Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Tips Database Forum Rss Feed

» Database Journal Home
» Database Articles
» Database Tutorials
MS Access
SQL Scripts & Samples
» Database Forum
» Slideshows
Free Newsletters:

News Via RSS Feed

Rss Feed

Database Journal |DBA Support |SQLCourse |SQLCourse2

Featured Database Articles


Posted Aug 2, 2003

Enhanced SQL Server Security Auditing

By DatabaseJournal.com Staff

by MAK [Muthusamy Anantha Kumar]

Applies to: SQL Server 7.0 and 2000.

Security audit in SQL server captures only successful and failed logins. It does not capture the application that uses the login. Login used by an application may have full read and write access on all of the tables and procedures but the application restricts the users by providing a front-end which will allow them to see only a few columns, tables etc. However, certain users out of curiosity may log on to the database using SQL Query tools such as Enterprise manager and Query analyzer, using production login information. The following process will capture such un-authorized users who log on to the SQL server.


All of the processes in SQL Server can be viewed by querying the system table "sysprocesses." This whole article is based on that table.

Step1: Create a job with one job step.


Job Step

Step2: Copy and paste the code below into the command window of the job step.

select identity(int,1,1) as traceid, a.name as [Database],
	ltrim(rtrim(convert(varchar,b.spid))) as spid,
ltrim(rtrim(b.loginame)) as loginame,ltrim(rtrim(b.program_name)) 
	as program_name,ltrim(rtrim(b.hostname)) 
as hostname into #audittrace from master.dbo.sysprocesses b (nolock) , 
	master.dbo.sysdatabases A where 
a.dbid = b.dbid and ltrim(rtrim(loginame)) not in 
('DBA1','domain\systemaccount','DBA2','domain\administrator') and 
ltrim(rtrim(left(program_name,8))) in ('MS SQLEM','SQL Quer')

--drop table #audittrace
select * from #audittrace

declare @count int
declare @message varchar(1000)
set @count = (select count(*) from #audittrace)

While @count >=1 
set @message = (select 'SQL Security Enhanced Auditing: SPID =' + spid +'     , 
	Database: ' + [Database] + 
'    ,Loginame: ' + loginame + '    ,hostname: '+ hostname +'    , Program Name: ' + 
program_name from #audittrace where traceid = @count)
set @count  = @count-1
RAISERROR (@message, 16, 1) with log
drop table #audittrace

Step3: Make the job Success/Failure flow to report success on both success and failure.


Create schedule for this job to run every 15 minutes on a daily basis.


When the job executes, if it finds un-authorized users using Enterprise Manager or Query Analyzer it creates an entry in the SQL Server Error log, the Event viewer's Application log and also in the job history.

SQL Server error log:

Application log

Job History

Note: Change the login list in the code [('DBA1','domain\systemaccount','DBA2','domain\administrator') to reflect the list of logins you do not want to capture as an un-authorized user. For capturing different applications, change the application list in the code from ('MS SQLEM','SQL Quer') to the list of applications you would like to capture.


In this way, you can capture the un-authorized use of logins that connect to SQL Server. This is an enhanced version of SQL Server internal security auditing. This helps not only in capturing the unauthorized user but also for capturing un-authorized applications that are being connected to SQL Server.

MS SQL Archives

Latest Forum Threads
MS SQL Forum
Topic By Replies Updated
SQL 2005: SSIS: Error using SQL Server credentials poverty 3 August 17th, 07:43 AM
Need help changing table contents nkawtg 1 August 17th, 03:02 AM
SQL Server Memory confifuration bhosalenarayan 2 August 14th, 05:33 AM
SQL Server Primary Key and a Unique Key katty.jonh 2 July 25th, 10:36 AM