Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Server Trigger Expand / Collapse
Author
Message
Posted Wednesday, November 2, 2011 3:08 AM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Today @ 7:11 AM
Points: 834, Visits: 2,442
Hi,

We have a DDL trigger on our server preventing access from Microsoft Office, Excel or Access applications for unauthorised users. Users and their workstation details are in a 'white list', which gives them access if they've been approved. Every one else gets a 'login failed due to trigger execution' message.

I've just found out that when trying to create a DSN connection using the ODBC manager (SQL Server Native Client 10), it also fires the trigger. Is this a security feature to stop Office users using DSN connections as a backdoor, or is the ODBC manager seen as part of the office suite? Having said that, I've also tried using the ODBC manager from a machine without MS Office installed, and it still failed.

Login trigger code:

/****** Object:  DdlTrigger [Logon_Trigger_Monitor_Excel]    Script Date: 11/02/2011 09:01:39 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TRIGGER [Logon_Trigger_Monitor_Excel]
ON ALL SERVER WITH EXECUTE AS 'xxxx\xxxx'
FOR LOGON
AS
BEGIN
IF APP_NAME() LIKE '%MICROSOFT OFFICE%' OR APP_NAME() LIKE '%EXCEL%' OR APP_NAME() LIKE '%ACCESS%'
IF UPPER(ORIGINAL_LOGIN()) LIKE 'HERMES\%'
BEGIN
IF (SELECT COUNT(*)
FROM monitoring.dbo.tblExcelWhiteList
WHERE UPPER(loginwho) = UPPER(ORIGINAL_LOGIN())
AND UPPER(loginfrom) = UPPER(HOST_NAME())) = 0 ROLLBACK
END
END

GO
SET ANSI_NULLS OFF
GO
SET QUOTED_IDENTIFIER OFF
GO
ENABLE TRIGGER [Logon_Trigger_Monitor_Excel] ON ALL SERVER

Post #1199139
Posted Wednesday, November 2, 2011 3:21 AM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Today @ 7:11 AM
Points: 834, Visits: 2,442
Actually, just figured it out. SQL Server's picking up the connection as 'Microsoft Data Access Components'. Our login trigger's screening applications like '%ACCESS%'...

thanks for looking..
Post #1199142
Posted Wednesday, November 2, 2011 3:38 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 2:44 AM
Points: 5,018, Visits: 10,532
I ended up with a similar solution in the past because I had no other option.
However, be aware that this is not the best way to enforce security. Users should be unable to login because they don't have a login at all.


--
Gianluca Sartori

Get your two-cent-answer quickly
spaghettidba.com
@spaghettidba
Post #1199150
Posted Wednesday, November 2, 2011 3:41 AM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Today @ 7:11 AM
Points: 834, Visits: 2,442
We allow users to access the database through the designated application, for which they are in an AD group with limited permissions, but we don't want those same users accessing the database from Excel, Access, etc. That's why it's set-up this way.
Post #1199153
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse