Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Basit's SQL Server Tips

Basit Farooq is a Lead Database Administrator, Trainer and Technical Author. He has more than a decade of IT experience in development, technical training and database administration on Microsoft SQL Server platforms. Basit has authored numerous SQL Server technical articles, and developed and implemented many successful database infrastructure, data warehouse and business intelligence projects. He holds a master's degree in computer science from London Metropolitan University, and industry standard certifications from Microsoft, Sun, Cisco, Brainbench, Prosoft and APM, including MCITP Database Administrator 2008, MCITP Database Administrator 2005, MCDBA SQL Server 2000 and MCTS .NET Framework 2.0 Web Applications.

Logon Triggers: SQL Server

As the name implies, logon triggers fire in response to the logon event that is raised when a user sessions is being established. The logon triggers can be used to audit and control server sessions, such as tracking the login activity, restricting logins to SQL Server, or limiting or denying the number of login sessions for a specific user. The logon triggers always run after the authentication phase, but before the user session is actually established, which means that trigger logon will not fire if authentication fails. Therefore, all messages originating inside the trigger logon, which would usually reach the user, such as error messages and messages from the PRINT statement, are diverted to the SQL Server error log.

For example, the following code shows how logon trigger rejects attempts to logon for “testuser1″, if they are initiated outside business hours i.e. between 10:00 and 18:00 hours.

First step of the process is to create SQL user called “testuser1″ on the server, To do so execute the following code:

USE [master]
GO

--Create the login on your servel called "testuser1"
CREATE LOGIN [testuser1] WITH PASSWORD=N'StrongPassword'
    ,DEFAULT_DATABASE=[master]
    ,DEFAULT_LANGUAGE=[us_english]
    ,CHECK_EXPIRATION=OFF
    ,CHECK_POLICY=OFF
GO

Now create logon trigger called “connection_limit_trigger”, which only permits login attempts for “testuser1″ during business hours i.e. between 10:00 and 18:00 hours.

USE [master]
GO

CREATE TRIGGER [connection_limit_trigger]
ON ALL SERVER
FOR LOGON 
AS
BEGIN
DECLARE @ErrorText [varchar](128)

SET @ErrorText = 'Cannot allow login to "testuser1" outside of normal business hours. '
SET @ErrorText = @ErrorText + 'Please try again between business hours 10:00 and 18:00.'

IF ORIGINAL_LOGIN() = 'testuser1' AND
    (DATEPART(HOUR, GETDATE()) < 10 OR DATEPART (HOUR, GETDATE()) > 18)
    BEGIN
        PRINT @ErrorText
        ROLLBACK;
    END
END;
GO

ENABLE TRIGGER [connection_limit_trigger] ON ALL SERVER  
GO

Now that we have configured our logon trigger, the “testuser1″ will not be able to log on to SQL Server outside the specified business hours of 10:00 to 18:00. The following dialog box will appear if you attempt to login to SQL Server with “testuser1” SQL login:

If you review the SQL Server error logon, you will see that it has an entry about this failed login attempt containing the information message from our logon trigger:

One interesting observation about logon trigger, which you can see from above example, is that the logon triggers generates multiple entries for successful and failed logon attempts.

Conclusion

The logon on triggers are useful to track and control SQL Server login activity. The information captured by logon trigger helps us identify and prevent unauthorised access from SQL Server.


Comments

Leave a comment on the original post [basitaalishan.com, opens in a new window]

Loading comments...