T-SQL Tuesday #53 – Why So Serious? No SQL Authentication Use Your Own Account

T-SQL Tuesday

At a previous job I had several developers who had passwords for SQL authenticated accounts for systems that would give them more access than they needed, when they had Windows accounts that would give them enough to troubleshoot issues. Our trick was to write a login trigger that would block any SQL Authentication accounts that were logged in with SSMS. Many a developer fell prey to our logon trigger and, because of the severity of the message, did not quite understand why. This made my troubleshooting life easy because I didn't have to figure out if a developer ran something to fix something or if something legitimate was broken. Of course I made sure to not block my sa account just in case I needed it.

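-- Server-level logon trigger: fires after authentication succeeds but before
-- the session is established. ROLLBACK rejects the login.
CREATE TRIGGER Developer_No_Logins_W_SQLAuth ON ALL SERVER
    FOR LOGON
AS
    BEGIN
        IF EXISTS ( SELECT  *
                    FROM    sys.dm_exec_sessions AS es
                    WHERE   es.login_name = ORIGINAL_LOGIN()
                            -- client reports itself as SSMS
                            AND es.program_name LIKE 'Microsoft SQL Server Management Studio%'
                            -- no Windows user name, i.e. a SQL authenticated login
                            AND es.nt_user_name IS NULL
                            -- keep sa usable as a way back in
                            AND es.login_name <> 'sa' )
            ROLLBACK;
    END;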
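
Before enabling a trigger like this, it helps to see which sessions it would reject, and afterwards to confirm it is in place. The queries below are an added example, not part of the original post; they assume the caller has VIEW SERVER STATE and identify SQL logins through sys.server_principals (type 'S') instead of the trigger's nt_user_name test.

```sql
-- 1. Sessions open right now that match the trigger's intent:
--    a SQL authenticated login, other than sa, connected from SSMS.
SELECT  es.session_id,
        es.original_login_name,
        es.host_name,
        es.program_name,
        es.login_time
FROM    sys.dm_exec_sessions AS es
        JOIN sys.server_principals AS sp
            ON sp.name = es.original_login_name
WHERE   sp.type = 'S'                       -- SQL login, not Windows
        AND es.is_user_process = 1
        AND es.program_name LIKE 'Microsoft SQL Server Management Studio%'
        AND es.original_login_name <> 'sa'
ORDER BY es.login_time;

-- 2. Every SQL authenticated session grouped by the reported application.
--    program_name is supplied by the client, so review the whole list
--    instead of relying on the SSMS filter alone.
SELECT  es.original_login_name,
        es.program_name,
        es.host_name,
        COUNT(*)           AS session_count,
        MAX(es.login_time) AS last_login
FROM    sys.dm_exec_sessions AS es
        JOIN sys.server_principals AS sp
            ON sp.name = es.original_login_name
WHERE   sp.type = 'S'
        AND es.is_user_process = 1
GROUP BY es.original_login_name, es.program_name, es.host_name
ORDER BY es.original_login_name, session_count DESC;

-- 3. After deployment: confirm the trigger exists and is enabled.
SELECT  name, is_disabled, create_date, modify_date
FROM    sys.server_triggers
WHERE   name = N'Developer_No_Logins_W_SQLAuth';

-- 4. Recovery if a logon trigger ever blocks administrators: connect over
--    the dedicated administrator connection (for example sqlcmd -A) and run:
-- DISABLE TRIGGER Developer_No_Logins_W_SQLAuth ON ALL SERVER;
```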
