HOW TO: Detect Reoccurring Login Failures

 

If security monitoring is enabled for instances, RockSolid will automatically gather failed login data.  This includes:

  • The attempted login name
  • The originating host
  • The date/time of the failure
  • The reason for the login failure

This information is kept within the RockSolid repository and can be reported on demand.  However, it is also useful to allow RockSolid to identify reoccurring patterns in failures and raise service requests if sustained or suspicious failures are occurring.  These occurrences may indicate that an application is failing to connect to SQL Server due to a configuration change, or that an unauthorised brute-force style attack may be occurring on the SQL Server environment.

NOTE: RockSolid login failure auditing does not require login failures to be logged to the SQL Server error log.  RockSolid failed login auditing is captured by an automated trace initiated as part of monitoring by RockSolid.
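The two patterns described above (an application that keeps failing to connect versus many different logins failing from one host) can be told apart using the captured fields. The following is an added example, not RockSolid's own detection logic or code from this article; the thresholds, labels, host names and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this example; they are not RockSolid settings.
WINDOW = timedelta(minutes=10)   # period in which failures are counted
MIN_FAILURES = 5                 # failures per host inside WINDOW to report
MANY_LOGINS = 3                  # distinct login names that suggest guessing

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed records: (login name, originating host, date/time, reason).
SAMPLE = (
    [("svc_orders", "APP01", ts(f"2024-01-08 09:0{m}:00"), "password mismatch")
     for m in range(6)]
    + [(name, "WS-117", ts(f"2024-01-08 09:01:{i:02d}"), "unknown login")
       for i, name in enumerate(["sa", "admin", "root", "dba", "test", "sa"])]
    + [("jsmith", "WS-042", ts("2024-01-08 09:03:10"), "password mismatch")]
)

def classify_failures(records):
    """Return {host: label} for hosts with MIN_FAILURES failures in WINDOW.
    'sustained': same few logins keep failing; 'suspicious': many names."""
    by_host = defaultdict(list)
    for login, host, when, _reason in records:
        by_host[host].append((when, login))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < MIN_FAILURES:
                continue
            logins = {login for _, login in burst}
            if len(logins) >= MANY_LOGINS:
                findings[host] = "suspicious"
            else:
                findings.setdefault(host, "sustained")  # never downgrade
    return findings

if __name__ == "__main__":
    for host, label in sorted(classify_failures(SAMPLE).items()):
        print(f"{host}: {label} login failures")
```

A single failed login, such as the WS-042 record in the sample, is not reported; only repeated failures inside the window are.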

Enabling Login Failed Service Requests

To enable the creation of service requests due to reoccurring login failures, please enable this option using the following process:

  • Navigate to the relevant level in the instance hierarchy.  Typically this is applied at either the service provider, instance group or site level.
  • Click on the Settings tab to view the policy definition.
  • Click on the Security sub-tab to view the security policy.
  • Set the "Raise Failed Login Events" option to enabled.

Once enabled, RockSolid will raise detected reoccurring and/or suspicious login failures as service requests of task type "Login Failure".
