SQL: Login Failed Attempt


Symptoms : Access was denied to the SQL server.

Impact : High

In the case of multiple access attempts failing, this could be a sign of an attack.

Expected behavior :

This alert indicates an abnormal access attempt and should be investigated.

Possible causes

User name/password has changed  Priority : Medium

Recommended action :
Check with the user trying to connect – if the user has access to Windows but not to SQL, check if that user has specific credentials.

Application credentials are wrong  Priority : Medium
Backing up over a network increases overall efficiency by reducing the number of backup devices. However, it also introduces another point of failure into the backup process.
Recommended action :
Check the credentials of the application trying to connect to SQL.

Background

This alert means that a user tried to connect to SQL and received a response indicating the user does not have access via name/password authentication, an application tried to connect to an SQL database and the credentials are invalid. User’s access is validated by Windows log-on process. A server’s credentials are contained in a record containing the authentication information needed to connect to a resource outside of SQL Server. A single credential can be mapped to multiple SQL Server logins. But a SQL Server login can be mapped to only one credential.

In the case of individual users with needs for wider access, credentials provide a way to allow SQL Server Authentication users to have an identity outside of SQL Server. This is primarily used to execute code in assemblies with special permission set. Credentials can also be used when a user needs access to a domain resource, such as a file location to store a backup.