Is there a way to restrict a specific sql 2005 login on a Microsoft SQL Server 2005, standard version (sql is in mixed mode) to specific IP adresses, while other logins, windows authentated ones, are unaffected?
A:
I have restricted logins on my system to a single IP address, just use the firewall.
Lazarus
2008-11-06 16:10:50
A:
SQL Server can be mapped to serveral port/IP configurations by the Server Manager, but afaik there isn't a way to bind a login method to a port/ip.
The only thing I can think of is to create a trigger FOR LOGON and inside that trigger test the Event Data like:
SELECT EVENTDATA().value ('(/EVENT_INSTANCE/LoginType)','nvarchar(max)'), EVENTDATA().value ('(/EVENT_INSTANCE/ClientHost)','nvarchar(max)')
...and maybe calling RAISEERROR or ROLLBACK if you don't like what you find might terminate the connection?
Hope this helps
James Green
2008-11-07 02:05:24
A:
Why do you need to restrict by IP address? If all your users are authenticated, just set up group permissions on SQL Server, and allow or deny the groups you want.
If the problem is various users using applications with the same SQL login (you mentioned you're using mixed-mode), then the question is why do you want to allow some users using the applications to access SQL Server, and not allow others? Implement the security in the applications, don't bounce them at the database level.
Rick
2008-11-07 02:30:52
I don't "want" to, but it's a mixture off applications, and I have no control over those. These apps are accessing the DB with an sql login, without possibility to configure. So I want to ensure that the apps are still accessing the db, while any other sources, like developer desktops, are denied.
gerleim
2008-11-07 11:31:23
Are the apps PC or server based? If they are PC based, then the apps will come from the users' computers, and so you can't filter by IP. If they are server based (e.g. on a corporate intranet), then hopefully the users don't have the database username/password, so they have no access to the db.
Rick
2008-11-12 02:09:37
+1
A:
Yes, you can do this. You'll need to write a logon trigger as described here:
http://technet.microsoft.com/en-us/library/bb326598.aspx
I futzed around with it for the last fifteen minutes and had limited success, but maybe there's somebody else on here who's done a DDL logon trigger filtering by IP address that can show the source code.
Brent Ozar
2008-11-15 13:05:40
+1
A:
I use the following trigger to restrict access to specific login - IPs combo.
CREATE TRIGGER [LOGIN_IP_RESTRICTION]
ON ALL SERVER FOR LOGON
AS
BEGIN
DECLARE @host NVARCHAR(255);
SET @host = EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(max)');
IF(EXISTS(SELECT * FROM master.dbo.IP_RESTRICTION
WHERE UserName = SYSTEM_USER))
BEGIN
IF(NOT EXISTS(SELECT * FROM master.dbo.IP_RESTRICTION
WHERE UserName = SYSTEM_USER AND ValidIP = @host))
BEGIN
ROLLBACK;
END
END
END;
DDL for table IP_RESTRICTION:
CREATE TABLE [dbo].[IP_RESTRICTION](
[UserName] [varchar](255) NOT NULL,
[ValidIP] [varchar](15) NOT NULL,
[Comment] [nvarchar](255) NULL,
CONSTRAINT [PK_IP_RESTRICTION] PRIMARY KEY CLUSTERED
([UserName] ASC, [ValidIP] ASC) ON [PRIMARY]
) ON [PRIMARY]
Thuglife
2008-11-28 14:49:02