How to Audit Login Changes on a SQL Server

Problem

I’ve been charged with coming up with a quick solution to audit login changes on my SQL Servers. However, there’s no budget so I’m going to have to come up with basic scripts and the like to do the work. Is this tip we cover a solution for you to audit login changes.

Solution

Developing a solution to detect simple changes to logins is fairly easy and straight forward. For instance, if you’re just charged with detecting what logins have been created, deleted, or modified since the last audit, a purely T-SQL solution can be implemented quickly and easily. We’ll tackle something that provides slightly more information in this tip.

First, the basic tables we’ll need to do the auditing. We’ll need a table to store the current scan information as well as a table to store our scan history. We’ll actually compare the two tables in order to determine what has changed between audits. We’ll also need a table to track when we did our scans.

Here are the three tables:

CREATE TABLE dbo.AuditScan (

 AuditScanID INT IDENTITY(1,1) NOT NULL,

 ScanStartDate datetime NOT NULL,

 ScanEndDate datetime NULL,

 CONSTRAINT PK_AuditScan PRIMARY KEY CLUSTERED (AuditScanID)

);

GO




CREATE TABLE dbo.CurrentLoginScan (

 [sid] VARBINARY(85) NOT NULL,

 [name] sysname NOT NULL,

 [type] CHAR(1) NOT NULL,

 create_date DATETIME,

 modify_date DATETIME,

 AuditScanID INT NOT NULL,

 CONSTRAINT PK_CurrentLoginScan PRIMARY KEY CLUSTERED ([sid]),

 CONSTRAINT FK_CurrentLoginScan_AuditScan FOREIGN KEY (AuditScanID)

 REFERENCES dbo.AuditScan (AuditScanID)

);

GO




CREATE TABLE dbo.LoginScanRecord (

 [ScanLogID] INT NOT NULL IDENTITY(1,1),

 [AuditScanID] INT NOT NULL,

 [sid] VARBINARY(85) NOT NULL,

 [name] sysname NOT NULL,

 [type] CHAR(1) NOT NULL,

 create_date DATETIME NOT NULL,

 modify_date DATETIME NOT NULL,

 CONSTRAINT PK_LoginSCanRecord PRIMARY KEY CLUSTERED (ScanLogID),

 CONSTRAINT FK_LoginScanRecord_AuditScan FOREIGN KEY (AuditScanID)

 REFERENCES dbo.AuditScan (AuditScanID)

);

GO

Now we’ll need a couple of stored procedures to mark the start and stop of each audit.

CREATE PROC dbo.StartAuditScan

  @AuditScanID INT OUTPUT

AS

BEGIN

  SET NOCOUNT ON;




  DECLARE @AuditScanIDTable TABLE(AuditScanID INT);




  INSERT INTO dbo.AuditScan (ScanStartDate)

    OUTPUT INSERTED.AuditScanID INTO @AuditScanIDTable

  VALUES (GETDATE());




  SET @AuditScanID = (SELECT AuditScanID FROM @AuditScanIDTable);

END;

GO




CREATE PROC dbo.EndAuditScan

  @AuditScanID INT

AS

BEGIN

  SET NOCOUNT ON;




  UPDATE dbo.AuditScan

  SET ScanEndDate = GETDATE()

  WHERE AuditScanID = @AuditScanID;

END;

GO

And finally, we’ll need the stored procedure that does the audit itself. It’s going to do the following:

Start the audit.
Retrieve the pertinent information from the sys.server_principals view into the CurrentLoginScan table.
Compare to see what new logins have been created since the last audit.
Compare to see what logins have been deleted since the last audit.
Compare to see what logins show a change since the last audit.
End the audit.
Report the findings.

Here’s the stored procedure that accomplishes the above.

CREATE PROC dbo.ExecuteLoginScan

AS

BEGIN

  SET NOCOUNT ON;




  DECLARE @CurrentScanID INT;

  DECLARE @PreviousScanID INT;




  SET @PreviousScanID = (SELECT MAX(AuditScanID) FROM dbo.AuditScan);

  EXEC dbo.StartAuditScan @CurrentScanID OUTPUT;




  EXEC dbo.EndAuditScan @CurrentScanID;




  INSERT INTO dbo.CurrentLoginScan

  ([sid], [name], [type], create_date, modify_date, AuditScanID)

  SELECT [sid], [name], [type], create_date, modify_date, @CurrentScanID

  FROM master.sys.server_principals;




  CREATE TABLE #LoginScanReport (

    Change VARCHAR(20) NOT NULL,

    [sid] VARBINARY(85) NOT NULL,

    [Current_Name] sysname NULL,

    [Old_Name] sysname NULL,

    [Current_Type] CHAR(1) NULL,

    [Old_Type] CHAR(1) NULL,

    [Current_Create_Date] DATETIME NULL,

    [Old_Create_Date] DATETIME NULL,

    [Current_Modify_Date] DATETIME NULL,

    [Old_Modify_Date] DATETIME NULL

  );




  — Find new logins

  INSERT INTO #LoginScanReport

  (Change, [sid], Current_Name, Current_Type, Current_Create_Date, Current_Modify_Date)

  SELECT ‘Added’, Curr.[sid], Curr.[name], Curr.[type], Curr.create_date, Curr.modify_date

  FROM dbo.CurrentLoginScan Curr

    LEFT JOIN (SELECT [sid], [name], [type], create_date, modify_date

               FROM dbo.LoginScanRecord

               WHERE AuditScanID = @PreviousScanID) Old

      ON Curr.[sid] = Old.[sid]

  WHERE Old.[sid] IS NULL;




  — Find deleted logins

  INSERT INTO #LoginScanReport

  (Change, [sid], Old_Name, Old_Type, Old_Create_Date, Old_Modify_Date)

  SELECT ‘Deleted’, Old.[sid], Old.[name], Old.[type], Old.create_date, Old.modify_date

  FROM dbo.CurrentLoginScan Curr

    RIGHT JOIN (SELECT [sid], [name], [type], create_date, modify_date

               FROM dbo.LoginScanRecord

               WHERE AuditScanID = @PreviousScanID) Old

      ON Curr.[sid] = Old.[sid]

  WHERE Curr.[sid] IS NULL;




  — Find Changed Logins

  INSERT INTO #LoginScanReport

  (Change, [sid], Current_Name, Current_Type, Current_Create_Date, Current_Modify_Date,

                  Old_Name, Old_Type, Old_Create_Date, Old_Modify_Date)

  SELECT ‘Modified’, Curr.[sid], Curr.[name], Curr.[type], Curr.create_date, Curr.modify_date,

                     Old.[name], Old.[type], Old.create_date, Old.modify_date

  FROM dbo.CurrentLoginScan Curr

    JOIN (SELECT [sid], [name], [type], create_date, modify_date

          FROM dbo.LoginScanRecord

          WHERE AuditScanID = @PreviousScanID) Old

      ON Curr.[sid] = Old.[sid]

  WHERE (Curr.[name] <> Old.[name]) OR (Curr.[type] <> Old.[type])

         OR (Curr.create_date <> Old.create_date) OR (Curr.modify_date <> Old.modify_date);




  INSERT INTO dbo.LoginScanRecord

  (AuditScanID, [sid], [name], [type], create_date, modify_date)

  SELECT AuditScanID, [sid], [name], [type], create_date, modify_date

  FROM dbo.CurrentLoginScan;




  DELETE FROM dbo.CurrentLoginScan;




  SELECT Change, [sid], Current_Name, Old_Name, Current_Type, Old_Type,

    Current_Create_Date, Old_Create_Date, Current_Modify_Date, Old_Modify_Date

  FROM #LoginScanReport;

END;

GO

Next Steps

Look at the SQL Server-provided tables and catalog views for login information.
Review how to use PowerShell to audit sysadmin level logins on multiple SQL Servers.
Learn how to implement an audit of password age for your SQL Server-based logins.
Know how to map between logins and database users.

K. Brian Kelley

Brian Kelley is an author, columnist, Certified Information Systems Auditor (CISA), and former Microsoft Data Platform (SQL Server) MVP (2009-2016) focusing primarily on SQL Server and Windows security. Brian currently serves as a data architect as well as an independent infrastructure/security architect concentrating on Active Directory, SQL Server, and Windows Server. He has served in a myriad of other positions including senior database administrator, data warehouse architect, web developer, incident response team lead, and project manager. Brian has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the Techno Security and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.

MSSQLTips Awards: Author of the Year Contender – 2015, 2017 | Champion (100+ tips) – 2014

Leave a ReplyCancel Reply