How to deny access to SQL Server to certain login over SSMS, but allow over .Net SqlClient Data Provider

Question

We have a situation where Developers do not have any UPDATE permissions, BUT they work with applications and see connection strings -> they know passwords from some SQL accounts (example SQLLogin1) that have UPDATE permissions. Our operations currently are not perfect, and sometimes production data needs to be modified (no GUI for that yet).

Instead of contacting DBA, and asking him to modify the data, Developer would (improperly) use SQL account SQLLogin1 (that has permission to modify the data), and connect over SQL Server Management Studio to modify the data himself.

DBA can not change password for SQLLogin1 without Developer seeing the new connection string and new password, since the application connection string that uses SQLLogin1 is maintained by Developer.

Question:

Is there a way to deny access to SQLLogin1 SQL login, but only if it is connecting over SSMS?

At the same time if SQLLogin1 is connecting over .Net SqlClient Data Provider (program_name in the sys.dm_exec_sessions), it must be allowed to login.

This way we want to not let Developer connect over SSMS using SQLLogin1, while the application that is using SQLLogin1, would still be able to connect.

Answer 1

You can use a server logon trigger to make custom logon validations and reject them whenever you see fit. You will see this trigger listed below "Server Objects" and inside "Triggers" if you are using SSMS.

For example:

CREATE TRIGGER strRejectSSMSConnectionForSQLLogin1
ON ALL SERVER FOR LOGON
AS
BEGIN

    IF ORIGINAL_LOGIN() = N'SQLLogin1' AND PROGRAM_NAME() LIKE N'Microsoft SQL Server Management Studio%'
    BEGIN
        RAISERROR('Direct connection by SSMS refused.', 16, 1)
        ROLLBACK
    END

END

The ROLLBACK inside the trigger will reject the connection (there's an implicit transaction wrapping the call to the trigger on the logon event).

Be careful when implementing logon triggers, if not coded properly you will be rejecting logins that should be able to login (including your own!). Make sure to test on test/dev environments first.

Keep in mind that this code is executed before the session is created, so system views that rely on the session id (SPID) won't contain the currently checked login until the triggers ends without rollback or high enough failure.

Answer 2

I think there is no reliable solution for your problem since Application Name is modifiable parameter that cam be changed by any user.

Here is how to change it within SSMS:

In Connect to Database Object dialog choose Options, open Additional Connection Parameters and choose any name for Application Name like this:

Now sys.dm_exec_sessions DMV and Program_name() will show you what you passed in your connection string in Application Name parameter:

Answer 3

1. In the ideal sense, this is a process / policy / management issue. Even if someone knows the password, if it is against company policy for anyone but a DBA to connect to Production (well, you might have a Release Engineering team and/or sys admins, etc), and there are penalties for breaking the rules, then that should be sufficient (assuming that such rules are enforced).

2. Trying to prevent a particular application from connecting is impossible. As sepupic demonstrated, it is fairly easy to change the "program name". But even if the developer can't figure that out, there are plenty of other programs that can connect to SQL Server. Most people will have access to SQLCMD.exe and even the deprecated OSQL.exe. The developer can connect from within Visual Studio, and they can even create their own app to connect via ".Net SqlClient Data Provider". Oh, and now we even have Azure Data Studio. It's just too many.

3. Still, this might could still be possible if we approach it from the other direction: instead of preventing application X from connecting, how about only allowing application Y to connect? Sure, we again get into the "program name", and even "hostname" can be spoofed, BUT, I am pretty sure that the client's IP Address cannot be spoofed (at least not through the connection string keywords). You know the IP Address of the app server(s), or can easily find it from the sys.dm_exec_connections DMV (in the client_net_address field).

   Starting with the Logon Trigger suggested by EzLo, we can modify the logic that determines if the connection is valid or not to be the following:

   IF (ORIGINAL_LOGIN() = N'SQLLogin1'
       AND (
                CONVERT(VARCHAR(10), CONNECTIONPROPERTY('net_transport')) <> 'TCP'
             OR CONVERT(VARCHAR(10), CONNECTIONPROPERTY('client_net_address')) <> '10.10.10.10'
    -- uncomment below (and comment-out line above) if app uses multiple IP addresses
    --       OR CONVERT(VARCHAR(10), CONNECTIONPROPERTY('client_net_address'))
    --                   NOT IN ( '10.10.10.10', '10.10.10.11', ...)
           ))
   BEGIN
       RAISERROR('Non-application connection refused.', 16, 1);
       ROLLBACK;
   END;
   

   The only ways in now would be to either log onto the Production machine, or to have their workstation spoof the IP of the app server. Hopefully devs do not have any access to log onto Production. And spoofing an existing IP on a network causes problems which might adversely affect Production, so they won't be trying that, right? Right?

Answer 4

You can't cut off a specific client, as already detailed in the other answers.

The solution is to remove the access privileges to the production systems from the developer's accounts.

Any change must be scripted and a dba will run the script.

Deployment is performed by a sysadmin; devs produce a package they give to someone with proper privileges and devs never see the configs used on production systems.

Debugging is arranged on a case by case basis with a copy of the production data in a staging environment as a preferred solution or a temporary account with limited privileges if needed.

Answer 5

I previously worked for a company that had this problem with one developer. He was fired, but we also implemented a table that had the LoginName and AllowedMachine (Application Server) via a Login Trigger. This resolved our problems. Or maybe it was due to the firing.