Restrict server login by user AND machine (within or not within a domain): is it possible?

Question

I'm trying to setup a SQL Server 2008 R2 instance, restricting access to my database so only specific users on specific machines can login there.

Let's say, we have 3 devs: John, Jill and Steve, with 3 machines: JohnPC, JillPC and StevePC. John and Jill use their machines inside a domain, but Steve doesn't. So, the machines "full names" are: MYDOMAIN\JohnPC, MYDOMAIN\JillPC and StevePC, since Steve isn't in MYDOMAIN, but in windows default "WorkGroup".

I know that I can create accounts to restrict access from a machine, as in [MYDOMAIN\JohnPC$].

But in my case, I don't want to allow Jill to login from JohnPC.

I'm using mixed-mode login to server, so I have the 'sa' account enabled (and it's supposed to access only within the server's localhost environment).

I've read this article that shows how to create an account for a computer within a domain, but that doesn't apply to my case [Edit: because it doesn't tell how to restrict user to each computer, and it doesn't tell how to create an account for a computer with no domain]. Searched google about it, and can't find any answer that could remotely fit what I'm trying to do.

So, is this possible to achieve? And if it is, how can I do it?

Answer 1

You can create a server level trigger for LOGON and in there you can check the user, domain and the client host name using sys.dm_exec_sessions to determine whether user is allowed or not. (We can have the permitted combinations in a separate table if require)

I have done a similar thing to stop users accessing the SQL Server databases using SSMS with any SQL Logins. Only domain users are allowed via SSMS.

Hope this helps you.