{"id":314,"date":"2007-10-10T00:00:00","date_gmt":"2007-10-10T00:00:00","guid":{"rendered":"https:\/\/test.simple-talk.com\/uncategorized\/logon-triggers\/"},"modified":"2021-09-29T16:22:15","modified_gmt":"2021-09-29T16:22:15","slug":"logon-triggers","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/t-sql-programming-sql-server\/logon-triggers\/","title":{"rendered":"Logon Triggers"},"content":{"rendered":"

When I asked a friend from the SQL Server development team “what’s the story behind Logon Triggers?” the answer was brief “Common Criteria compliance for SQL Server and nothing more”. That is, indeed, the short story but if you work with SQL Server 2005 and need the long story, read on.<\/p>\n

A little bit of Common Criteria mumbo jumbo<\/h3>\n

Today, for most businesses that involve IT, security is a must and not a luxury (as it was just a few years back). But what does security for a computer product really mean? It is not so easy to give an answer that would satisfy everyone. Fortunately for us IT folks, there are several standards that define security.<\/p>\n

One of these standards is the Common Criteria (CC) certification, which specifies the security functionalities of a product, as well as the methods to evaluate them. The CC evolved from three other standards: ITSEC (the European standard), CTCPEC (the Canadian standard) and TCSEC (The United States Department of Defense Standard).<\/p>\n

What you need to know about the Common Criteria certification is that it is recognized by more than twenty-four nations and that it specifies seven levels of assurance for a computer product, EAL1 to EAL7.<\/p>\n

For Windows Server, SQL Server and other software products designed for commercial distribution, an certification level of EAL4 is considered to be adequate.<\/p>\n

SQL Server 2005 was evaluated at Common Criteria certification EAL1 for Service Pack 1 and EAL4+ for Service Pack 2. The “+” from EAL4 represents “flaw remediation” that is not part of EAL4. It means that Microsoft will provide SQL Server customers with security patches or corrective actions for any security flaw found in the product.<\/p>\n

One of the features introduced by Service Pack 2, in order to achieve EAL4+, was Logon Triggers. They allow SQL Server to comply with the following requirements:<\/p>\n

    \n
  1. The ability to restrict the maximum number of concurrent sessions that belong to the same user.<\/li>\n
  2. The ability to configure a default maximum number of sessions per user.<\/li>\n
  3. The ability to deny session establishment based on user identity and\/or group identity, time of day, and day of week.<\/li>\n<\/ol>\n

    Do I really need Logon Triggers to implement these security functionalities? Is there any work-around? I encountered these questions more than a few times, from curious or service pack resistant people, so I decided to try to find a work-around, knowing that discovering one would mean outsmarting Microsoft developers (a very hard thing to do but not an impossible one).<\/p>\n

    A Logon Triggers work-around in SQL Server 2005 pre SP2<\/h3>\n

    Have you ever seen the following screen?<\/p>\n

    \"442-Image1.gif\"<\/p>\n

    It’s a screenshot of the Active Directory Users and Computers<\/i> snap-in that allows you to customize the logon hours for a user (among other things).<\/p>\n

    Don’t search for something similar in SQL Server 2005 pre SP2, because it doesn’t exist. However, its provision is a requirement of the EAL4 evaluation, as listed above (the ability to deny session establishment based on time of day, and day of week).<\/p>\n

    For this requirement I found an easy work-around, using SQL Server Agent jobs. Let’s suppose that one of the users in my organization, named Thomas Anderson, should be allowed to connect to the SQL Server box, every day of the week from 9AM to 5PM except Saturday and Sunday.<\/p>\n

    All I have to do is to disable his login each day at 5PM and enable it each day at 9AM. The following code does just that:<\/p>\n

    USE msdb;\r\nGO\r\n-- Create a job\r\nEXEC sp_add_job @job_name=N'LogonHours';\r\nGO\r\n-- Add a T-SQL step to the job\r\nEXEC sp_add_jobstep \r\n\u00a0\u00a0\u00a0\u00a0\u00a0 @job_name = N'LogonHours',\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0@step_name=N'Enable\/Disable login', \r\n\u00a0\u00a0\u00a0\u00a0\u00a0 @subsystem=N'TSQL', \r\n\u00a0\u00a0\u00a0\u00a0\u00a0 @command=N'IF DATEPART(hour,GETDATE())=9 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ALTER LOGIN thomas_anderson ENABLE\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ELSE \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ALTER LOGIN thomas_anderson DISABLE', \r\n\u00a0\u00a0\u00a0 \u00a0\u00a0@database_name=N'master';\r\nGO\r\n-- Associate a schedule to the job\r\n-- to run the job a 5PM\r\nEXEC sp_add_jobschedule\r\n\u00a0\u00a0 @job_name = N'LogonHours', \r\n\u00a0\u00a0 @name=N'LogonHoursScheduleForDisable', \r\n\u00a0\u00a0 @enabled=1, \r\n\u00a0\u00a0 @freq_type=8, \r\n\u00a0\u00a0 @freq_interval=62, \r\n\u00a0\u00a0 @freq_subday_type=1, \r\n\u00a0\u00a0 @freq_subday_interval=0, \r\n\u00a0\u00a0 @freq_relative_interval=0, \r\n\u00a0\u00a0 @freq_recurrence_factor=1, \r\n\u00a0\u00a0 @active_start_time=170000;\r\nGO\u00a0\u00a0 \r\n-- Associate a second schedule to the job\r\n-- to run the job at 9AM\r\nEXEC sp_add_jobschedule \r\n\u00a0\u00a0 @job_name = N'LogonHours',\r\n\u00a0\u00a0 @name=N'LogonHoursScheduleForEnable', \r\n\u00a0\u00a0 @enabled=1, \r\n\u00a0\u00a0 @freq_type=8, \r\n\u00a0\u00a0 @freq_interval=62, \r\n\u00a0\u00a0 @freq_subday_type=1, \r\n\u00a0\u00a0 @freq_subday_interval=0, \r\n\u00a0\u00a0 @freq_relative_interval=0, \r\n\u00a0\u00a0 @freq_recurrence_factor=1, \r\n\u00a0\u00a0 @active_start_time=90000;\r\nGO<\/pre>\n
    Let me explain the code just a little bit. We create a job and associate to with two schedules. One schedule that will execute the job each working day at 9AM and a similar schedule that will execute the job at 5PM. The job itself runs T-SQL code that enables the thomas_anderson<\/b> login if it’s 9AM and disables it otherwise.<\/p>\n
    So far so good, the work-around works like a charm. What about the other requirements? Can I restrict the number of connections for a user using the same method? No!<\/p>\n
    A possible scenario for restricting the number of connections is the next one: first the user establishes a connection, then we check the number of already existing connections from this user and if the maximum number of connections that we allow is already attained we kill the new connection.<\/p>\n
    To do that we need something that will notify us when the user tries to connect. Something close to what we need is the AUDIT_LOGIN<\/b> SQL Trace event, which fires when a user establishes a successful connection. We can use this event with SQL Profiler or with Event Notifications. The first option, SQL Profiler, is not actually an option, unless we plan to sit watching a screen 24\/7, and manually ending connections.<\/p>\n
    Event Notifications allow the automation of our scenario.<\/p>\n
    Note<\/b>: The Event Notifications use the Service Broker infrastructure by sending a message about an event to a Service Broker service.<\/i><\/p>\n
    To use Event Notifications, we need a queue that will hold the events, a service, a route, an event notification and a stored procedure that will do the work. As there’s no need to reinvent the wheel we can adapt the code using the base samples from Books Online.<\/p>\n
    Here’s the code:<\/p>\n
    USE master;\r\nGO\r\n-- Create demo database\r\nCREATE DATABASE DemoDB;\r\nGO\r\n-- Create demo login\r\nCREATE LOGIN thomas_anderson \r\nWITH PASSWORD = 'yukon9.0';\r\nGO\u00a0\u00a0\u00a0 \r\n-- Enable Service Broker for DemoDB database if it's the case\r\nIF EXISTS(\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 SELECT * \r\n\u00a0\u00a0\u00a0\u00a0\u00a0 FROM sys.databases\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 WHERE [name]=N'DemoDB' AND is_broker_enabled=0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 )\r\nALTER DATABASE DemoDB SET ENABLE_BROKER;\r\nGO\r\n-- We will access from the activated stored procedure a view that is \r\n-- located in a different database \r\n-- the sys.dm_exec_sessions dynamic management view\r\n-- The security context of the stored procedure would not allow us to do so\r\n-- unless we set the the TRUSTWORTHY option to ON.\r\nALTER DATABASE DemoDB SET TRUSTWORTHY ON\r\nGO\r\nUSE DemoDB;\r\nGO\r\n-- Create a queue\r\nCREATE QUEUE Logon_Triggers_Queue; \r\nGO\r\n-- Create a service\r\nCREATE SERVICE Logon_Triggers_Service\r\nON QUEUE Logon_Triggers_Queue([http:\/\/schemas.microsoft.com\/SQL\/Notifications\/PostEventNotification]);\r\nGO\r\n-- Create a route\r\nCREATE ROUTE Logon_Triggers_Route \r\nWITH SERVICE_NAME = N'Logon_Triggers_Service', \r\nADDRESS = N'LOCAL';\r\nGO\r\n-- Create the event notification at the server level for the AUDIT_LOGIN event\r\nCREATE EVENT NOTIFICATION Successfull_Login_Notification\r\nON SERVER \r\nFOR AUDIT_LOGIN\r\nTO SERVICE 'Logon_Triggers_Service', 'current database';\r\nGO\r\n\r\n-- Create the stored procedure that will handle the events\r\n-- First set the options required to work with the XML data type\r\nSET ANSI_NULLS ON;\r\nGO\r\nSET QUOTED_IDENTIFIER ON;\r\nGO\r\nCREATE PROCEDURE usp_Logon_Triggers\r\nAS\r\nBEGIN\r\nSET NOCOUNT ON;\r\n-- Use an endless loop to receive messages\r\nWHILE (1 = 1)\r\n\u00a0\u00a0\u00a0 BEGIN\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 DECLARE @messageBody VARBINARY(MAX);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 DECLARE @messageTypeName NVARCHAR(256);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 WAITFOR ( \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RECEIVE TOP(1)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 @messageTypeName = message_type_name,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 @messageBody = message_body\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 FROM Logon_Triggers_Queue\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ), TIMEOUT 500\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 -- If there is no message, exit\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 IF @@ROWCOUNT = 0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BEGIN\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BREAK ;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 END ;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 -- If the message type is EventNotification do the actual work \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IF (@messageTypeName =\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 'http:\/\/schemas.microsoft.com\/SQL\/Notifications\/EventNotification')\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BEGIN\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DECLARE @data XML;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DECLARE @SPID VARCHAR(5);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DECLARE @LoginName NVARCHAR(128);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SET @data = CAST(@messageBody AS XML);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -- Get the SPID and the Login name using the value method\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SET @SPID = @data.value('(\/EVENT_INSTANCE\/SPID)[1]', 'VARCHAR(5)'); \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SET @LoginName = @data.value('(\/EVENT_INSTANCE\/LoginName)[1]', 'NVARCHAR(128)');\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -- Check the login name\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IF @LoginName=N'thomas_anderson' AND\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (SELECT COUNT(*) FROM sys.dm_exec_sessions\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 WHERE is_user_process = 1 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0AND original_login_name = 'thomas_anderson') > 1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BEGIN\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -- Kill the current connection if there is already one session established \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -- as thomas_anderson\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EXECUTE ('KILL ' + @SPID);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 END\r\n\u00a0 \u00a0\u00a0\u00a0\u00a0END;\r\n\r\nEND;\r\nEND;\r\nGO\r\n\r\n-- Link the stored procedure to the Logon_Triggers_Queue \r\nALTER QUEUE Logon_Triggers_Queue\r\n\u00a0\u00a0\u00a0 WITH STATUS=ON,\r\n\u00a0\u00a0 ACTIVATION (\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 STATUS=ON,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PROCEDURE_NAME = usp_Logon_Triggers,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 MAX_QUEUE_READERS = 1,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EXECUTE AS SELF) ;\r\nGO<\/pre>\n
    The creation of the queue, service, event notification and route are pretty straightforward but if you need further details on setting up Service Broker, please refer to this article:<\/p>\n
    http:\/\/www.simple-talk.com\/sql\/learn-sql-server\/service-broker-foundations-workbench\/<\/a><\/p>\n
    The stored procedure is activated when a message is posted to the service. If the message type is event notification, the code gets the login name and the SPID (Session ID) of the new connection from the event data.<\/p>\n
    The information posted to the Logon_Triggers_Service,<\/b> about the AUDIT_LOGIN<\/b> event, has the following structure:<\/p>\n
    <EVENT_INSTANCE>\r\n\u00a0 <EventType>event_type<\/EventType>\r\n\u00a0 <PostTime>post_time<\/PostTime>\r\n\u00a0 <SPID>spid<\/SPID>\r\n\u00a0 <TextData>text_data<\/TextData>\r\n\u00a0 <BinaryData>binary_data<\/BinaryData>\r\n\u00a0 <DatabaseID>database_id<\/DatabaseID>\r\n\u00a0 <NTUserName>nt_user_name<\/NTUserName>\r\n\u00a0 <NTDomainName>nt_domain_name<\/NTDomainName>\r\n\u00a0 <HostName>host_name<\/HostName>\r\n\u00a0 <ClientProcessID>client_process_id<\/ClientProcessID>\r\n\u00a0 <ApplicationName>application_name<\/ApplicationName>\r\n\u00a0 <LoginName>login_name<\/LoginName>\r\n\u00a0 <StartTime>start_time<\/StartTime>\r\n\u00a0 <EventSubClass>event_subclass<\/EventSubClass>\r\n\u00a0 <Success>success<\/Success>\r\n\u00a0 <IntegerData>integer_data<\/IntegerData>\r\n\u00a0 <ServerName>server_name<\/ServerName>\r\n\u00a0 <DatabaseName>database_name<\/DatabaseName>\r\n\u00a0 <LoginSid>login_sid<\/LoginSid>\r\n\u00a0 <RequestID>request_id<\/RequestID>\r\n\u00a0 <EventSequence>event_sequence<\/EventSequence>\r\n\u00a0 <IsSystem>is_system<\/IsSystem>\r\n\u00a0 <SessionLoginName>session_login_name<\/SessionLoginName>\r\n<\/EVENT_INSTANCE><\/pre>\n
    Most of the elements are self explanatory:<\/p>\n