SQL Server Security – How to Find Out Who Changed the Password for a Login?

loginspermissionsSecuritysql-server-2008-r2

I am trying to find out who changed the password for a login in SQL Server 2008 R2.

I have already checked default trace – and it does not log that event. The default trace will include these security-related events:

/*
    Audit Add DB user event
    Audit Add login to server role event
    Audit Add Member to DB role event
    Audit Add Role event
    Audit Add login event
    Audit Backup/Restore event
    Audit Change Database owner
    Audit DBCC event
    Audit Database Scope GDR event (Grant, Deny, Revoke)
    Audit Login Change Property event
    Audit Login Failed
    Audit Login GDR event
    Audit Schema Object GDR event
    Audit Schema Object Take Ownership
    Audit Server Starts and Stops 
*/

Also, looked into transaction log backup to find that out, but no luck.

Is there any other way to find it out ?

Also, I am aware that a server side trace will help, but unfortunately in our server side trace, we did not include the Audit Login Change Password Event.

Best article that I found is from Aaron Bertrand : Tracking Login Password Changes in SQL Server

Best Answer

My article will help if you set it up in advance, but not when the event happened in the past and you didn't have any kind of auditing mechanism set up.

There is still hope, though. Let's say I did this:

CREATE LOGIN flooberella WITH PASSWORD = N'x', CHECK_POLICY = OFF;

This information is in the default trace under EventClass 104 (Audit Addlogin Event). However, if I change the password using either of these methods:

ALTER LOGIN flooberella WITH PASSWORD = N'y';

EXEC sp_password N'y', N'z', N'flooberella';

These events are not captured by the default trace, for obvious security reasons - it should not be possible for anyone with access to the default trace to figure out what someone else's password is, nor do they want to make it easy to even find out that a password has been changed (polling the frequency of these events, for example, can reveal certain properties of your security strategy).

So what else can you do? While this relies on the information still being in the log, and it also relies on using an undocumented DBCC command against a system database (you may wish to back up master and restore it elsewhere), you can get some information from the transaction log, e.g.:

DBCC LOG(master, 1);

This will yield, for the above two commands, rows with the following (partial) information:

Current LSN             Description
======================  ======================================================================
000000f2:000001b8:0002  ALTER LOGIN;0x01050000000000051500000093a3bcd7a9f8fb1417ab13bce8030000
000000f2:000001b8:0004  Alter login change password;0x01050000000000 ... same sid as above ...

Doesn't seem like much, but now take that 0x portion of the description, and then do:

SELECT name FROM sys.server_principals
  WHERE sid = 0x01050000000000051500000093a3bcd7a9f8fb1417ab13bce8030000;

Smoking gun! This is the person responsible for that event.

Of course, if they use ALTER LOGIN syntax for all operations (which they should be using instead of sp_password), you can't distinguish between someone changing the default database and someone changing the password. You also can't tell (at least that I can see) which login this affected, only that this person changed a login. Jon seems to think that this information is in the log as well, but I failed to find it (unlike the time information, which somehow I scrolled right past).

There may be different answers for contained users in SQL Server 2012 - though I suspect password changes are still obfuscated in similar ways. Will leave that for a separate question.

Related Solutions

Sql-server – BUILTIN\Administrators accidently removed

To assign sysadmin, you have to do it while logged in as a sysadmin. From here,

Requires membership in the role to which the new member is being added.

which is basic escalation prevention.

You'll need to do one of two things:

Log in as a sysadmin (Windows account or otherwise), or have someone else do this if there are other sysadmin level logins on the server.
Restart the instance in single-user mode (which allows local administrators to log in as sysadmin automatically), fix the login, then restart in multi-user mode.

Sql-server – Adding the domain account to a security group on the SQL Server computer that has sufficient privileges to log on as a service

To answer your questions directly:

2) In order to add a login to the sysadmin fixed server role you can utilize ALTER SERVER ROLE ... ADD MEMBER (2012) or sp_addsrvrolemember (pre-2012). Here would be an example:

exec sp_addsrvrolemember 'yourLoginName', 'sysadmin';

3) Without having to reiterate what's found in the following documentation, take a look at this MSDN reference on the service permissions for each SQL Server service.

Best Answer

Related Solutions

Sql-server – BUILTIN\Administrators accidently removed

Sql-server – Adding the domain account to a security group on the SQL Server computer that has sufficient privileges to log on as a service

Related Question