I have SQL Server 2008 R2 Express installed on client systems. We got information that some people just open the Management Studio and change the data.
How can we stop from this happening and can we make a log of what is being changed by them?
i could not get the idea of runas
.But i used @Martin Smith idea
and build solution which is below.
It will be used to disable all non sa user doing any activity in any login. I did not test it in active directory.
Deny Sql to connect.
Create TRIGGER DisableSMSSEntry_trigger
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
DECLARE @NtUserName AS NVARCHAR(100)
IF ( (SELECT DISTINCT RTRIM(LTRIM(nt_user_name)) AS LogedUser FROM sys.dm_exec_sessions WHERE is_user_process = 1 AND login_name !='sa') >0 )
BEGIN
SET @NtUserName= (SELECT DISTINCT RTRIM(LTRIM(nt_domain+'\'+nt_user_name)) AS LogedUser FROM sys.dm_exec_sessions WHERE is_user_process = 1 AND login_name !='sa')
DECLARE @membername AS varchar(100),@rolename AS varchar(100)
SET @membername=@NtUserName
set @rolename ='DB_DenyDataWriter'
EXEC sp_addrolemember @membername,@rolename
set @rolename = 'DB_DenyDataReader'
EXEC sp_addrolemember @membername,@rolename
exec (' DENY VIEW ANY DATABASE TO '+ @NtUserName )
exec ('DENY SQL CONNECT ' + @NtUserName )
ROLLBACK
END
END