Hi @Jorge ,
Is the reply helpful?
BR,
Mia
If the answer is helpful, please click "Accept Answer" and upvote it.
Hi, I would like to know why my SQL configuration is changing automatically. I am worried that it can be a security issue.
First, my admin account, the one I use locally with Windows Authentication, gets disabled.
Then a DB in my instance changes to restricted mode and single user.
Finally, the maxed memory, min memory per query, max thread user and the blocked thresholds configuration changes, creating a big error in the DB that did not let me log in.
Please, I would like to know why this configuration changes with no apparent reason. When I see the logs of these changes it says user: N/A.
Checking some login logs, I found hundreds of login tries with different users, maybe a brute force attack. So I am starting to think that maybe this can be a security issue.
Hi @Jorge ,
Hi, I would like to know why my SQL configuration is changing automatically...
SQL configuration can't be changed automatically by itself unless someone is trying to change it.
Try the following code and show a screenshot of the result:
-- Read configuration-change messages from the current default trace file
SELECT
    T.DatabaseName,
    T.TextData,
    T.HostName,
    T.ApplicationName,
    T.LoginName,
    T.StartTime,
    T.EventClass,
    CASE T.IsSystem
        WHEN 1 THEN 'YES'
        ELSE 'NO'
    END AS IsSystem
FROM sys.fn_trace_gettable(CONVERT(VARCHAR(150),
        ( SELECT TOP 1 f.[value]
          FROM sys.fn_trace_getinfo(NULL) f
          WHERE f.property = 2   -- property 2 = trace file path
        )), DEFAULT) T
WHERE T.TextData LIKE '%configuration option%'
  AND T.EventClass = 22   -- ErrorLog event, where configuration changes are recorded
ORDER BY T.StartTime DESC;
If the result is the same as when you use sql-server-ssms-configuration-changes-history
Please track the failed logins as described here: audit-failed-sql-server-logins-part-iii-the-solution (note: you need to download a third-party tool, as the doc describes)
And track the unauthorized configuration as described here: spotting-unauthorized-configuration-settings-sql-server
BR,
Mia
If the answer is helpful, please click "Accept Answer" and upvote it.
Is your SQL instance exposed on the internet? In that case, you need to fix that.
Exactly what do these log entries say? Changes to configuration options such as "Max server memory" manifest themselves in the SQL Server errorlog, but only the spid is logged, not the user. The default trace will also have the user information, but the information here is not kept for very long.
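As an added example (not part of the original thread), the sketch below reads error log text for the two things discussed above: failed logins grouped by client address, and configuration or database option changes, for which the error log gives only the spid. The sample lines, addresses, database name and the `min_users` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SQL Server ERRORLOG text format (not from the thread).
SAMPLE_LOG = """\
2021-03-04 10:14:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2021-03-04 10:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2021-03-04 10:14:02.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-03-04 10:14:03.77 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2021-03-04 10:20:11.05 Logon       Login failed for user 'app_rw'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2021-03-04 10:31:45.90 spid57      Configuration option 'max server memory (MB)' changed from 2147483647 to 128. Run the RECONFIGURE statement to install.
2021-03-04 10:32:10.31 spid57      Setting database option SINGLE_USER to ON for database 'Sales'.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\S+) to (?P<new>\S+?)\.")
DBOPT = re.compile(r"Setting database option (?P<opt>\S+) to (?P<val>\S+) for database '(?P<db>[^']+)'")


def analyze(log_text, min_users=3):
    """Return (suspicious_clients, changes) extracted from error log text."""
    tried = defaultdict(set)  # client address -> login names attempted
    changes = []              # (timestamp, spid, description); no user is available here
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # continuation lines or unrelated text
        ts, src, msg = line.group("ts", "src", "msg")
        failed = FAILED.search(msg)
        if failed:
            tried[failed.group("client")].add(failed.group("user"))
            continue
        cfg = CONFIG.search(msg)
        if cfg:
            changes.append((ts, src, "{opt}: {old} -> {new}".format(**cfg.groupdict())))
            continue
        dbo = DBOPT.search(msg)
        if dbo:
            changes.append((ts, src, "{db}: {opt} = {val}".format(**dbo.groupdict())))
    # Many different login names from one address is the guessing pattern to look at first.
    suspicious = {c: sorted(u) for c, u in tried.items() if len(u) >= min_users}
    return suspicious, changes


if __name__ == "__main__":
    clients, changes = analyze(SAMPLE_LOG)
    print(clients)
    for change in changes:
        print(change)
```

The ERRORLOG file on disk is normally UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `analyze`. The spid and timestamp of each change are what you match against `LoginName` and `StartTime` in the default trace query to find the account behind it.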