Login failed for user 'sa'.

In my event viewer, I am getting a Failure Audit message with source MSSQLSERVER that says Login failed for user 'sa'.  [CLIENT:].  All my databases use Windows Authentication.  Is this someone trying to hack the server?  If so, how do I stop it?
Who is Participating?
SCarrisonConnect With a Mentor Commented:
It would seem that a machine on the internet with the IP address is attempting to login to your database server with the sa account.

Firstly, your database server should not be available directly via the internet - this is terribly bad practice from a security and sys admin point of view.  If your server is behind a firewall or router make sure that SQL ports are not being fowarded from the internet into your LAN.
kdataAuthor Commented:
Thanks for the advice.  I closed the port on the router and that stopped the intrusion without affecting our network access.  I am not sure why the port was open in the first place.
Even you have set your SQL to use Windows Authentication, it does not mean that you cannot use the SA account. You may want to check on the client IP address and find out where ther actual source is coming from and if it's one of your SQL admin trying to use it. Or if there's any other admin tools trying to use that account.
I know this is a long time issue...may i know what port is that you closed??
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.