>>>Is 80K records for today in Application Event Viewer for MSSQLServer a clear indication of someone trying to hack the server and therefore bringing down the resources?
>>
>>Are those event records failed logins? I've seen that many times when people are working to guess the sa password. Your sa account will get locked out because of the failed attempts, by the way.
>>
>
>Yes, they are all failed logins.
>
>>First thing to do if possible is make sure TCP port 1433 is not allowed in through the corporate firewall. If your DMZ or otherwise external web server or outside client has to connect to the SQL server, make rules on the firewall or router to only allow 1433 in to the SQL server from specific IP addresses.
>
>Can you please elaborate on this? What exactly should I do?
The very first thing you should do is get your network administrator involved. Hack attempts on SQL Server may be external, or could be internal via a compromised workstation on your network, behind the corporate firewall. If you don't know the current firewall architecture and configuration DO NOT make any changes by yourself - your netadmin will be very p*ss*ed if you do.
Regards. Al
"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov
Neither a despot, nor a doormat, be
Every app wants to be a database app when it grows up