- Adam Thurgar
Prod server access
Whilst doing a routine check of some SQL Servers I came across the following login failure message.
Login failed for user 'our-domain\one-of-our-servers$'. Reason: Could not find a login matching the name provided. [CLIENT: xxx.xxx.x.xx].
This is usually the AD machine account for a server.
What intrigued me was that the server login failure was from a dev server. A dev server trying to access a production server.
To investigate further, we changed the server auditing for a brief period to cover all logins, not just failed ones.
What we found was that there were a number of non-prod servers accessing production servers.
They are now removing this access to production servers, unless there is sufficient justification.
Do you know who has access to your servers and why?
This could have been a case of being lazy, but it could also have been a backdoor.
It just reminded me to do security checks more often and be more vigilant.
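The review described above can be scripted once login auditing covers both successes and failures. The following is an added example, not code from the original post: it parses login-audit lines in the SQL Server error log format and counts logins per source host for clients listed as non-production. The log lines, domain, host names, addresses and the `NON_PROD_CLIENTS` inventory are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SQL Server error log login-audit format.
# Domain, logins and addresses are made up for illustration.
SAMPLE_LOG = """\
2024-03-04 09:15:01.22 Logon       Login failed for user 'CORP\\DEVSQL01$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.0.15]
2024-03-04 09:15:07.80 Logon       Login succeeded for user 'CORP\\svc_app'. Connection made using Windows authentication. [CLIENT: 10.10.0.21]
2024-03-04 09:16:12.41 Logon       Login succeeded for user 'CORP\\svc_etl'. Connection made using Windows authentication. [CLIENT: 10.20.0.15]
2024-03-04 09:17:30.05 Logon       Login succeeded for user 'report_reader'. Connection made using SQL Server authentication. [CLIENT: 10.20.0.31]
2024-03-04 09:18:02.90 Logon       Login succeeded for user 'CORP\\svc_app'. Connection made using Windows authentication. [CLIENT: <local machine>]
"""

# Assumed inventory (hypothetical): client address -> non-production host name.
NON_PROD_CLIENTS = {"10.20.0.15": "DEVSQL01", "10.20.0.31": "TESTWEB02"}

LOGIN_RE = re.compile(
    r"Login (succeeded|failed) for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")


def non_prod_logins(log_text, non_prod_clients):
    """Count audited logins per (source host, login) for non-prod clients."""
    hits = defaultdict(lambda: {"succeeded": 0, "failed": 0})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login-audit line
        outcome, login, client = m.groups()
        host = non_prod_clients.get(client)
        if host is None:
            continue  # production, local or unlisted client
        hits[(host, login)][outcome] += 1
    return dict(hits)


def report(hits):
    """One line per (host, login); machine accounts end with '$'."""
    rows = []
    for (host, login), c in sorted(hits.items()):
        kind = "machine account" if login.endswith("$") else "login"
        rows.append(f"{host} -> {kind} {login}: "
                    f"{c['succeeded']} ok, {c['failed']} failed")
    return rows


if __name__ == "__main__":
    for row in report(non_prod_logins(SAMPLE_LOG, NON_PROD_CLIENTS)):
        print(row)
```

Each row in the output is a non-production source with access to review: successful logins show access that exists today, while failed machine-account logins show something on that host still attempting to connect.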