SQL Server trusted connection additional security

The feature designed to help in this scenario is Application Roles. With an Application Role you can allow the user to connect to the target database, but not be able to run any queries until the application supplies a secret to activate the Application Role.
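An added example, not part of the original answer, showing the Application Role flow described above in T-SQL. The table `dbo.Orders`, the role name `SalesApp` and the password are hypothetical placeholders, and the script assumes a scratch database and a login allowed to create application roles.

```sql
-- 1. One-time setup, run by a DBA in the target database.
--    dbo.Orders, SalesApp and the password are placeholders for illustration.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Item nvarchar(50));
INSERT INTO dbo.Orders (OrderId, Item) VALUES (1, N'constructed sample row');
GO

CREATE APPLICATION ROLE SalesApp
    WITH PASSWORD = 'Replace-With-Str0ng-Secret!';   -- placeholder secret
GO

-- Grant object permissions to the application role only.
-- End users keep CONNECT on the database and nothing else, so a trusted
-- connection from another client tool can log in but cannot read the table.
GRANT SELECT ON OBJECT::dbo.Orders TO SalesApp;
GO

-- 2. At runtime, the application runs this on its already-open connection.
DECLARE @cookie varbinary(8000);

EXEC sys.sp_setapprole
     @rolename      = N'SalesApp',
     @password      = N'Replace-With-Str0ng-Secret!',
     @fCreateCookie = true,          -- request a cookie so the role can be reverted
     @cookie        = @cookie OUTPUT;

-- The session now runs with the role's permissions instead of the user's.
SELECT USER_NAME() AS active_principal;   -- reports the application role name
SELECT OrderId, Item FROM dbo.Orders;

-- 3. Revert to the original user context before the connection is reused,
--    which matters when connection pooling is enabled.
EXEC sys.sp_unsetapprole @cookie;
SELECT USER_NAME() AS active_principal;   -- back to the connecting user
GO
```

The role's password has to be stored in or retrievable by the application, so the protection is only as strong as the handling of that secret on the client side.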


A possible solution is to create a server logon trigger that would check the app_name(). I created the following server trigger on my local instance and tried to connect via ODBC. The connection was rejected. You would have to modify it for your needs.

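-- Server-level logon trigger: refuse any login whose client-reported
-- application name is not on the allow list below.
CREATE TRIGGER trgGetAppName ON ALL SERVER
FOR LOGON AS
BEGIN
    IF APP_NAME() NOT LIKE 'Microsoft SQL Server Management Studio%'
        AND APP_NAME() NOT LIKE '.Net SqlClient Data Provider%'
    BEGIN
        ROLLBACK;  -- rolling back inside a logon trigger rejects the connection
    END
END;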

A word of caution about logon triggers:

A logon trigger can effectively prevent successful connections to the Database Engine for all users, including members of the sysadmin fixed server role. When a logon trigger is preventing connections, members of the sysadmin fixed server role can connect by using the dedicated administrator connection, or by starting the Database Engine in minimal configuration mode (-f).