Jump to content
Sign in to follow this  
emulator

Rights necessary for backups

Recommended Posts

Hi All...

 

I have been working with our DB admin for backing up a MS SQL 2005 server. He is convinced that when using SQL authentication, the user that Retrospect is connecting to the server with should *NOT* be required to have the sysadmin privilege. He posted to a Microsoft SQL forum, and got a response from a Microsoft employee and forum moderator. I'm going to post the response FIRST, and then a link to the actual thread. It appears that the moderator believes that this is a flaw in Retrospect's security model:

 

It seems like a design flaw in the backup software (Retrospect); I would strongly recommend notifying the vendor about this bug and ask them if there is any way to disable this call.

 

From your description it seems like this particular software is under the assumption that backup administrators have sysadmin access to the server, obviously not a good security practice as you have already stated. Even more, they should not even be using this XP directly, I tried to find BOL information about this XP and I found out that this is an undocumented legacy module, and the verification for sysadmin membership is inside the XP code itself (that's why granting permissions is not enough).

 

Unfortunately there is no easy workaround; there is no way to limit the operations a sysadmin can perform on the server (i.e. sysdmin members have absolute power on the server).

 

-Raul Garcia

SDE/T

SQL Server Engine

 

The link to the forum thread is here:

 

 

So what's the deal here? Is Retrospect using a security model that is "overkill" for backing up a MSSQL server? The DB admin is very adamant about how unnecessary the backup model is, and would like to find a way around it.

 

Please help!

Edited by Guest

Share this post


Link to post
Share on other sites

SQL Requirements are clearly outlined in the Retrospect User's guide. They are basically the same as the exchange requirements:

 

http://kb.dantz.com/article.asp?article=9633&p=2 except you do not need to send an email to the RBU user account.

 

When you right click on the SQL Server and select "login as", I find it works best to use the SA account.

Edited by Guest

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×