emulator
Posted August 5, 2008 (edited)

Hi All...

I have been working with our DB admin for backing up a MS SQL 2005 server. He is convinced that when using SQL authentication, the user that Retrospect is connecting to the server with should *NOT* be required to have the sysadmin privilege.

He posted to a Microsoft SQL forum, and got a response from a Microsoft employee and forum moderator. I'm going to post the response FIRST, and then a link to the actual thread. It appears that the moderator believes that this is a flaw in Retrospect's security model:

It seems like a design flaw in the backup software (Retrospect); I would strongly recommend notifying the vendor about this bug and asking them if there is any way to disable this call. From your description it seems like this particular software is under the assumption that backup administrators have sysadmin access to the server, obviously not a good security practice as you have already stated. Even more, they should not even be using this XP directly, I tried to find BOL information about this XP and I found out that this is an undocumented legacy module, and the verification for sysadmin membership is inside the XP code itself (that's why granting permissions is not enough). Unfortunately there is no easy workaround; there is no way to limit the operations a sysadmin can perform on the server (i.e. sysadmin members have absolute power on the server).

-Raul Garcia
SDE/T
SQL Server Engine

The link to the forum thread is here: http://forums.microsoft.com/forums/ShowPost.aspx?PostID=3704982&SiteID=1

So what's the deal here? Is Retrospect using a security model that is "overkill" for backing up a MSSQL server? The DB admin is very adamant about how unnecessary the backup model is, and would like to find a way around it.

Please help!

Mayoff
Posted August 5, 2008 (edited)

SQL Requirements are clearly outlined in the Retrospect User's guide. They are basically the same as the Exchange requirements: http://kb.dantz.com/article.asp?article=9633&p=2 except you do not need to send an email to the RBU user account.

When you right click on the SQL Server and select "login as", I find it works best to use the SA account.
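
An added example, not part of the thread and not Retrospect's or Microsoft's code: the least-privilege baseline the DB admin is arguing for, shown for SQL Server's native BACKUP statement, followed by a query that lists who holds sysadmin on the instance. The login name retro_backup, the database SampleDb and the password placeholder are assumptions; per the reply quoted in the first post, Retrospect's own call checks sysadmin membership itself, so this does not change its behaviour.

```sql
-- Added example. retro_backup, SampleDb and the password are placeholders.

-- 1. Dedicated SQL-authentication login for backups, with no server roles.
CREATE LOGIN retro_backup
    WITH PASSWORD = N'<choose-a-strong-password>',
         CHECK_POLICY = ON;
GO

-- 2. Map it into the database and grant only what a native backup needs:
--    db_backupoperator allows BACKUP DATABASE, BACKUP LOG and CHECKPOINT.
USE SampleDb;
GO
CREATE USER retro_backup FOR LOGIN retro_backup;
EXEC sp_addrolemember N'db_backupoperator', N'retro_backup';
GO

-- 3. Check the effective rights from inside the login's own security context.
EXECUTE AS LOGIN = N'retro_backup';
SELECT
    IS_SRVROLEMEMBER(N'sysadmin')                                    AS is_sysadmin,
    HAS_PERMS_BY_NAME(N'SampleDb', N'DATABASE', N'BACKUP DATABASE') AS can_backup_db,
    HAS_PERMS_BY_NAME(N'SampleDb', N'DATABASE', N'BACKUP LOG')      AS can_backup_log;
REVERT;
GO

-- 4. Audit: every login that currently holds sysadmin on this instance.
--    A backup account appearing here has full control of the server.
SELECT m.name        AS login_name,
       m.type_desc   AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO
```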