February 10, 2012 at 2:36 am
Good morning everyone,
I start my SQL Server and SQL Agent with a domain service user, domain\svcsql. I use this user for different servers.
I added the user to the local SQL Server groups in the user management of the servers that I use.
Let's say I have two servers, PROD and TEST, and I have an agent job that schedules my backup from PROD to TEST (UNC - backup device).
\\TEST\D$\Backup where the domain\svcsql has modify/write rights.
I mostly get an operating system error, and that means the user does not have enough rights, because when I make this user an admin on the test server, the backup succeeds.
But due to the security vulnerability I don't like this option. I can do the job as an admin, but it's not correct to use a working user for these jobs.
Does anyone have a tip to solve my issue?
Kind regards,
André
February 10, 2012 at 8:39 am
I'd recommend not using administrative shares in order to perform those backups.
Create a shared folder on the TEST server (such as \\TEST\ProdBackups$) and set the permissions on the share and the folder for the service account.
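The setup recommended in the reply above, as an added example that is not part of the original thread: a dedicated hidden share on TEST where only the service account gets write access, on both the share and the folder. The local path `D:\ProdBackups` is an assumption, and the SmbShare cmdlets require Windows Server 2012 or later.

```powershell
# Added example, not from the thread. Run in an elevated session on TEST.
$Account   = 'domain\svcsql'    # service account named in the thread
$Folder    = 'D:\ProdBackups'   # assumed local path for the backup folder
$ShareName = 'ProdBackups$'     # hidden share name suggested in the reply

New-Item -Path $Folder -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from D:\ and grant only what is needed.
# On a pre-existing folder, explicit ACEs already present are kept; review them.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # protect, do not copy inherited ACEs

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $Account;                 Rights = 'Modify' }      # write backups, no ACL changes
)
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                  $e.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Share: Change access for the service account only. Passing an explicit
# access list means the default "Everyone: Read" entry is not created.
New-SmbShare -Name $ShareName -Path $Folder -ChangeAccess $Account | Out-Null

# Verify both layers; effective access is the more restrictive of the two.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The backup device in the agent job then points at `\\TEST\ProdBackups$` instead of `\\TEST\D$\Backup`, so the service account no longer needs local administrator rights on TEST.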
February 11, 2012 at 1:20 am
That's a good idea, I will try a share with security.
February 15, 2012 at 1:50 am
Thanks, it works fine and is even more secure than rights a service user doesn't need.
February 15, 2012 at 2:02 am
Also, I would strongly recommend using different domain accounts for test and live servers. Think about it - at the moment, everything that your live server has access to, so does your test server. Even if this isn't a particular security issue for you, you will want your testing to fail if you accidentally point it at live resources.
I would go even further and recommend that you use a different domain account for each server for maximum security and integrity. That's how we do it here - indeed we even have different accounts for SQL Server and SQL Server Agent!
John
February 15, 2012 at 4:56 am
I like this solution. So when there is a security threat you only have to lock one account. And when you're testing something and the account locks, you don't bother the production server.