Backup SQL Server database to UNC

Thanks to Tracy McKibben and Geoff Hiten for pointing me in the right direction in a previous post. However, I found another solution.

In order to backup an SQL Server database to another machine, you must specify a UNC path to a share. The backup is performed with the credentials of the SQL Server service, for example mssql$<instance> or mssqlserver. One solution suggested is to change the logon credentials of this service to a domain user with permissions to the share. Another is to enable null session shares on the SQL Server machine, which allows anonymous access.

Instead, I left the logon credentials of the service alone, as LocalSystem. Then I granted the computer object (in an Active Directory domain) permissions to the share. I had to grant this permission on the Sharing tab of the properties dialog of the share, not the Security tab. On the Sharing tab (an XP computer), I clicked "Permissions", then "Add", then clicked the "Object Types..." button to add computers to the list of object types. Then I was able to add the domain computer object and grant Full Control permissions. Any comments?

Richard Mueller

----------

Richard Mueller wrote:
> Thanks to Tracy McKibben and Geoff Hiten for pointing me in the right
> direction in a previous post. However, I found another solution.
>
> In order to backup an SQL Server database to another machine, you must
> specify a UNC path to a share. The backup is performed with the credentials
> of the SQL Server service, for example mssql$<instance> or mssqlserver. One
> solution suggested is to change the logon credentials of this service to a
> domain user with permissions to the share. Another is to enable null session
> shares on the SQL Server machine, which allows anonymous access.
>
> Instead, I left the logon credentials of the service alone, as LocalSystem.
> Then I granted the computer object (in an Active Directory domain)
> permissions to the share. I had to grant this permission on the Sharing tab
> of the properties dialog of the share, not the Security tab. On the Sharing
> tab (an XP computer), I clicked "Permissions", then "Add", then clicked the
> "Object Types..." button to add computers to the list of object types. Then
> I was able to add the domain computer object and grant Full Control
> permissions. Any comments?
>
> Richard Mueller

Interesting... I'm not much of an Active Directory guy, wouldn't have thought of this...

----------

Tracy McKibben wrote:
> Interesting... I'm not much of an Active Directory guy, wouldn't have
> thought of this...

I'm MVP in ADSI. Your link got me thinking that it's really the computer object that needs permission. I like granting this object the permission because I don't have to worry about passwords expiring, or an account being disabled, or granting anonymous access. I also think I'd rather have customers do this, since they already must create the share if they want to backup to another machine.

Richard Mueller

----------

Richard Mueller wrote:
> Tracy McKibben wrote:
>> Interesting... I'm not much of an Active Directory guy, wouldn't have
>> thought of this...
>>
>
> I'm MVP in ADSI. Your link got me thinking that it's really the computer
> object that needs permission. I like granting this object the permission
> because I don't have to worry about passwords expiring, or an account being
> disabled, or granting anonymous access. I also think I'd rather have
> customers do this, since they already must create the share if they want to
> backup to another machine.
>
> Richard Mueller

Makes sense to me...

----------

Hi,
I believe there are issues. Per Active Directory experts, a knowledgeable person with physical access to the machine (in this case, the computer with SQL Server, which has been granted permissions to a share), can access LocalSystem. They would have the permissions granted to the computer. In an Active Directory newsgroup this came up recently when it was recommended that you should never add a computer object to the Domain Admins group. Of course, if someone accesses the machine and assumes the LocalSystem identity, you have bigger problems.

"ML" <M*@discussions.microsoft.com> wrote in message news:D1FEA5DD-68B6-4129-BB23-61CD2345BD89@microsoft.com...
> And this doesn't lead to any security gaps?
>
>
> ML
>
> ---
> http://milambda.blogspot.com/

----------

Interesting. I hadn't gone down that route since I never run SQL servers under LocalSystem. Good to know, though. Thanks for the feedback.

--
Geoff N. Hiten
Senior Database Administrator
Microsoft SQL Server MVP

"Richard Mueller" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message news:uqY2bSrpGHA.4216@TK2MSFTNGP04.phx.gbl...
> Thanks to Tracy McKibben and Geoff Hiten for pointing me in the right
> direction in a previous post. However, I found another solution.
>
> In order to backup an SQL Server database to another machine, you must
> specify a UNC path to a share. The backup is performed with the
> credentials of the SQL Server service, for example mssql$<instance> or
> mssqlserver. One solution suggested is to change the logon credentials of
> this service to a domain user with permissions to the share. Another is to
> enable null session shares on the SQL Server machine, which allows
> anonymous access.
>
> Instead, I left the logon credentials of the service alone, as
> LocalSystem. Then I granted the computer object (in an Active Directory
> domain) permissions to the share. I had to grant this permission on the
> Sharing tab of the properties dialog of the share, not the Security tab.
> On the Sharing tab (an XP computer), I clicked "Permissions", then "Add",
> then clicked the "Object Types..." button to add computers to the list of
> object types. Then I was able to add the domain computer object and grant
> Full Control permissions. Any comments?
>
> Richard Mueller

----------

Thanks for that 'tidbit' Richard.
It can be quite useful in some circumstances - especially when admins don't want to create network accounts with non-expiring credentials.

--
Arnie Rowland*
"To be successful, your heart must accompany your knowledge."

"Richard Mueller" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message news:uqY2bSrpGHA.4216@TK2MSFTNGP04.phx.gbl...
> Thanks to Tracy McKibben and Geoff Hiten for pointing me in the right
> direction in a previous post. However, I found another solution.
>
> In order to backup an SQL Server database to another machine, you must
> specify a UNC path to a share. The backup is performed with the
> credentials of the SQL Server service, for example mssql$<instance> or
> mssqlserver. One solution suggested is to change the logon credentials of
> this service to a domain user with permissions to the share. Another is to
> enable null session shares on the SQL Server machine, which allows
> anonymous access.
>
> Instead, I left the logon credentials of the service alone, as
> LocalSystem. Then I granted the computer object (in an Active Directory
> domain) permissions to the share. I had to grant this permission on the
> Sharing tab of the properties dialog of the share, not the Security tab.
> On the Sharing tab (an XP computer), I clicked "Permissions", then "Add",
> then clicked the "Object Types..." button to add computers to the list of
> object types. Then I was able to add the domain computer object and grant
> Full Control permissions. Any comments?
>
> Richard Mueller
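
The grant described in the first post, scripted instead of clicked, as an added example that is not part of the thread. It assumes a file server with the SmbShare cmdlets (Windows Server 2012 or later); CONTOSO, SQLHOST01, FILESRV01, SqlBackups, D:\SqlBackups and MyDb are placeholders. Because any process running as LocalSystem on the SQL Server host gets the same access, it grants Change on a dedicated share rather than the Full Control used in the post, on the assumption that the backup only needs to write files.

```powershell
# Added example, run on the file server that hosts the backup share.
# All names below are placeholders (assumptions), not values from the thread.
$Domain    = 'CONTOSO'        # NetBIOS domain name
$SqlHost   = 'SQLHOST01'      # machine where SQL Server runs as LocalSystem
$ShareName = 'SqlBackups'
$SharePath = 'D:\SqlBackups'

# A LocalSystem service authenticates to other machines as the computer
# account, whose name is the host name followed by '$'.
$Account = "$Domain\$SqlHost`$"

New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# Share-level permission (the "Sharing" tab in the post): Change, not Full.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
        -AccessRight Change -Force | Out-Null
} else {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Account | Out-Null
}

# NTFS permission (the "Security" tab): effective access is the more
# restrictive of the share and NTFS permissions, so grant Modify here too.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Review: list share entries that are broader than intended.
Get-SmbShareAccess -Name $ShareName |
    Where-Object {
        $_.AccountName -match 'Everyone|ANONYMOUS LOGON' -or
        "$($_.AccessRight)" -eq 'Full'
    } |
    Format-Table AccountName, AccessControlType, AccessRight

# On the SQL Server side the backup then targets the UNC path, e.g.
#   BACKUP DATABASE [MyDb] TO DISK = N'\\FILESRV01\SqlBackups\MyDb.bak';
# (MyDb and FILESRV01 are placeholders.)
```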