How to I backup the database without Agent XPs enabled?

  • The company I work for recently went through a MITRE federal security audit.

    They are telling my boss that I must diable Agent XPs.

    I have done this, but now my backup jobs don't appear to be working.

    Is it true that the backup agent will not work?

    Any ideas?

    Thanks.

  • You wouldn't be able to use SQL Server Agent to run jobs. SQL Server Agent will not start without this parameter enabled. You can create sqlcmd backup scripts and run Windows tasks instead of SQL Server Agent jobs.

  • Kind of crab sold to your boss.

    You should indeed disable them if you are not using sql agent jobs.

    If your system is secure and you have implemented all security related best practices and are up to date with service packs, it shouldn't be a problem to use sqlagent.

    I haven't seen a recommendation on sqlagent from our sox auditors.:ermm:

    Johan

    Learn to play, play to learn !

    Dont drive faster than your guardian angel can fly ...
    but keeping both feet on the ground wont get you anywhere :w00t:

    - How to post Performance Problems
    - How to post data/code to get the best help[/url]

    - How to prevent a sore throat after hours of presenting ppt

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

  • I recently implemented a free tool called SQL Scheduler to use with SQL Internal Database (SSEE) that does not have SQL Agent. It's simple & works well, allowing me to schedule SQL Scripts.

    http://www.lazycoding.com/home.aspx

  • Thanks for the awesome suggestions. What I ended up doing was to script out all the backups and then run them from the command line using Windows 2003 Scheduled Tasks. That was done just to get everything compliant. I will not allow it to stay in such a vunerable state. I need a more secure (and stable) task sheduling system other than Windows 2003 Scheduled Tasks. So, with that in mind....HomeBrew (user from post above) your suggestion of that freeware scheduling app will be downloaded and tried out.

    Any suggestions for better blind backup job monitoring in such an environment?

    I love all feedback, so don't hold back on me with those excellent ideas!!

    Thanks.

  • I somewhat fail to see what's insecure about the Agent XPs. If the auditor's don't like that, did they pass Windows Scheduled Tasks? Is that more secure somehow?

    I'd ask them what they recommend. They must have passed someone as secure that schedules tasks.

  • I would definitely ask WHY the SQL Agent tasks are prohibited. The answer needs to be more than 'the auditor said so', as this just shows the auditor probably knows very little about SQL Server.

    You should be told what exposure exists with SQL Agent, and how that exposure does not exist with the alternatives allowed by the auditor.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • As mentioned above, you need to know the "why?" and be offered alternative recommendations by the auditor.

    The SQL Agent is highly used and any vulnerabilities would be fixed by MS, using other tools such as the "freeware" schedule mentioned above (SQL Scheduler) might make you more vulnerable to security holes.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply