How do I back up the database without Agent XPs enabled?


tim.cloud
The company I work for recently went through a MITRE federal security audit.
They are telling my boss that I must disable Agent XPs.
I have done this, but now my backup jobs don't appear to be working.
Is it true that the backup agent will not work?
Any ideas?

Thanks.
magasvs
You wouldn't be able to use SQL Server Agent to run jobs. SQL Server Agent will not start without this parameter enabled. You can create sqlcmd backup scripts and run Windows tasks instead of SQL Server Agent jobs.
ALZDBA
Kind of crab sold to your boss.

You should indeed disable them if you are not using sql agent jobs.

If your system is secure and you have implemented all security related best practices and are up to date with service packs, it shouldn't be a problem to use sqlagent.

I haven't seen a recommendation on sqlagent from our sox auditors.

Johan


homebrew01
I recently implemented a free tool called SQL Scheduler to use with SQL Internal Database (SSEE) that does not have SQL Agent. It's simple & works well, allowing me to schedule SQL Scripts.

http://www.lazycoding.com/home.aspx



tim.cloud
Thanks for the awesome suggestions. What I ended up doing was to script out all the backups and then run them from the command line using Windows 2003 Scheduled Tasks. That was done just to get everything compliant. I will not allow it to stay in such a vulnerable state. I need a more secure (and stable) task scheduling system other than Windows 2003 Scheduled Tasks. So, with that in mind... HomeBrew (user from post above), your suggestion of that freeware scheduling app will be downloaded and tried out.
Any suggestions for better blind backup job monitoring in such an environment?
I love all feedback, so don't hold back on me with those excellent ideas!!

Thanks.
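
The approach discussed in the posts above (a sqlcmd backup script run as a Windows scheduled task, plus a check so a failed backup does not go unnoticed), as an added example that is not part of the original thread. It runs the backup with a checksum, verifies the file, then confirms from `msdb.dbo.backupset` that a recent full backup is recorded, and returns a non-zero exit code on any failure. The server, database, paths and age threshold are assumptions, and the task account is assumed to have the rights to back up, verify and read `msdb.dbo.backupset`.

```powershell
# Added example, not from the thread. All parameter defaults are hypothetical.
# Run the scheduled task under a dedicated Windows account that has only the
# rights this script needs, rather than an administrator.
param(
    [string]$Server     = 'localhost',
    [string]$Database   = 'SalesDB',                 # hypothetical database
    [string]$BackupDir  = 'D:\Backups',              # hypothetical folder
    [string]$LogFile    = 'D:\Backups\backup.log',   # hypothetical log file
    [int]$MaxAgeMinutes = 1560                       # 26 hours, an assumed threshold
)

function Write-Log([string]$Level, [string]$Message) {
    $line = '{0} [{1}] {2}: {3}' -f (Get-Date -Format s), $Level, $Database, $Message
    Add-Content -Path $LogFile -Value $line
}

$file = Join-Path $BackupDir ("{0}_{1}.bak" -f $Database, (Get-Date -Format 'yyyyMMdd_HHmmss'))
$backupSql = "BACKUP DATABASE [$Database] TO DISK = N'$file' WITH CHECKSUM, INIT; " +
             "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;"

# -E uses the task's Windows identity, so no password is stored in the script.
# -b makes sqlcmd return a non-zero exit code when the batch fails.
$output = & sqlcmd -S $Server -E -b -Q $backupSql
if ($LASTEXITCODE -ne 0) {
    Write-Log 'ERROR' "backup or verify failed: $($output -join ' ')"
    exit 1
}

# Independent check: msdb records completed backups whether or not Agent is running.
$ageSql = "SET NOCOUNT ON; " +
          "SELECT ISNULL(DATEDIFF(MINUTE, MAX(backup_finish_date), GETDATE()), -1) " +
          "FROM msdb.dbo.backupset WHERE database_name = N'$Database' AND type = 'D';"
$ageOut = & sqlcmd -S $Server -E -b -h -1 -W -Q $ageSql
if ($LASTEXITCODE -ne 0) { Write-Log 'ERROR' 'could not query msdb.dbo.backupset'; exit 2 }

$age = [int]("$($ageOut | Select-Object -First 1)".Trim())
if ($age -lt 0 -or $age -gt $MaxAgeMinutes) {
    Write-Log 'ERROR' "last full backup age is $age minutes (-1 means none recorded)"
    exit 3
}
Write-Log 'OK' "verified $file; last full backup finished $age minutes ago"
exit 0
```

Windows Scheduled Tasks records the script's exit code as the task's last result, so a monitoring check can alert on any non-zero value or on a log file that has stopped receiving `OK` lines.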
Steve Jones
I somewhat fail to see what's insecure about the Agent XPs. If the auditors don't like that, did they pass Windows Scheduled Tasks? Is that more secure somehow?

I'd ask them what they recommend. They must have passed someone as secure that schedules tasks.

EdVassie
I would definitely ask WHY the SQL Agent tasks are prohibited. The answer needs to be more than 'the auditor said so', as this just shows the auditor probably knows very little about SQL Server.

You should be told what exposure exists with SQL Agent, and how that exposure does not exist with the alternatives allowed by the auditor.

Steve-3_5_7_9
As mentioned above, you need to know the "why?" and be offered alternative recommendations by the auditor.

The SQL Agent is highly used and any vulnerabilities would be fixed by MS; using other tools such as the "freeware" scheduler mentioned above (SQL Scheduler) might make you more vulnerable to security holes.


