Comprehensive data protection for all workloads
davidwatts71
Enthusiast
Posts: 32
Liked: 8 times
Joined: Oct 30, 2017 8:05 am
Full Name: David Alexander Watts
Contact:

FEATURE REQUEST: SQL account for Application aware processing

Post by davidwatts71 »

Case #03485338

We are using Veeam 9.5 Update 4. Our Veeam server is not joined to the domain for security reasons. When we use application-aware processing, we use the local Administrator account, which is explained here.

1. Ensure that the account being used by Veeam is a member of the Local Administrators group on the VM that is to be backed up.
2. If the account being used is not named “Administrator”, you must disable UAC on the Guest OS of the VM to be backed up.
https://www.veeam.com/kb1788
Disabling UAC is not an option here, so we are using the local Administrator to back up a database server.

The problem we face is that in order to use application-aware processing with "Truncate SQL logs" we need to add the local Administrator to the ‘Sysadmin’ role in SQL Server. This is a big problem for our DBAs and security department. If the local administrator is compromised, so is the database.

Would it not be possible to add an extra account credential for SQL logins? This option is available in the Oracle tab; there you can specify an Oracle account with SYSDBA privileges.

If there is no workaround to this, then we would like this to be a feature request.
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: FEATURE REQUEST: SQL account for Application aware processing

Post by HannesK »

Hello,
"If the account being used is not named “Administrator”, you must disable UAC on the Guest OS of the VM to be backed up."
This is only correct for VIX, as mentioned in the KB article. VIX is the fallback method and not built for SQL log shipping. The VIX interface is too slow. So the normal way for SQL log backup should always be network. Restore requires network.

Having said that, it does not solve the request from the SQL DBAs. From my point of view, every local administrator can compromise everything. In Veeam Agent for Windows, you can set a user:
see here

I understand that this workaround is not perfect...

Best regards,
Hannes

Re: FEATURE REQUEST: SQL account for Application aware processing

Post by davidwatts71 »

@HannesK

So what you are saying is that I need to install Veeam Agent for Windows on a virtual machine? I might have misunderstood something here, but I thought the agent was only for physical machines.

David
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: FEATURE REQUEST: SQL account for Application aware processing

Post by Dima P. »

Hello David,

Have you tried creating the SQL account with a limited set of permissions, as described in this Help Center article?

Help Center wrote: To provide minimal permissions, the account must be assigned the following roles and permissions:

SQL Server instance-level role: public.
Database-level roles: db_backupoperator, db_denydatareader, public; for system databases (master, model, msdb) — db_backupoperator, db_datareader, public; for system database (msdb) — db_datawriter.
Securables: view any definition, view server state.

Does that help in your case? Thank you!
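
The permission set quoted from the Help Center above, written out as T-SQL. This is an added example, not part of the original posts and not Veeam's own script; the login name `veeam_sql`, the database name `UserDb` and the password are placeholders, and `ALTER ROLE ... ADD MEMBER` assumes SQL Server 2012 or later.

```sql
-- Added example: [veeam_sql], [UserDb] and the password are placeholders.
USE master;
CREATE LOGIN [veeam_sql]
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
-- For a Windows account instead: CREATE LOGIN [HOST\account] FROM WINDOWS;

-- Securables. The instance-level public role is held by every login,
-- so nothing has to be granted for it.
GRANT VIEW ANY DEFINITION TO [veeam_sql];
GRANT VIEW SERVER STATE TO [veeam_sql];

-- System databases (master, model, msdb): db_backupoperator, db_datareader.
CREATE USER [veeam_sql] FOR LOGIN [veeam_sql];
ALTER ROLE db_backupoperator ADD MEMBER [veeam_sql];
ALTER ROLE db_datareader ADD MEMBER [veeam_sql];

USE model;
CREATE USER [veeam_sql] FOR LOGIN [veeam_sql];
ALTER ROLE db_backupoperator ADD MEMBER [veeam_sql];
ALTER ROLE db_datareader ADD MEMBER [veeam_sql];

USE msdb;
CREATE USER [veeam_sql] FOR LOGIN [veeam_sql];
ALTER ROLE db_backupoperator ADD MEMBER [veeam_sql];
ALTER ROLE db_datareader ADD MEMBER [veeam_sql];
ALTER ROLE db_datawriter ADD MEMBER [veeam_sql];   -- msdb only

-- Repeat this block for each user database that is backed up.
USE [UserDb];
CREATE USER [veeam_sql] FOR LOGIN [veeam_sql];
ALTER ROLE db_backupoperator ADD MEMBER [veeam_sql];
ALTER ROLE db_denydatareader ADD MEMBER [veeam_sql]; -- no read access to table data

-- Check for the DBAs: confirm the login is not a member of sysadmin,
-- then list the roles it holds in the current database.
SELECT IS_SRVROLEMEMBER('sysadmin', 'veeam_sql') AS is_sysadmin;
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'veeam_sql';
```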

Re: FEATURE REQUEST: SQL account for Application aware processing

Post by HannesK »

As mentioned, my workaround is ugly... and I have to admit that I did not read exactly what you wrote, so Dima's workaround is probably better. You don't need sysadmin permissions on the database.

Re: FEATURE REQUEST: SQL account for Application aware processing

Post by davidwatts71 »

Thanks, that worked fine :-). I thought only the sysadmin could process the transaction logs.

Thanks again