Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
devenoza
Starting Member
14 Posts |
 Posted - 2013-03-07 : 15:19:55
|
| my company management has decided to have a backup to the nas share folder so if any users/DBAs are trying to take a backup to another location (i.e to thier local drive) they would not be able to do that, how can I achieve this task please? I was thinking of using policy based management but not sure how can I apply to many servers. I would appriciate your thoughts on this. Thanks... Dev |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2013-03-07 : 16:49:54
|
| I agree with Tara. Restrict backup permissions, and if possible, restrict backups to local drives only, then have a separate process copy/move them to the NAS.I have a crazy idea (who, me?) that might be an option, but it's a lot of work and I don't have the skill at this point. Basically:1. Create an event notification for AUDIT_BACKUP_RESTORE_EVENTs2. Have an activation procedure on the queue for that notification3. The procedure parses the event data (TextData and SPID nodes) to see if they are backing up to an unauthorized location4. Kill the spid that's doing it#3 is going to cause you a lot of grief since it's text parsing, and it's easily circumvented using the WITH MIRROR option. Plus the fact that anyone with access to the NAS can copy backups unless you lock that down, which is the key part of Tara's suggestion. |
 |
|
|
devenoza
Starting Member
14 Posts |
Posted - 2013-03-08 : 00:14:06
|
| Thanks Tara and Rob for your reply... if this is not possible or possible with crazy idea :-) then I would leave upto my seniors and will see if they come up with other solution... once again thank you... |
|
|
|
mbourgon
Starting Member
6 Posts |
Posted - 2013-03-28 : 14:27:54
|
| Okay, so it's doable... with a catch. (well, several) The catch will differ depending on what you want to do. Catch 1: You would think you could use a Trigger on the table. Not easily - "KILL command cannot be used inside user transactions."The code you'd use, for your activated Stored Procedure, should use transactions. Which means you'd have to set your code to deal with the messages, THEN write to the table, which would fire the trigger. However, without being transactional, it could lose messages. Catch 2: Modifying the activated stored procedure to kill the transaction. The catch is that the stored procedure doesn't have rights to kill it ("User does not have permission to use the KILL statement.")Fixing that... I'm not sure offhand, honestly. It may require granting a particular user the rights to do so, it may require certificates... heck, it might require TRUSTWORTHY. Ugh.Catch 3: this is probably the one to go with, if 2 doesn't work. Note that I haven't tested the job - but I've already spent my lunch hour playing with this, so that's it for now, sorry.The backup must take more than a minute to run. And this could kill other code...IF SO...Build the EN. Queue, Service, EN.Set up an activated SP that will write to a table (I used Parse_EN_Messages, from my blog, thebakingdba dot blogspot dot com, the rest of the code is below). Make sure the code in Parse_EN_Messages points at the new Queue (it does so in multiple places), and modify the enaudit_events table & parse_en_messages to add the TextData field. Now, set up a job that runs as often as possible (once a minute; you can't easily do it continuously since you want to make sure you don't keep killing it after it's already died)If there are, grab the SPID and KILL it. Since it's a job separate from the Queue, I don't see any problems with it.Here's the code to build things... you'll have to do the Parse_EN_Message yourself - too long for here.CREATE DATABASE BackupWatcherGOALTER DATABASE BackupWatcher SET ENABLE_BROKER;goUSE BackupWatchergoCREATE QUEUE BackupNotifyQueue GOcreate SERVICE BackupNotifyServiceON QUEUE BackupNotifyQueue ([http://schemas.microsoft.com/SQL/Notifications/PostEventNotification])GOCREATE EVENT NOTIFICATION BackupNotifyEvent ON SERVER WITH FAN_IN FOR AUDIT_BACKUP_RESTORE_EVENT TO SERVICE 'BackupNotifyService', 'current database';GOBACKUP DATABASE BackupWatcher TO DISK='BackupWatcher3.bak'go--set up PARSE_EN_MESSAGES and necessary tables, changing the Queue Name in the SP to BackupNotifyQueue ALTER QUEUE BackupNotifyQueue WITH STATUS = ON, RETENTION = OFF ,ACTIVATION(STATUS = ON, PROCEDURE_NAME = [dbo].[Parse_EN_Messages], MAX_QUEUE_READERS = 2, EXECUTE AS owner)---and here's the code for your jobDECLARE @now SMALLDATETIME, @sql NVARCHAR(100), @min INT, @max INTSET @now = GETDATE()DECLARE @spids_to_kill TABLE (id int IDENTITY, spid NVARCHAR(10))INSERT INTO @spids_to_killSELECT spid FROM enaudit_events WHERE eventtype = 'AUDIT_BACKUP_RESTORE_EVENT' AND TextData NOT LIKE '%\\youracceptedpathhere%' --or whatever location you want AND insert_datetime > DATEADD(mi,-1,@now)IF (SELECT COUNT(*) FROM [@spids_to_kill]) > 0BEGIN SELECT @min =MIN(id), @max = MAX(id) FROM @spids_to_kill WHILE @min <= @max BEGIN SELECT @sql = 'KILL ' + spid FROM @spids_to_kill WHERE ID = @min IF (SELECT COUNT(*) FROM sys.sysprocesses WHERE spid = @min AND command LIKE '%backup database%') >0 --we do that so it doesn't accidentally kill a SPID once the backup is done BEGIN EXEC sp_executesql @sql END SET @min = @min+1 END END |
|
|
|
devenoza
Starting Member
14 Posts |
Posted - 2013-05-30 : 15:24:50
|
| Thanks mbourgon! I will try this way and let you know how it goes :-) |
|
|
|
d3goldnews
Starting Member
3 Posts |
Posted - 2013-05-31 : 22:02:57
|
| I think so. I think your article will give those people a good reminding. And they will express thanks to you later.__________________I'd rather be a happy fool than a sad sage.unspammed |
|
|
|
|
|
|
|
|
Must have a backup to the specific location only
Tara Kizer