I was sitting at my desk, happily minding my own business when an alert came through that a database backup had failed. Ok, backups fail, I just figured one of the transaction log backups hiccupped (we’ve been having some problems the last few days).
When I looked at the failure it was a backup trying to write to the C drive on the server.
I NEVER backup to C. It can easily fill the drive and take down the system.
A bigger indicator that something was up was that all of our backups are done across a 10Gb network to a centralized location for ease of tape backup. This indicated that someone, not a DBA, had the access to run a SQL backup.
I trawled through the permissions on the server and nobody has that level of access so I couldn’t figure out who had done this and how.
So What Happened?
Looking through the SQL logs I saw multiple attempts by a contractor to login to SQL, all of which failed, then about 5 minutes after the backup error came through. Interesting stuff, so I walked over to the contractor and asked what was going on.
After he was unable to login he went to the application admin who helped him out with access…using the application service account.
One of the third party applications from Microsoft some unnamed vendor has a database on that server. Due to the nature of the well designed code the database owner has to be the same as the service account of the application. The application admin knows this password (not my doing).
Continue reading on SirSQL.net.