A question for SQL gurus

Old 02 August 2011, 03:05 AM
  #1  
markr1963

I'm working on a project for a client that includes installing Symantec ServiceDesk 7.1 with off-box SQL. One of the prerequisites is that the computer account of the SD box is added to the local admins group of the SQL box. The client's DBAs are asking why, and me telling them that Symantec says so isn't cutting it. There's nothing in the documentation or KBs, so can anyone explain why this may be needed?

Thanks
Mark
Old 02 August 2011, 08:44 AM
  #2  
An0n0m0us

I know this is probably stating the bleeding obvious but by purchasing that product did they not get any Symantec technical support with it that could answer that question for you by way of a phone call to them?

Don't you just love DBAs, almost as much of a pain in the ar$e as Unix engineers.
Old 02 August 2011, 09:46 AM
  #3  
simonchapman1986

Well, it's needed because it needs to have the restricted security on the SQL box to only be accessed by the other machine (you're basically locking everything down). From the product and jargon you are talking I can only presume this is a Windows machine? So you need to get into the user group settings (control panel), and add from the network the machine (which should be auto-detected) admin group into the local admin group - this will tie up the machine into the other's local settings and thus should work.

Although not 100% as "I'm a pain in the ar$e unix engineer :P " haha
Old 02 August 2011, 10:06 AM
  #4  
An0n0m0us

Old 02 August 2011, 01:25 PM
  #5  
markr1963

Originally Posted by An0n0m0us
I know this is probably stating the bleeding obvious but by purchasing that product did they not get any Symantec technical support with it that could answer that question for you by way of a phone call to them?

Don't you just love DBAs, almost as much of a pain in the ar$e as Unix engineers.

Sure, they have access to tech support but in this regard and with past experience I doubt they'd be able to help, certainly not the first line engineers. The info will be buried somewhere within the yellow machine, getting it is the tricky bit.

Fortunately, I don't have much contact with those pale skinned folks that inhabit the windowless rooms in IT depts
Old 02 August 2011, 01:28 PM
  #6  
markr1963

Originally Posted by simonchapman1986
Well, it's needed because it needs to have the restricted security on the SQL box to only be accessed by the other machine (you're basically locking everything down). From the product and jargon you are talking I can only presume this is a Windows machine? So you need to get into the user group settings (control panel), and add from the network the machine (which should be auto-detected) admin group into the local admin group - this will tie up the machine into the other's local settings and thus should work.

Although not 100% as "I'm a pain in the ar$e unix engineer :P " haha

Thanks and yes, Windows. How to do it ain't the problem; it's trying to explain why Symantec do things the way they do. Some hope of doing that.
Old 02 August 2011, 02:03 PM
  #7  
simonchapman1986

Originally Posted by markr1963
Thanks and yes, Windows. How to do it ain't the problem; it's trying to explain why Symantec do things the way they do. Some hope of doing that.

Well, it's a pretty secure setup, which is what you want in this instance. In any application (of great importance) the DB will sit on a separate box within the same subnet as the application; this allows for not only a greater load balance but obviously if one box was intruded they would still have to figure out how to get into the other. Now obviously you know it would be a straight connection to the other from that machine, but they don't even know it exists yet and would have to do a TCP sweep and perform DDoS to find the concurrent connections where SQL data is being sent and received, then they would have to get in, then crack the SQL administration. All of which takes a fair bit of time and should have been traced and denied by then. I'm certain, however, you would not have had to set it up this way; surely you could have set up the SQL on the machine on which the application sits and do a direct localhost connection? Even if it doesn't seem able, surely it would still be possible; this way you wouldn't even have to worry about setting up the security rules for users to access as you are already there! Back when I was doing Windows network administration I used AVG; the entirety of the application sat on the main Windows server database as well. Was bloody good, although often had issues with cross OSes.

And yes, 1st line engineers will only be able to tell you how to reboot your machine; this really is a job for an onsite engineer, this being you lol! But then generally someone who would be setting this sort of thing up should know the lot and no doubt be an MCSE or MCSA.
Old 02 August 2011, 07:54 PM
  #8  
HHxx

I would also ask the same question of why the computer account requires administrator rights on the SQL server.

It is not really secure: if the app server is compromised, it can have full admin rights to your SQL server and so could anyone connected to the app server.

You will have to get Symantec to tell you why it is required. Granting full access doesn't cut it with me, only grant what is required and no more.

If your SQL server is shared, the other hosted DBs will not be secure.

Can the app utilise a different SQL server? Say Oracle/MySQL on a Unix type OS? If there is no other OS/DB option, I can only presume that the app must install/access/control things running on SQL as well as the OS. If this is the case and you really want to use this product, you are going to have to use dedicated servers to host this application.
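
Added example (not part of the original thread, and not Symantec's documented procedure): T-SQL a DBA could run on the SQL box to see what local-admin membership actually grants inside SQL Server, next to a scoped grant for the application server's computer account. The names `CONTOSO\SDAPP01$` and `ServiceDeskDB`, and the two database roles chosen, are assumptions; the thread does not say which permissions the product really needs.

```sql
-- Constructed placeholder names (assumptions, not from the thread):
--   CONTOSO\SDAPP01$  = computer account of the ServiceDesk application server
--   ServiceDeskDB     = the application's database

-- 1. List every principal that holds sysadmin on this instance.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Does Windows local-admin membership translate into SQL rights here?
--    A row with is_sysadmin = 1 means any member of the local Administrators
--    group, including a computer account added to it, is a SQL sysadmin.
SELECT name, type_desc, is_disabled,
       IS_SRVROLEMEMBER(N'sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';
GO

-- 3. Scoped alternative: a login for the computer account only, limited to
--    one database. The roles below are an assumed starting point to test with.
CREATE LOGIN [CONTOSO\SDAPP01$] FROM WINDOWS
    WITH DEFAULT_DATABASE = [ServiceDeskDB];
GO
USE [ServiceDeskDB];
GO
CREATE USER [CONTOSO\SDAPP01$] FOR LOGIN [CONTOSO\SDAPP01$];
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; on older versions use
-- EXEC sp_addrolemember instead.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\SDAPP01$];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\SDAPP01$];
GO

-- 4. Confirm what the account can really do at server and database level.
EXECUTE AS LOGIN = N'CONTOSO\SDAPP01$';
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER');
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Steps 1 and 2 are read-only; steps 3 and 4 change and test permissions, so run them against a test instance first.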