SERVICE AUTHORIZATION IN SQL BACKUP MASTER

Starting with version 8.5, the SQL Backup Master Windows service requires the calling user to be a member of the local Administrators group before it will perform backup-related operations. This article explains why, who needs to read it, and how to configure the new behavior for your environment.

What changed

SQL Backup Master is split into two components: a Windows service that runs as LocalSystem and performs backup work, and one or more client applications (the main UI, the desktop tray notification app, and PowerShell cmdlets) that talk to the service over a local named pipe. In earlier versions, any authenticated local user could call any operation on that pipe. That included operations that modify backup jobs – and because backup jobs can run custom pre- and post-backup PowerShell or batch scripts as LocalSystem, this represented a local privilege escalation path on shared machines.

The service now enforces an authorization check on every operation. By default, only members of the local BUILTIN\Administrators group are permitted to invoke service operations. On domain-joined machines, members of DOMAIN\Domain Admins are also permitted, because that group is nested into the local Administrators group by default Active Directory policy when the machine joins the domain.

Who needs to read this

You probably need to take action if any of the following applies to your installation:

  • The SQL Backup Master desktop tray notification app is launched at logon under a Windows account that is not a member of the local Administrators group.
  • You run the SQL Backup Master PowerShell cmdlets in scheduled tasks or scripts under a non-administrator service account.

If your operators log into Windows as administrators (the most common case), no action is required.

Where the settings live

Authorization is configured in the service's App.config file, located in the SQL Backup Master install directory:

C:\Program Files\Key Metric Software\SQL Backup Master\SQLBackupMaster.Service.exe.config

Two keys under <appSettings> control the policy:

<appSettings>
    <add key="ServiceAuthorization.RequireAdmin" value="true" />
    <add key="ServiceAuthorization.AdditionalGroups" value="" />
</appSettings>

Editing this file requires administrator rights (because the install directory is under %ProgramFiles%), and changes only take effect after restarting the SQL Backup Master Windows service.

Option 1 (recommended): Run client tools as administrator

For most installations, the simplest and most secure choice is to ensure the SQL Backup Master client applications run under an administrator identity:

  • The SQL Backup Master installer creates the main UI's desktop and Start Menu shortcuts with the Run as administrator property set. Launching the UI from either shortcut will trigger a single UAC elevation prompt and run the rest of the session elevated – no manual action required.
  • The tray notification app, if launched at user logon, should be launched under an account that's a member of Administrators. If you run it under a dedicated non-admin operator account today, consider whether that account can be added to Administrators, or use Option 2 below.
  • PowerShell cmdlet invocations should run in elevated PowerShell sessions or as scheduled tasks configured with the Run with highest privileges option set.

No configuration changes are required for this option. Leave both settings at their defaults.

Option 2: Authorize a specific Windows group

If you have an established Windows group for backup operators – either the built-in Backup Operators group, or a custom domain group such as CONTOSO\SQL Backup Admins – you can grant that group access without making its members full Administrators.

Add the group name to the AdditionalGroups setting:

<add key="ServiceAuthorization.AdditionalGroups" value="BUILTIN\Backup Operators" />

Multiple groups can be listed, separated by semicolons:

<add key="ServiceAuthorization.AdditionalGroups" value="BUILTIN\Backup Operators;CONTOSO\SQL Backup Admins" />

Group names must include their scope prefix (BUILTIN\, NT AUTHORITY\, or YOURDOMAIN\). Local groups created on the SQL Backup Master host itself use the machine name as the prefix – for example, SBM-HOST\SqlBackupOps.

Restart the SQL Backup Master service after editing the file. Members of the named group will then be permitted to invoke service operations alongside members of Administrators.

Note on what this grants. Members of any listed group can trigger backup jobs, which means they indirectly cause the service's pre- and post-backup scripts to run as LocalSystem. They cannot, however, modify the scripts themselves – those operations remain Administrator-only by design. Choose groups whose members you trust to legitimately run backup jobs at the times of their choosing.
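The following PowerShell script is an added example, not part of SQL Backup Master or its documentation. It validates the scope-prefixed group names described above (and resolves each to a SID so a typo is caught before the service restart), writes them to the AdditionalGroups key in the config file from this article, and restarts the service. It assumes the config path shown earlier, that the service's display name begins with "SQL Backup Master", and an elevated PowerShell session, since the install directory is under %ProgramFiles%.

```powershell
# Added example; not SQL Backup Master's own code. Run from an elevated session.
# Assumptions: config path from the article; service display name starts with 'SQL Backup Master'.
$ConfigPath = 'C:\Program Files\Key Metric Software\SQL Backup Master\SQLBackupMaster.Service.exe.config'

function Test-ScopedGroupName {
    param([string]$Name)
    # The service only matches names with a scope prefix (BUILTIN\, NT AUTHORITY\, DOMAIN\, MACHINE\).
    if ($Name -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Warning "'$Name' has no scope prefix; the service will not match it."
        return $false
    }
    try {
        # Resolve to a SID: an unresolvable name would silently grant nobody access.
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
        Write-Verbose "$Name resolves to $($sid.Value)"
        return $true
    } catch {
        Write-Warning "'$Name' does not resolve on this host: $($_.Exception.Message)"
        return $false
    }
}

function Set-SbmAdditionalGroups {
    param([string[]]$Groups)
    $bad = @($Groups | Where-Object { -not (Test-ScopedGroupName $_) })
    if ($bad.Count -gt 0) { throw 'Refusing to write config; fix the group names reported above.' }

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $cfg.configuration.appSettings.add |
        Where-Object { $_.key -eq 'ServiceAuthorization.AdditionalGroups' }
    if (-not $node) { throw 'ServiceAuthorization.AdditionalGroups key not found in config.' }

    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy
    $node.value = ($Groups -join ';')   # semicolon-separated list, as the article specifies
    $cfg.Save($ConfigPath)

    # Edits take effect only after the service restarts.
    Get-Service -DisplayName 'SQL Backup Master*' | Restart-Service -Verbose
}

# Domain groups such as CONTOSO\SQL Backup Admins are validated the same way;
# BUILTIN\Backup Operators is used here so the example runs on a workgroup host too.
Set-SbmAdditionalGroups -Groups 'BUILTIN\Backup Operators'
```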

Option 3 (not recommended): Disable the authorization check

As a last resort – for example, if you operate SQL Backup Master in an environment with strong external access controls and the operational cost of Options 1 and 2 is prohibitive – you can revert to the previous behavior in which any authenticated local user can call any service operation:

<add key="ServiceAuthorization.RequireAdmin" value="false" />

This re-opens the local privilege escalation surface described above. Any local user able to log onto the SQL Backup Master host – including, in default configurations, the Guest account – can configure malicious pre-backup scripts and have them executed as LocalSystem. We recommend this setting only on hosts where every interactive user is already trusted at the same level as LocalSystem, and we recommend pairing it with compensating controls (limited logon access, host firewall, intrusion detection).

When this setting is disabled, the service writes a warning to the Windows Event Log on every startup so that the change remains visible to administrators reviewing the host.

Launching the main UI as a non-administrator under this option. The SQL Backup Master installer configures the desktop and Start Menu shortcuts to launch the main UI elevated by default. With RequireAdmin set to false, the service itself will accept calls from any authenticated user – but the standard shortcuts will still trigger a UAC elevation prompt, which a non-administrator account cannot satisfy. To run the main UI as a non-administrator under this option, either create a new shortcut pointing directly at SQLBackupMaster.exe in the install directory (leaving the Run as administrator property unset), or open the properties of an existing shortcut, click Advanced, and clear the Run as administrator checkbox. The tray notification app and PowerShell cmdlets do not have this constraint – once RequireAdmin is disabled, they will run normally under any logged-on account.

Verifying your configuration

After changing either setting, restart the SQL Backup Master Windows service and review the Windows Event Log (Applications and Services Logs → SQL Backup Master) for entries from the Service Authorization source.

  • If RequireAdmin is disabled, you will see a warning at every service startup explaining that any authenticated user may invoke operations.
  • If a non-authorized caller attempts an operation, you will see a warning describing the caller's identity and the operation that was denied. This is useful for diagnosing tray-app or cmdlet failures after upgrade.

From a non-administrator command prompt, you can quickly verify that a denial occurs by attempting to list backup jobs through the PowerShell cmdlets – the call should fail with a fault indicating that administrator privileges are required.
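The following PowerShell script is an added example, not part of SQL Backup Master, for reviewing the Event Log entries described above after an upgrade. It assumes the log is named "SQL Backup Master" under Applications and Services Logs, that the entries come from the "Service Authorization" source, and that the warning messages contain the phrases matched in the script (the article describes their content but not their exact wording).

```powershell
# Added example; not SQL Backup Master's own code.
# Assumptions: log name 'SQL Backup Master', source 'Service Authorization',
# and the message wording matched below (the article gives content, not exact text).
function Get-SbmAuthorizationWarnings {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'SQL Backup Master'
        ProviderName = 'Service Authorization'
        Level        = 3                        # 3 = Warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

$events = Get-SbmAuthorizationWarnings -Hours 72
if ($events.Count -eq 0) {
    'No Service Authorization warnings in the window.'
} else {
    # A startup warning means RequireAdmin is still false on this host; show the latest one.
    $events | Where-Object { $_.Message -match 'any authenticated user' } |
        Select-Object -First 1 TimeCreated, Message | Format-List

    # Denials name the caller and the operation. Group by caller so a tray app or
    # scheduled task running under the wrong account stands out from one-off attempts.
    $events | Where-Object { $_.Message -match 'denied' } |
        ForEach-Object {
            # Assumed message layout: take the first DOMAIN\user token in the text.
            $caller = if ($_.Message -match '([A-Za-z0-9_.-]+\\[^\s,;]+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{ Time = $_.TimeCreated; Caller = $caller }
        } |
        Group-Object Caller | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

A caller that appears repeatedly at fixed intervals is usually a scheduled task or logon-launched tray app that needs Option 1 or Option 2 applied.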

Returning to defaults

To restore the recommended secure defaults at any time, set the configuration back to:

<appSettings>
    <add key="ServiceAuthorization.RequireAdmin" value="true" />
    <add key="ServiceAuthorization.AdditionalGroups" value="" />
</appSettings>

Restart the SQL Backup Master Windows service for the change to take effect.

Security notes

The default configuration protects against:

  • A non-administrator local user invoking service operations to modify backup jobs, install malicious pre-backup scripts, and obtain code execution as LocalSystem.
  • A non-administrator local user reading sensitive job data – including stored OAuth tokens, destination configurations, and connection strings – through the service's read operations.
  • User-mode malware running under a non-administrator account from using the service as a privilege-escalation primitive.

The default configuration does not protect against:

  • An already-administrator local user. The service trusts administrators to configure backup jobs and scripts; an administrator is, by definition, able to perform actions equivalent to those the service performs.
  • Compromise of the install directory's file permissions. If a non-administrator user has been granted write access to %ProgramFiles%\Key Metric Software\SQL Backup Master\, the authorization check no longer provides any protection, because the configuration and service binaries themselves can be altered.
  • Network-level threats. SQL Backup Master's service endpoint is local-only; this article addresses local authorization. For network-facing concerns (SQL Server connectivity, cloud destination credentials), see the relevant per-feature documentation.
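The following PowerShell script is an added example, not part of SQL Backup Master, that checks for the file-permission weakness noted above: it walks the install directory from this article and reports any Allow ACE granting write, append, attribute-write or delete rights to a principal outside the set normally trusted on %ProgramFiles% content. The trusted list is an assumption; extend it with any administrative group of your own.

```powershell
# Added example; not SQL Backup Master's own code. Run from an elevated session.
# Assumption: install path from the article; $Trusted lists the default %ProgramFiles% writers.
$InstallDir = 'C:\Program Files\Key Metric Software\SQL Backup Master'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Rights that let a principal change what the service loads or executes.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Find-UntrustedWriters {
    param([string]$Path)
    # Include the root and recurse, so a loosened ACL on one script or config file is caught.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Find-UntrustedWriters -Path $InstallDir)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No untrusted write access found under $InstallDir"
}
```

Any row in the output names a principal who could edit SQLBackupMaster.Service.exe.config or the service binaries directly, which is exactly the condition the article says the authorization check cannot defend against.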

Getting help

If after reading this article you're unsure which option fits your environment, or if you're seeing authorization-related warnings in the Event Log that you can't account for, please reach out to SQL Backup Master support with a description of how SQL Backup Master is deployed in your environment (who logs in, which client tools they use, and whether any automation invokes the service). We'll help you pick the right configuration.
