Why can NT AUTHORITY\SYSTEM create SQL Server database backups?
Solution 1:
The minimum permissions to back up a database are PUBLIC
at the server level and DB_BACKUPOPERATOR
at a database level.
In SQL Server 2005, Microsoft recommended against removing NT AUTHORITY\SYSTEM
from the sysadmin role:
The NT AUTHORITY\SYSTEM account is also granted a SQL Server login. The NT AUTHORITY\SYSTEM account is provisioned in the SYSADMIN fixed server role. Do not delete this account or remove it from the SYSADMIN fixed server role. The NT AUTHORITY\SYSTEM account is used by Microsoft Update and by Microsoft SMS to apply service packs and hotfixes to a SQL Server 2005 installation. The NT AUTHORITY\SYSTEM account is also used by the SQL Writer Service.
This is no longer the case in 2012. I double-checked on my own instance of 2012 Express: NT AUTHORITY\SYSTEM
is not a sysadmin. However, the SQL Service VSS Writer
is running as NT AUTHORITY\SYSTEM
and is a sysadmin.
I'm not able to find any links backing up that this is why NT AUTHORITY\SYSTEM
is allowed to back up databases, but I believe that's the case.