Solved

Why install SQL binaries on another drive

Posted on 2013-05-10
5
509 Views
Last Modified: 2013-05-10
I know it's best practices to install SQL binaries on a non-system drive, but (the ugly truth), I don't know why. A client asked me and I'm er, uh...just because....

So why should SQL binaries be installed on a drive other than the OS as best practices? Google isn't giving up much.
0
Comment
Question by:barnesco
5 Comments
 
LVL 8

Expert Comment

by:didnthaveaname
ID: 39155481
I'm not going to lie - I always install the binaries on the system drive.  I believe the TempDB (all system DBs, for that matter) installs wherever the DBE is installed by default, which can be problematic if it expands to a point where it brings your drive down.  Beyond the concern that OS I/O causing disk contention that would impact SQL disk throughput, and the previously mentioned reason, I can't think of anything else.  Data and log files go on there own separate drives, definitely.
0
 
LVL 18

Accepted Solution

by:
Cluskitt earned 250 total points
ID: 39155511
One of the reasons is probably because the system drive is being read lots of times for the normal OS functioning. Having the DB on the same drive will cause SQL to compete for IO bandwidth with the OS (which has a higher priority), causing SQL related operations to lag on occasion.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39155641
The primary reason is security.  If a vulnerability exists in your code (inadequate input validation) an attacker could exploit that condition via SQL injection and use path traversal to run local processes (such as the command interpreter in Windows), for example.  If your installing these binaries on your OS drive, an attacker needs only fingerprint your OS (IIS headers are revealing) to infer your OS paths and binaries... for example: ..\..\..\..\..\..\..\..\windows\system32\cmd.exe /c echo 0wned by G>>c:\apache\htdocs\index.php

Clearly this attack above couldn't be done if the process was running from another drive (X:), as the Windows directory won't exist off the root of X:, nor will the command interpreter.

An additional layer of security would be to explicitly deny all access to your OS binaries (execute, append, delete, etc.) from the restricted accounts used to run your webserver, interpreter, and SQL server processes.  You are using restricted accounts to run these processes, right? :-)

See http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf
0
 

Author Closing Comment

by:barnesco
ID: 39155911
The two answers above make perfect sense. Thanks.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 39155943
It might be a technicality, but I think the correct answer should be awarded to x66_x72_x65_x65 and mine should be only an assist. I feel his/hers is more accurate.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question