Secure the Snapshot Folder
Applies To: SQL Server 2016
The snapshot folder is a directory that stores snapshot files; it is recommended that you dedicate the directory for snapshot storage. Grant the Snapshot Agent write permission to the folder, and ensure that read permission is granted only to the Windows account that the Merge Agent or Distribution agent uses when accessing the folder. The Windows account associated with the agent must be a domain account to access a snapshot folder that is located on a remote computer.
When configuring a Distributor through the Configure Distribution Wizard or the New Publication Wizard, the snapshot folder defaults to a local path: X:\Program Files\Microsoft SQL Server\<instance>\MSSQL\ReplData. If you are using a remote Distributor or pull subscriptions, you must specify a UNC network share (such as \\<computername>\snapshot) rather than a local path.
When granting permissions to access the snapshot folder, you must grant them according to the way in which the folder is accessed. The following dialog box tabs are used in Microsoft Windows 2003:
If you specify a local path, grant permissions through the Security tab of the Properties dialog box for the folder.
If you specify a network share, grant permissions through the Sharing tab of the Properties dialog box for the folder.
If the replication agent runs on the Distributor, use the Security tab of the Properties dialog box for the folder to grant permissions to the Windows account used to run the agent. Do this even when a network share is used. This applies to the Merge Agent and Distribution Agent for a push subscription and to the Snapshot Agent when the Publisher and Distributor are on the same computer.
For more information about setting permissions for local paths and network shares, see the Windows documentation.
It is recommended as a security best practice that snapshots be stored in a UNC share, but snapshots can be stored in an FTP share and then delivered to a Subscriber through FTP. When configuring the FTP server, ensure that the virtual directory exposes an underlying UNC share that permits write access by the Snapshot Agent for the publication.
To configure a Subscriber to retrieve the Snapshot via FTP, first set up an FTP server with an FTP login and password that allows Subscribers read (or "get") access to allow the snapshot files to be downloaded.
To deliver snapshots through FTP, see Deliver a Snapshot Through FTP.
For information about setting and changing the password for access to snapshots through FTP, see the section "FTP Snapshot Delivery" in the topic Secure the Publisher.