Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Service acounts for SQL Server Expand / Collapse
Author
Message
Posted Tuesday, August 07, 2012 4:37 PM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Today @ 1:24 PM
Points: 227, Visits: 949
Hi Experts,

I got a request for creating 5 service accounts for sql servre


Question 1) these accounts shoulb be AD accounts,am i right?
Question 2) Creating Service accounts is job of DBA? I think it should be done by systems/network team(plz clarify)
Question 3) These same 5 accounts will be used in dev and future prod box, condition is that service accounts password should be different in DEV and QA, how can i fulfill this?
Post #1341599
Posted Tuesday, August 07, 2012 10:50 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Monday, March 31, 2014 2:22 PM
Points: 3,731, Visits: 7,067
Sqlism (8/7/2012)
Question 1) these accounts shoulb be AD accounts,am i right?
Question 2) Creating Service accounts is job of DBA? I think it should be done by systems/network team(plz clarify)
Question 3) These same 5 accounts will be used in dev and future prod box, condition is that service accounts password should be different in DEV and QA, how can i fulfill this?

#1 - It depends on how things are set up at your company, but I would recommend AD accounts, configured as ones that cannot be locked out. Another note, these accounts should not be granted logon to the server/workstation.

#2 - The DBA/team can request the creation of AD accounts, but in my experience it's the System/Network team. However if the system/network team is going to allow you to do it and grant you access to do so, I'd be tickled...

#3 - ??? How can you fulfill it? Can't you just ask them to make the account passwords different ???


______________________________________________________________________________
"Never argue with an idiot; They'll drag you down to their level and beat you with experience"
Post #1341670
Posted Wednesday, August 08, 2012 2:52 PM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Today @ 1:24 PM
Points: 227, Visits: 949
Thank you so much for the help!
Post #1342235
Posted Wednesday, August 08, 2012 2:57 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Monday, March 31, 2014 2:22 PM
Points: 3,731, Visits: 7,067
You're very welcome, best of luck with it

______________________________________________________________________________
"Never argue with an idiot; They'll drag you down to their level and beat you with experience"
Post #1342247
Posted Thursday, August 09, 2012 2:05 PM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Yesterday @ 8:46 AM
Points: 845, Visits: 2,331
Don't forget to make sure to set Group Policy up for these accounts as you see fit, and if need be, set up Proxy accounts also.

Personally, I tend to make sure they're on the lists for:
Act as part of the operating system
Adjust memory quotas for a process
Bypass traverse checking
Lock pages in memory
Log on as a service
Perform volume maintenance tasks
Replace a process level token

Some of the above were from working with proxy users, as well, and may not be required for you. I understand there is some debate about Lock pages in memory, as well.

Note that one account gets one and only one password - use a different account username for Prod than you do for QA as you do for Dev.

For passwords, they're service accounts, set and forget, so make them insanely long, complex and random, then copy/paste them in.

I disagree about disabling account lockout - I'd rather have the security in case some tries a dictionary, hybrid rules based dictionary, or even pure brute force attack. If you can manage to keep the username/passwords secret, and only use one per machine/environment, then you shouldn't have much to worry about them being locked out by other employees.

As mentioned above turn off the "log on as a user" right, and definitely don't make them domain admins or local admins, so they're not as useful to a hacker, and not as tempting to other employees to use as shortcuts.
Post #1342996
Posted Thursday, August 09, 2012 2:24 PM


Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Monday, March 31, 2014 2:22 PM
Points: 3,731, Visits: 7,067
+1 Nadrek

______________________________________________________________________________
"Never argue with an idiot; They'll drag you down to their level and beat you with experience"
Post #1343020
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse