SSC-Enthusiastic
      
Hi, it is nice to know that "you are not alone". I too believe in the separate service account per instance, although your "do not store the password and change it when needed" seems to be a bit extreme.
SSC Rookie
      
I really like that idea and I will pass it on to our DBAs and admins.
SSC Eights!
      
I will admit that I do not have very many instances under my control, but I very much agree with separate accounts and not storing the password. The administrative time spent on password resets, etc. I do not think is too much. The administrative time spent on resetting users' forgotten passwords is acceptable, so why wouldn't this be?
Grasshopper
      
I think at the least there should be a separate account for SQL, thereby separating the SQL DB from system admin. If separate instances are managed by different people, then there should also be separate accounts for each.
Ten Centuries
      
We have the same account to run SQL Server for all production and a separate ID for non-production. I was going to have a new account created and used for SQL2012 and continue that with a new account for each new version of SQL Server....
SSCommitted
      
When I started here the same account was used for all servers and services. All new servers get new accounts created though and we're working on changing the account on old servers. We do use the same account for all services on a box.
The only reason it's a pain to do it this way is the IS Security team is so far behind that it can take a couple weeks to get a new service account created. But it's worth it knowing that if one account gets compromised or locked out that it's not going to affect over 150 servers in our hospital system.
Forum Newbie
      
The whole strategy makes implementing Kerberos in your environment a little tougher.
SSC-Enthusiastic
      
If the password of a SQL service account is THAT important to your company's defense of its data then you are already inside a hurt locker if you ask me, but I do know we'd have to change our SOX/SAS/PCI/GSA account documentation to even think about doing this, and it would result in god only knows how many issues since we have automated the security model around a 90 day change of service accounts, instance spawning automation and self-service account management for our clients... I guess for a small shop with under 100 servers this might be a no-brainer, but with VM the days of counting servers on two hands are gone...
Forum Newbie
      
We used to have one service account for all instances, but decided a while ago that was a risky strategy. We are now moving to one account per instance, or per pair of instances where we are mirroring databases. Our Windows Ops team have given us management of an AD group to create these accounts into. We do store the passwords for these service accounts, but that's more out of habit than for any specific reason.