January 24, 2007 at 12:23 am
Hi All
Does anybody know what the "NT AUTHORITY\SYSTEM" account created during a SQL Server 2005 installation is used for?
Does this account pose a security risk, and can it be removed safely?
Regards
Stevo
January 25, 2007 at 2:20 am
I think this is related to using NT Authentication instead of SQL Authentication when signing into SQL. Experimentation on a TEST box would clarify same.
January 25, 2007 at 5:13 am
This is a built-in account. Explanation from BOL
"Local System account. The name of this account is NT AUTHORITY\System. It is a powerful account that has unrestricted access to all local system resources. It is a member of the Windows Administrators group on the local computer, and is therefore a member of the SQL Server sysadmin fixed server role "
I think it is clear enough...
January 25, 2007 at 8:10 am
I understand that it is a very powerful account, but would still like to know why this account is created during the install? Has anybody experimented with removing this account? It seems as if it is similar to the “Builtin\administrator” account, and if this is the case do the same security concerns apply?
January 25, 2007 at 8:17 am
Have a look in the services console, you will see how many services are running under the local system account. Probably you don't want to remove this account afterward ;-))
Regards,
Moreno
January 25, 2007 at 8:56 am
To clarify, I am considering removing the account from SQL Server 2005 and not from Windows.
January 30, 2007 at 7:10 pm
What the previous poster is saying is if you have this account in SQL Server everything in SQL Server was installed using that account so you have to plan and create accounts to run all services including SQL Server service, SQL Server Agent, SQL Server Integration Services, Reporting Services, Microsoft Search Service and Analysis Service, some of the above need admin level domain accounts or all your applications will start failing. Hope this helps.
Kind regards,
Gift Peddie
January 30, 2007 at 8:04 pm
Before removing this account, verify that the following are not true (you can do all through services.msc or the Configuration Manager):
If, when you did your SQL Server installation, you didn't specify a user account to use for the services, the installation defaulted to localsystem. Localsystem = NT Authority\System = the System account for the operating system.
SQL Server is going to explicitly add accounts for the services even if they would be covered by BUILTIN\Administrators. This behavior is unchanged from SQL Server 2000.
K. Brian Kelley
@kbriankelley
January 30, 2007 at 11:28 pm
I did specify a domain account for all the services when I did the install.
I had a look in the Configuration Manager and the only service using the "NT Authority\NetworkService" account is SQL Server Integration Services. I don't remember being able to select an account for this service when I did the install so I assume that by default SQL uses the NT Authority account and adds it into SQL Server.
Will try the next install without SSIS and see if it still adds the account into SQL.
Will also try to change the account used by SSIS and try removing the "NT Authority\System" account from SQL.
Thanks for all your feedback so far. 😉
January 30, 2007 at 11:42 pm
For SSIS you can use a domain account without any problem. Just change it after the installation has completed.
Moreno
April 9, 2008 at 9:52 am
It is best practice to set up all the SQL Server services to run under dedicated domain or local accounts. These should not be Local Admins in Windows but should be sysadmins in SQL Server.
You should create a login in SQL Server for your Database Administrators domain group and add this to the sysadmin role. Once you have verified that you can log in with an account in this group, it is safe (and best practice) to remove the logins for BUILTIN\Administrators and NT AUTHORITY\Local System.
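The procedure in the post above, as an added T-SQL example that is not part of the original thread: it lists the current sysadmin members, provisions a DBA group login, and drops BUILTIN\Administrators only once that group is confirmed in sysadmin. The group name CONTOSO\SQL-DBAs is a placeholder assumption, and the syntax targets SQL Server 2005.

```sql
-- Added example. CONTOSO\SQL-DBAs is a placeholder; substitute your own DBA group.

-- 1. Audit: every login that currently holds sysadmin, with its type.
--    Expect to see BUILTIN\Administrators, NT AUTHORITY\SYSTEM and any
--    service accounts that setup added explicitly.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Provision the DBA group as a Windows login and add it to sysadmin.
--    sp_addsrvrolemember is the SQL Server 2005 way to add a role member.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SQL-DBAs')
    CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;

EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs',
                         @rolename = N'sysadmin';

-- 3. Verify BEFORE removing anything. Open a NEW connection as a member of
--    the DBA group (not as a local administrator) and run:
--      SELECT SUSER_SNAME() AS connected_as,
--             IS_SRVROLEMEMBER(N'sysadmin') AS is_sysadmin;  -- must return 1

-- 4. Drop BUILTIN\Administrators only if the DBA group really is in sysadmin,
--    so a failed step 2 cannot lock every administrator out of the instance.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND p.name = N'CONTOSO\SQL-DBAs')
   AND EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'BUILTIN\Administrators')
BEGIN
    DROP LOGIN [BUILTIN\Administrators];
END

-- NT AUTHORITY\SYSTEM is deliberately left untouched here: first check in
-- services.msc / Configuration Manager which services still run as Local System.
```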
February 13, 2009 at 12:33 am
The NT AUTHORITY\SYSTEM account is also granted a SQL Server login. The NT AUTHORITY\SYSTEM account is provisioned in the SYSADMIN fixed server role. Do not delete this account or remove it from the SYSADMIN fixed server role. The NTAUTHORITY\SYSTEM account is used by Microsoft Update and by Microsoft SMS to apply service packs and hotfixes to a SQL Server 2005 installation. The NTAUTHORITY\SYSTEM account is also used by the SQL Writer Service.
http://support.microsoft.com/kb/932881
CU
tosc