Old Hand
      
Hi Folks,
What are the ramifications of using the local system account for the SQL Server service?
SSCertifiable
       
The main effect is that SQL cannot perform any actions that require network connectivity, e.g. accessing shares on other servers or backing up across the network; log shipping or mirroring would not work if you required those options.
Also, local admin is more access at the server level than SQL really requires, so there is an enhanced security risk.
Right there with Babe
      
Local System is pretty minimal, safe for a local SQL instance. If you need network features such as backing up to UNC, talking to other servers, etc., use a domain account if you can.
You don't need Local Admin.
This is for SQL 2005 Express, but applicable as well: http://msdn.microsoft.com/en-us/library/ms143170(SQL.90).aspx
Use the built-in System account
You can assign Local System, Network Service, or Local Service to the logon for the configurable SQL Server services.
Local System account
The Local System option specifies a local system account that does not require a password to connect to SQL Server on the same computer. However, the local system account might restrict the SQL Server installation from interacting with other servers, depending on the privileges granted to the account. Important: Local System is a powerful account. It might not be appropriate for all service settings. For more information, see "Security Considerations for a SQL Server Installation." in SQL Server 2005 Books Online.
Network Service account
The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account. Important: We recommend that you do not use the Network Service account for the SQL Server. Local User or Domain User accounts are more appropriate for these SQL Server services.
Local Service account
The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. For more information on service accounts, see Setting Up Windows Service Accounts in SQL Server 2005 Books Online.
SQLServerNewbie
MCITP: Database Administrator SQL Server 2005
Old Hand
      
I think you can use mirroring if you use certificates
http://msdn.microsoft.com/en-us/library/ms191477.aspx
Ten Centuries
      
I am trying to change the local account to a Windows account as the service account for SQL Server, but when I change "login as" from Services > SQL Server Service > Properties, it's not getting started after restarting. Do I need to change anything else for the newly created Windows account?
Thanks
SSC-Dedicated
           
Ten Centuries
      
Yeah, it worked. Can you let me know what the difference is? Thanks.
SSC-Dedicated
           
Hall of Fame
       
Along with what Steve said, I would also add that some registry entries won't be done properly if you use Services to change the account.
-Roy
Keeper of the Duck
I know I'm coming in late on this, but the preference is not to use the local System account. It's not a minimal account (that's Local Service). It has all the rights of an administrator-level account + some (there are rights granted to System, such implicitly that are not normally granted to members of the local Administrators group). If you have the option, create a new local account with a strong password and use that, instead.
K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Professional Development blog | Technical Blog | LinkedIn | Twitter
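
An added example, not posted by anyone in this thread: a PowerShell check that lists the SQL Server engine and Agent services on the local machine and classifies each logon account along the lines discussed above. The function name Get-ServiceAccountClass and the note texts are made up for this illustration; the service-name patterns assume default and named instances, and the virtual-account class is not covered in the thread.

```powershell
# Added example (not from the thread). Get-ServiceAccountClass is a hypothetical helper.
function Get-ServiceAccountClass {
    param([string]$StartName)

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    $name = $StartName.Trim()

    # switch -Regex is case-insensitive by default.
    switch -Regex ($name) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { return 'LocalSystem' }
        '^NT AUTHORITY\\Network\s?Service$'    { return 'NetworkService' }
        '^NT AUTHORITY\\Local\s?Service$'      { return 'LocalService' }
        '^NT SERVICE\\'                        { return 'VirtualAccount' }
        default {
            # ".\user" or "COMPUTER\user" is a local account; anything else is
            # treated as a domain account (DOMAIN\user or user@domain).
            $prefix = ($name -split '\\')[0]
            if ($prefix -eq '.' -or $prefix -eq $env:COMPUTERNAME) { return 'LocalUser' }
            return 'DomainUser'
        }
    }
}

# Notes paraphrase the points made in the thread and the quoted MSDN text.
$notes = @{
    LocalSystem    = 'Powerful: administrator-level rights and more. Prefer a dedicated account.'
    NetworkService = 'Uses the computer account on the network. Quoted MSDN text advises against it for SQL Server.'
    LocalService   = 'Users-level access; reaches network resources as a null session.'
    VirtualAccount = 'Per-service virtual account (not covered in this thread).'
    LocalUser      = 'Dedicated local account; needs a strong password.'
    DomainUser     = 'Domain account; suited to network features such as UNC backups.'
    Unknown        = 'No logon account reported.'
}

# Default instance: MSSQLSERVER / SQLSERVERAGENT. Named: MSSQL$<name> / SQLAgent$<name>.
$filter = 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%" OR ' +
          'Name = "SQLSERVERAGENT" OR Name LIKE "SQLAgent$%"'

Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    $class = Get-ServiceAccountClass $_.StartName
    [pscustomobject]@{
        Service = $_.Name
        State   = $_.State
        Account = $_.StartName
        Class   = $class
        Note    = $notes[$class]
    }
} | Format-Table -AutoSize -Wrap
```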