Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 12»»

local system account for sql server service Expand / Collapse
Author
Message
Posted Monday, December 1, 2008 12:57 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Tuesday, November 23, 2010 11:36 PM
Points: 305, Visits: 888
Hi Folks,

what are the ramifications of using the local system account for the sql server service?
Post #611063
Posted Tuesday, December 2, 2008 3:36 AM
SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 1:01 PM
Points: 5,872, Visits: 12,974
main effect is that SQL can not perform any actions that require network connectivity, e.g. access shares on other servers, backup across the network, logshipping or mirroring would not work if you required those options.

Also local admin is more access at the the server level than SQL really requires so there is an enhanced security risk.


---------------------------------------------------------------------

Post #611929
Posted Tuesday, December 2, 2008 8:11 AM


Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Thursday, September 25, 2014 9:07 AM
Points: 774, Visits: 1,191
Local System is pretty minimal, safe for a local SQL instance
If you need Network-features such as back up to UNC, talk to other servers etc... use a domain account if you can


You don't need Local Admin


This is for SQL 2005 Express, but applicable as well
http://msdn.microsoft.com/en-us/library/ms143170(SQL.90).aspx

Use the built-in System account


You can assign Local System, Network Service, or Local Service to the logon for the configurable SQL Server services.

Local System account


The Local System option specifies a local system account that does not require a password to connect to SQL Server on the same computer. However, the local system account might restrict the SQL Server installation from interacting with other servers, depending on the privileges granted to the account.
Important:
Local System is a powerful account. It might not be appropriate for all service settings. For more information, see "Security Considerations for a SQL Server Installation." in SQL Server 2005 Books Online.

Network Service account


The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.
Important:
We recommend that you do not use the Network Service account for the SQL Server. Local User or Domain User accounts are more appropriate for these SQL Server services.

Local Service account


The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. For more information on service accounts, see Setting Up Windows Service Accounts in SQL Server 2005 Books Online.


SQLServerNewbie

MCITP: Database Administrator SQL Server 2005
Post #612092
Posted Tuesday, December 2, 2008 4:03 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Tuesday, November 23, 2010 11:36 PM
Points: 305, Visits: 888
I think you can use mirroring if you use certificates

http://msdn.microsoft.com/en-us/library/ms191477.aspx
Post #612459
Posted Monday, March 2, 2009 1:07 PM
Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Saturday, April 3, 2010 2:42 PM
Points: 1,023, Visits: 1,893
I am trying to change local account to windows account as service ac for sql server but when i change login as from services>SQL Server Service > properties its net getting started after restarting.
do i need to change anything else ofr the newly created windows account.


thanks
Post #666847
Posted Monday, March 2, 2009 1:22 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Today @ 8:41 PM
Points: 31,080, Visits: 15,525
Change this in Configuration manager, not control panel, and you should be fine.






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #666854
Posted Monday, March 2, 2009 1:42 PM
Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Saturday, April 3, 2010 2:42 PM
Points: 1,023, Visits: 1,893
yeah it worked. can u let me know what is the diffrence.
thanks
Post #666875
Posted Monday, March 2, 2009 2:35 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Today @ 8:41 PM
Points: 31,080, Visits: 15,525
I don't have the list handy, but Configuration Manager grants the rights needed (folders/files/user rights) for the service account.






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #666914
Posted Thursday, March 5, 2009 3:34 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 11:00 AM
Points: 2,361, Visits: 6,745
Along with what steve said, I would also add that some registery entries wont be done properly if you use services to change the account.

-Roy
Post #669042
Posted Thursday, March 5, 2009 10:51 AM


Keeper of the Duck

Keeper of the Duck

Group: Moderators
Last Login: Friday, September 26, 2014 7:52 AM
Points: 6,624, Visits: 1,873
I know I'm coming in late on this, but the preference is not to use the local System account. It's not a minimal account (that's Local Service). It has all the rights of an administrator-level account + some (there are rights granted to System, such implicitly that are not normally granted to members of the local Administrators group). If you have the option, create a new local account with a strong password and use that, instead.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #669439
« Prev Topic | Next Topic »

Add to briefcase 12»»

Permissions Expand / Collapse