• Thanks for your reply.

    Having thought about it some more, I guess that separating the boxes makes the SQL Server machine less susceptible to *automated* attacks (simply because there would be many different potential configurations to attack). This is undoubtedly a very good thing.

    I think you won me over by generalising that as the webserver is open to the public - on purpose - it will be attacked constantly and there is no need to make it any easier for someone to get to your database if they are successful. However, if the *whole* system isn't secured, I reckon it's just an inconvenience for the determined hacker to leap between the two machines. So I humbly concede the security benefits of the 2 box architecture, with the reservation that the administrator needs to be aware that the physical separation alone does not guarantee the SQL Server box will be unaffected by IIS exploits - the SQL server box should still be locked down as tight as possible. (and the IIS too 🙂 )

    >> My understanding is that the SQL Server service HAS to run with administrative privileges of the machine on which it is installed?

    According to MS, this is true only under certain conditions (and then just for SQL Server Agent) - see point number 6 at:

    http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

    Anyone else have a different experience / problems when not run as Administrator?