August 7, 2012 at 4:37 pm
Hi Experts,
I got a request for creating 5 service accounts for sql servre
Question 1) these accounts shoulb be AD accounts,am i right?
Question 2) Creating Service accounts is job of DBA? I think it should be done by systems/network team(plz clarify)
Question 3) These same 5 accounts will be used in dev and future prod box, condition is that service accounts password should be different in DEV and QA, how can i fulfill this?
August 7, 2012 at 10:50 pm
Sqlism (8/7/2012)
Question 1) these accounts shoulb be AD accounts,am i right?
Question 2) Creating Service accounts is job of DBA? I think it should be done by systems/network team(plz clarify)
Question 3) These same 5 accounts will be used in dev and future prod box, condition is that service accounts password should be different in DEV and QA, how can i fulfill this?
#1 - It depends on how things are set up at your company, but I would recommend AD accounts, configured as ones that cannot be locked out. Another note, these accounts should not be granted logon to the server/workstation.
#2 - The DBA/team can request the creation of AD accounts, but in my experience it's the System/Network team. However if the system/network team is going to allow you to do it and grant you access to do so, I'd be tickled...
#3 - ??? How can you fulfill it? Can't you just ask them to make the account passwords different ???
______________________________________________________________________________Never argue with an idiot; Theyll drag you down to their level and beat you with experience
August 8, 2012 at 2:52 pm
Thank you so much for the help!
August 8, 2012 at 2:57 pm
You're very welcome, best of luck with it :hehe:
______________________________________________________________________________Never argue with an idiot; Theyll drag you down to their level and beat you with experience
August 9, 2012 at 2:05 pm
Don't forget to make sure to set Group Policy up for these accounts as you see fit, and if need be, set up Proxy accounts also.
Personally, I tend to make sure they're on the lists for:
Act as part of the operating system
Adjust memory quotas for a process
Bypass traverse checking
Lock pages in memory
Log on as a service
Perform volume maintenance tasks
Replace a process level token
Some of the above were from working with proxy users, as well, and may not be required for you. I understand there is some debate about Lock pages in memory, as well.
Note that one account gets one and only one password - use a different account username for Prod than you do for QA as you do for Dev.
For passwords, they're service accounts, set and forget, so make them insanely long, complex and random, then copy/paste them in.
I disagree about disabling account lockout - I'd rather have the security in case some tries a dictionary, hybrid rules based dictionary, or even pure brute force attack. If you can manage to keep the username/passwords secret, and only use one per machine/environment, then you shouldn't have much to worry about them being locked out by other employees.
As mentioned above turn off the "log on as a user" right, and definitely don't make them domain admins or local admins, so they're not as useful to a hacker, and not as tempting to other employees to use as shortcuts.
August 9, 2012 at 2:24 pm
+1 Nadrek
______________________________________________________________________________Never argue with an idiot; Theyll drag you down to their level and beat you with experience
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply