SQLServerCentral is supported by Redgate
Service accounts for SQL Server
SQListic, SSCommitted (1.6K reputation)
Group: General Forum Members
Points: 1578 Visits: 1115
Hi Experts,

I got a request for creating 5 service accounts for SQL Server.

Question 1) These accounts should be AD accounts, am I right?
Question 2) Is creating service accounts the job of the DBA? I think it should be done by the systems/network team (plz clarify).
Question 3) These same 5 accounts will be used in dev and the future prod box; the condition is that service account passwords should be different in DEV and QA. How can I fulfill this?
MyDoggieJessie, SSChampion (12K reputation)
Group: General Forum Members
Points: 12416 Visits: 7444
Sqlism (8/7/2012)
Question 1) These accounts should be AD accounts, am I right?
Question 2) Is creating service accounts the job of the DBA? I think it should be done by the systems/network team (plz clarify).
Question 3) These same 5 accounts will be used in dev and the future prod box; the condition is that service account passwords should be different in DEV and QA. How can I fulfill this?

#1 - It depends on how things are set up at your company, but I would recommend AD accounts, configured as ones that cannot be locked out. Another note, these accounts should not be granted logon to the server/workstation.

#2 - The DBA/team can request the creation of AD accounts, but in my experience it's the System/Network team. However if the system/network team is going to allow you to do it and grant you access to do so, I'd be tickled...

#3 - ??? How can you fulfill it? Can't you just ask them to make the account passwords different ???

______________________________________________________________________________
"Never argue with an idiot; They'll drag you down to their level and beat you with experience" ;-)
SQListic, SSCommitted (1.6K reputation)
Group: General Forum Members
Points: 1578 Visits: 1115
Thank you so much for the help!
MyDoggieJessie, SSChampion (12K reputation)
Group: General Forum Members
Points: 12416 Visits: 7444
You're very welcome, best of luck with it Hehe
Nadrek, SSCarpal Tunnel (4.6K reputation)
Group: General Forum Members
Points: 4590 Visits: 2741
Don't forget to make sure to set Group Policy up for these accounts as you see fit, and if need be, set up Proxy accounts also.

Personally, I tend to make sure they're on the lists for:
Act as part of the operating system
Adjust memory quotas for a process
Bypass traverse checking
Lock pages in memory
Log on as a service
Perform volume maintenance tasks
Replace a process level token

Some of the above were from working with proxy users, as well, and may not be required for you. I understand there is some debate about Lock pages in memory, as well.

Note that one account gets one and only one password - use a different account username for Prod than you do for QA as you do for Dev.

For passwords, they're service accounts, set and forget, so make them insanely long, complex and random, then copy/paste them in.

I disagree about disabling account lockout - I'd rather have the security in case someone tries a dictionary, hybrid rule-based dictionary, or even pure brute force attack. If you can manage to keep the usernames/passwords secret, and only use one per machine/environment, then you shouldn't have much to worry about them being locked out by other employees.

As mentioned above, turn off the "log on as a user" right, and definitely don't make them domain admins or local admins, so they're not as useful to a hacker, and not as tempting to other employees to use as shortcuts.
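As an added example (not code from the thread or from any poster), here is a PowerShell audit that exports the local security policy with secedit and reports, for each named account, which of the user rights in the list above it holds and whether it sits in the local Administrators group. The account names are placeholders you replace with your own.

```powershell
# Added audit script, not from the thread: exports the local security policy with
# secedit and reports which of the user rights listed in the post each named account
# holds, plus whether it is in the local Administrators group. Run elevated on the host.
# ASSUMPTION: the account names are placeholders; replace them with your own.
$Accounts = @('CONTOSO\svc-sql-prod', 'NT SERVICE\MSSQLSERVER')

# Privilege constants behind the display names in the post, plus the two deny rights
$Rights = [ordered]@{
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Adjust memory quotas for a process'  = 'SeIncreaseQuotaPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
    'Lock pages in memory'                = 'SeLockMemoryPrivilege'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Perform volume maintenance tasks'    = 'SeManageVolumePrivilege'
    'Replace a process level token'       = 'SeAssignPrimaryTokenPrivilege'
    'Deny log on locally'                 = 'SeDenyInteractiveLogonRight'
    'Deny log on through Remote Desktop'  = 'SeDenyRemoteInteractiveLogonRight'
}

# secedit writes "SeXxx = *S-1-5-...,*S-1-5-..." lines under [Privilege Rights]
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$held = @{}   # privilege constant -> resolved account names
foreach ($line in Get-Content $inf) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $names = foreach ($id in $matches[2].Split(',')) {
        $id = $id.Trim()
        if (-not $id.StartsWith('*')) { $id; continue }   # already an account name
        try {
            ([System.Security.Principal.SecurityIdentifier]$id.Substring(1)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }                                   # orphaned SID: keep it raw
    }
    $held[$matches[1]] = @($names)
}
Remove-Item $inf -ErrorAction SilentlyContinue

# "Don't make them local admins": membership of the local Administrators group
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })

foreach ($acct in $Accounts) {
    $granted = @($Rights.GetEnumerator() |
        Where-Object { $held[$_.Value] -contains $acct } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Account      = $acct
        IsLocalAdmin = ($admins -contains $acct)
        RightsHeld   = ($granted -join '; ')
    }
}
```

SQL Server setup grants most of these rights to the per-service SID (NT SERVICE\MSSQLSERVER for a default instance) rather than to the account itself, which is why that name is included in the placeholder list.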
MyDoggieJessie, SSChampion (12K reputation)
Group: General Forum Members
Points: 12416 Visits: 7444
+1 Nadrek