Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


local system account for sql server service


local system account for sql server service

Author
Message
bodhilove
bodhilove
Old Hand
Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)

Group: General Forum Members
Points: 305 Visits: 888
Hi Folks,

what are the ramifications of using the local system account for the sql server service?
george sibbald
george sibbald
SSCertifiable
SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)SSCertifiable (6.3K reputation)

Group: General Forum Members
Points: 6324 Visits: 13685
main effect is that SQL can not perform any actions that require network connectivity, e.g. access shares on other servers, backup across the network, logshipping or mirroring would not work if you required those options.

Also local admin is more access at the the server level than SQL really requires so there is an enhanced security risk.

---------------------------------------------------------------------
Jerry Hung
Jerry Hung
Right there with Babe
Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)Right there with Babe (792 reputation)

Group: General Forum Members
Points: 792 Visits: 1208
Local System is pretty minimal, safe for a local SQL instance
If you need Network-features such as back up to UNC, talk to other servers etc... use a domain account if you can


You don't need Local Admin


This is for SQL 2005 Express, but applicable as well
http://msdn.microsoft.com/en-us/library/ms143170(SQL.90).aspx

Use the built-in System account
   

You can assign Local System, Network Service, or Local Service to the logon for the configurable SQL Server services.

Local System account
   

The Local System option specifies a local system account that does not require a password to connect to SQL Server on the same computer. However, the local system account might restrict the SQL Server installation from interacting with other servers, depending on the privileges granted to the account.
Important:
Local System is a powerful account. It might not be appropriate for all service settings. For more information, see "Security Considerations for a SQL Server Installation." in SQL Server 2005 Books Online.

Network Service account
   

The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.
Important:
We recommend that you do not use the Network Service account for the SQL Server. Local User or Domain User accounts are more appropriate for these SQL Server services.

Local Service account
   

The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. For more information on service accounts, see Setting Up Windows Service Accounts in SQL Server 2005 Books Online.


SQLServerNewbie

MCITP: Database Administrator SQL Server 2005
bodhilove
bodhilove
Old Hand
Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)Old Hand (305 reputation)

Group: General Forum Members
Points: 305 Visits: 888
I think you can use mirroring if you use certificates

http://msdn.microsoft.com/en-us/library/ms191477.aspx
Mike Levan
Mike Levan
Ten Centuries
Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)

Group: General Forum Members
Points: 1023 Visits: 1893
I am trying to change local account to windows account as service ac for sql server but when i change login as from services>SQL Server Service > properties its net getting started after restarting.
do i need to change anything else ofr the newly created windows account.


thanks
Steve Jones
Steve Jones
SSC-Dedicated
SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)

Group: Administrators
Points: 35894 Visits: 18721
Change this in Configuration manager, not control panel, and you should be fine.

Follow me on Twitter: @way0utwestForum Etiquette: How to post data/code on a forum to get the best help
Mike Levan
Mike Levan
Ten Centuries
Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)Ten Centuries (1K reputation)

Group: General Forum Members
Points: 1023 Visits: 1893
yeah it worked. can u let me know what is the diffrence.
thanks
Steve Jones
Steve Jones
SSC-Dedicated
SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)SSC-Dedicated (35K reputation)

Group: Administrators
Points: 35894 Visits: 18721
I don't have the list handy, but Configuration Manager grants the rights needed (folders/files/user rights) for the service account.

Follow me on Twitter: @way0utwestForum Etiquette: How to post data/code on a forum to get the best help
Roy Ernest
Roy Ernest
SSCrazy
SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)

Group: General Forum Members
Points: 2494 Visits: 6852
Along with what steve said, I would also add that some registery entries wont be done properly if you use services to change the account.

-Roy
K. Brian Kelley
K. Brian Kelley
Keeper of the Duck
Keeper of the Duck (6.8K reputation)

Group: Moderators
Points: 6770 Visits: 1908
I know I'm coming in late on this, but the preference is not to use the local System account. It's not a minimal account (that's Local Service). It has all the rights of an administrator-level account + some (there are rights granted to System, such implicitly that are not normally granted to members of the local Administrators group). If you have the option, create a new local account with a strong password and use that, instead.

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search