January 25, 2002 at 10:52 am
I have read a lot about what kind of account should be used to run the SQL Server service but I am still confused.
I was told at one time to create an NT/2000 user with Domain Admin privileges on our domain, make it a part of the local Administrators group, then install SQL Server while logged in as the NT/2000 account I created. I was told this was necessary so the server could communicate with other SQL Servers.
Now I am reading a lot about setting up a domain user but not making it part of the Domain Admin group because of security risks.
What is the proper/recommended method for running the service? What are the benefits/drawbacks to using a login with Domain Admin rights vs. not a Domain Admin? If not Domain Admin, what kind of rights does this user need on the domain?
----------------------------------------------------------
01010011010100010100110000100000010100110110010101110010011101100110010101110010
001000000101001001101111011000110110101101110011
January 25, 2002 at 11:25 am
I've written briefly about this in a general article on services:
http://www.sqlservercentral.com/columnists/bkelley/services.asp
Chris Kempster has focused an article solely on security that does provide coverage of the service account:
http://www.sqlservercentral.com/columnists/ckempster/sql_server_security.asp
Give the account the privileges it needs and no more. Basically, if you think SQL Server is going to need access to networked resources (to include file shares and/or replication) it's probably best to go with a domain user account (if you know for sure that you will, go ahead and create that domain user for the service account). Grant this user account the proper permissions where appropriate. Only in extreme circumstances would you need a SQL Server service account with domain admin privileges. If you aren't going to be using networked resources, you can go with a local account on the server or the localsystem account.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
Edited by - bkelley on 01/25/2002 11:25:48 AM
K. Brian Kelley
@kbriankelley
January 25, 2002 at 1:15 pm
As a rule, I always use a domain user account, NEVER a domain admin account. You can substantially restrict the rights of the domain account, but in almost every case, I want SQL Mail running to notify me of things.
Having the service run as a local admin can be damaging, but you should be careful what you allow users to do. I know it can run as a less privledged account, but IMHO, it is not worth the hassle. Especially if I need to rapidly recover this server. I like having a domain account that is available anywhere on the network.
BTW, read Brian's references before you decide.
Steve Jones
January 25, 2002 at 1:51 pm
Normally I have it as a domain user with local administrative rights to the server itself, and no more. Steve's comments well illustrate the 80-20 rule. You *can* run a service account with less than local administrative rights, but there is a price to pay. Most of the time, it's just not worth it.
Right now I'm experimenting with using SQL Server and T-SQL to do reporting about my network infrastructure and collecting and parsing data into the DB. Since a lot of what I'm using to collect information is command-line based, I need to use xp_cmdshell, and privs need to be Domain Admin level. If I wasn't doing this, there would be no way I'd be running a service at this level.
Suffice it to say, this particular SQL Server is a local install on my workstation and the only time it's using a Domain Admin level account is when I'm specifically working towards the ends I've mentioned. Otherwise I switch it back to a different service account with domain user and local administrative rights.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
January 25, 2002 at 2:08 pm
Can't you run a process using runas instead? This would alleviate the need to run as a domain admin (though you;d need an accoutn and pwd in SQL to run the commands. Not sure which is worse.
Steve Jones
January 25, 2002 at 2:19 pm
It's a trade-off, and I don't really like either solution very much. However, it's probably the fastest way I can collect and parse the data I need in a format I'm looking for at this time. I don't have the keys to those nice expensive tools such as BindView (though others do in the organization), but a few custom built SQL apps with free utilities can do wonders.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
January 25, 2002 at 2:26 pm
Upon further testing, I forgot runas prompts for a password, which won't work for sending through xp_cmdshell. The net command can take a password... grrr.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
January 25, 2002 at 2:45 pm
Don't have time to check, but can runas take an input file like ftp? Like I did in the Pushftp article?
Steve Jones
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply