Minimum levels for SQL Service Accounts

  • I am currently reviewing the service accounts sql starts up with. BOL says the account should have local admin rights, whereas SQLSECURITY.com suggests that the service should not be given local admin rights.

    Does anyone know what the minimum permissions/access a sql service account needs?

    Steven

  • The following is the minimum requirements that we use as explained by Microsoft.

    Creating SQL Server Services User Accounts

    When running on Microsoft Windows NT, Microsoft SQL Server and SQL Server Agent are started and run as Windows NT services named MSSQLServer and SQLServerAgent. For these services to run, they must be assigned a Windows NT user account. Both services may be assigned the same user account.

    Note Microsoft Windows 95/98 does not support Windows NT services; instead, SQL Server simulates the MSSQLServer and SQLServerAgent services. You do not need to create user accounts for these simulated services.

    Three types of accounts can be assigned to SQL Server services:

    ·Local system

    ·Local user

    ·Domain user

    The local system and local user accounts do not have network access rights. Using a local account restricts SQL Server from interacting with other servers. Some server-to-server activities can be performed only with a domain user account. For example:

    ·Remote procedure calls (RPCs)

    ·Replication

    ·Backing up to network drives

    ·Heterogeneous joins that involve remote data sources

    ·SQL Server Agent mail features and SQL Mail

    This restriction applies if you are using Microsoft Exchange. Most other mail systems also require clients (MSSQLServer and SQLServerAgent) to be run on accounts with network access.

    Note Another service, Microsoft Search, is installed with the full-text search custom installation option. Microsoft Search service is always assigned the local system account.

    Domain User Account Requirements

    All domain user accounts must have permission to:

    ·Access and change the SQL Server directory (\MSSQL7).

    ·Access and change the .mdf, .ndf, and .ldf database files.

    ·Log in as a service.

    ·Read and write registry keys at and under:

    ·HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer.

    ·HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\MSSQLServer.

    ·HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib.

    In addition, these permissions are required for certain functionality to work.

    ServicePermissionFunctionality

    MSSQLServerNetwork write privilegesWrite to a mail slot using xp_sendmail

    MSSLQServerAct as part of the operating systemRun xp_cmdshell for a user other than a SQL Server administrator

    Replace process level token

    SQLServerAgentMember of the Administrators local groupCreate CmdExec and ActiveScript jobs belonging to someone other than a SQL Server administrator

    SQLServerAgentMember of the Administrators local groupUse the autorestart feature

    SQLServerAgentMember of the Administrators local groupUse run-when-idle jobs

    It is recommended that you use a domain user account that is a member of the Administrators local group.

    Note Several servers running SQL Server can share the same user account. When setting up replication, it is recommended that a Publisher and all its Subscribers share the same account.

    Changing the Assigned User Account

    After you have installed SQL Server, you can change the user account assigned to any of the SQL Server services by using the Services application in Control Panel. You can also change the MSSQLServer and SQLServerAgent services through SQL Server Enterprise Manager. Each service must be changed individually. The new user account will take effect the next time each service is started.

    Important If full-text search is installed on the computer, do not change the MSSQLServer account information in the Services application in the Control Panel. While the Microsoft Search service is always assigned to the local system account, it keeps track of the MSSQLServer service account. You must change the MSSQLServer service account in SQL Server Enterprise Manager for the Microsoft Search service to stay in sync.

    For information about creating Windows NT user accounts, granting advanced user rights, setting password expiration, and managing group memberships, see your Windows NT documentation or User Manager for Domains Help.

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply