SQL Server Services Account

  • Lee From Bangalore

    Say Hey Kid

    Points: 691

    Hi,

    Why the services need a account to run?

    Is It Must be administrator's rights account?

    plz let me know,

    With regards

    Lee

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    Service account is needed if your Sql Server has to access resources outside the box. Like a share to take back up or replication ect.

    Service account should not be an Administrator. It should have to rights to log on locally and Run As Service right. There are lots of articles out there specifying what basic rights are needed for the Service account.

    -Roy

  • Jack Corbett

    SSC Guru

    Points: 184381

    With SQL Server 2005 and later you do not have to manually assign rights as the install creates local groups with appropriate rights and places the Service account in those groups. After install using the SQL Server Configuration Manager to change the service account also does this. If you change the service account using the Services applet then you need to add it to the appropriate groups.

    As Roy said, if the SQL Server or Agent needs access to network resources then you need to use a Domain account and grant that account appropriate rights within the domain.

    Jack Corbett
    Consultant - Straight Path Solutions
    Check out these links on how to get faster and more accurate answers:
    Forum Etiquette: How to post data/code on a forum to get the best help
    Need an Answer? Actually, No ... You Need a Question

  • K. Brian Kelley

    SSC Guru

    Points: 114485

    The correct permissions and what options you may have there are documented in Books Online:

    Setting up Windows Service Accounts

    K. Brian Kelley
    @kbriankelley

  • Andrew Hatfield

    SSCrazy

    Points: 2241

    K. Brian Kelley (5/14/2009)


    The correct permissions and what options you may have there are documented in Books Online:

    Setting up Windows Service Accounts

    This isn't strictly complete. The BOL article is only correct if you do not modify Default Domain Policy or over-ride any settings. Specifically, if you lock down the Access this Computer from the Network privilege you will need to explicitly grant this to your SQL service accounts.

    --
    Andrew Hatfield

  • sam bryant

    Right there with Babe

    Points: 786

    I am in the process of researching and testing the use of domain user accounts to run the various SQL Server services as our startup accounts on our servers are mostly configured to run as local system. I have read that you should use separate accounts for each server. So my take is that I should have about 5 - 7 domain user accounts...

    So my question is whether or not it is alright to use these same accounts across our 5 servers? As in each of the servers SQL Server service account can run as the 1 domain user account created for the SQL Server service?

    Please let me know if I am misunderstanding anything along the way as I am somewhat new to security as a whole. :unsure:

    Thanks,

    Sam

  • Michael Valentine Jones

    SSC Guru

    Points: 64818

    Use a different account as the service account for each SQL Server.

    If you use the same account on more than one server, it becomes almost impossible to change the account password without taking down all the other SQL Servers.

  • sam bryant

    Right there with Babe

    Points: 786

    Thanks for the reply Michael.

    So I will use separate accounts for each of the services across each of the servers. Just out of curiosity besides what you mentioned about changing passwords are there any security implications of using the same domain user account, say User123, as the startup account for the SQL Server service on ServerA and ServerB?

  • Michael Valentine Jones

    SSC Guru

    Points: 64818

    ssb (5/22/2009)


    Thanks for the reply Michael.

    So I will use separate accounts for each of the services across each of the servers. Just out of curiosity besides what you mentioned about changing passwords are there any security implications of using the same domain user account, say User123, as the startup account for the SQL Server service on ServerA and ServerB?

    Among other things, it also means that a sysadmin login on ServerA can gain access to ServerB with sysadmin rights.

  • sam bryant

    Right there with Babe

    Points: 786

    To add on to my earlier replies, I have the following information/inquiries.

    I am trying to identify the best accounts to use for each service.

    Microsoft SQL Server Best Practices Analyzer is showing the following recommendations:

    MSSQLServer Service: domain user account

    SQL Server Agent service: domain user account

    SSIS Service: Network Service Account

    SQL Browser service: Network Service Account

    Analysis Service service: Network Service Account

    Full Text service: MSSQLServer Service startup account

    Reporting services account: domain user account (I believe)

    I am pretty sure I have read many other posts/articles that do not specifically say which setup to use for each service, but I do not recall many (if any) posts/articles saying to use the Network Service Account for so many services.

    My question is whether I should use around 5 - 7 domain user accounts for the services or if I should follow the Best Practices Analyzer completely and create 3 domain user accounts (1 for MSSQLServer service and Full Text service, 1 for SQL Server Agent service, 1 for Reporting Services service) and use the Network Service Account for all the other services.

    I am not looking for answers discussing the trade-off between security and maintenance. I am moreso looking for the best setup from a security standpoint.

    Thanks for any info/help on this issue.

    Sam

  • Andrew Hatfield

    SSCrazy

    Points: 2241

    The "best" setup from a security standpoint is balanced between least privilege, the implementation, support overhead and understanding how it works.

    I would say use a service account with the relevant privileges for the following

    - Database Engine (MSSQLServer)

    - Full Text Search

    - Agent

    - SSIS

    - Analysis Services

    If you want security, don't even enable the Browser and use static ports with SPNs to enable Kerberos.

    Reporting Services will run on another machine. It is HIGHLY recommended to run it within an Application Pool with a service account. Again, enable Kerberos to support Double-Hop authentication.

    --
    Andrew Hatfield

  • Leon Johnston

    Newbie

    Points: 3

    SQL 2005 BPA is also telling me to use Network Service for SQLBrowser, the services and service accounts security planning guide

    http://www.microsoft.com/downloads/details.aspx?FamilyId=F4069A30-01D7-43E8-8B30-3799DB2D9C2F&displaylang=en

    states on page 21 that the least privilege hierarchy should use accounts in the following order

    1 Local Service

    2 Network Service

    3 Unique User Account

    4 Local System

    5 Local Administrator

    6 Domain Administrator

    so it looks like Network Service is more secure.

Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply