May 13, 2009 at 2:38 am
Hi,
Why do the services need an account to run?
Must it be an account with administrator rights?
Please let me know.
With regards
Lee
May 13, 2009 at 2:59 am
A service account is needed if your SQL Server has to access resources outside the box, like a share to take a backup to, or replication, etc.
The service account should not be an Administrator. It should have the right to log on locally and the Run As Service right. There are lots of articles out there specifying what basic rights are needed for the service account.
-Roy
May 13, 2009 at 7:04 am
With SQL Server 2005 and later you do not have to manually assign rights, as the install creates local groups with the appropriate rights and places the service account in those groups. After install, using the SQL Server Configuration Manager to change the service account also does this. If you change the service account using the Services applet, then you need to add it to the appropriate groups yourself.
As Roy said, if the SQL Server or Agent needs access to network resources then you need to use a Domain account and grant that account appropriate rights within the domain.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
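An added PowerShell check, not part of the thread, that shows what Jack describes from the machine's point of view: which account the Database Engine service runs as, the install-created local groups and who is in them, and which principals actually hold the user rights those groups carry (Log on as a service, Log on locally, and Access this computer from the network). `$InstanceName` is a placeholder for your instance; run it elevated on the SQL host.

```powershell
# Added example, not from the thread. Audits the service account, the
# install-created local groups, and the user rights behind them.
# Assumption: run elevated on the SQL host; $InstanceName is a placeholder.
param(
    [string]$InstanceName = 'MSSQLSERVER'
)

# 1. Startup account of the Database Engine service (Win32_Service exists on 2003/2008-era hosts).
$svcName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service $svcName not found" }
"Service $($svc.Name) runs as: $($svc.StartName)"

# 2. Install-created local groups and their members. Names look like
#    SQLServerMSSQLUser$<host>$<instance> (2008) or SQLServer2005MSSQLUser$<host>$<instance> (2005).
$computer  = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$sqlGroups = $computer.Children | Where-Object { $_.SchemaClassName -eq 'group' -and ([string]$_.Name) -like 'SQLServer*' }
foreach ($g in $sqlGroups) {
    $members = @($g.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    "{0}: {1}" -f ([string]$g.Name), ($members -join ', ')
}

# 3. Who holds the user rights. secedit exports principals as SIDs (*S-1-...),
#    so translate them back to account names where the SID resolves.
function Resolve-Sid([string]$entry) {
    if ($entry -match '^\*(S-1-[\d-]+)$') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $matches[1]
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }
    }
    return $entry
}

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg -Encoding Unicode | ForEach-Object {        # secedit writes UTF-16
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { Resolve-Sid $_.Trim() })
    }
}
Remove-Item $cfg

# SeServiceLogonRight = Log on as a service, SeInteractiveLogonRight = Log on locally,
# SeNetworkLogonRight = Access this computer from the network.
foreach ($r in 'SeServiceLogonRight', 'SeInteractiveLogonRight', 'SeNetworkLogonRight') {
    "{0}: {1}" -f $r, ($rights[$r] -join ', ')
}
```

If the groups from step 2 do not appear in the right-hand side of step 3, the account was most likely changed through the Services applet rather than Configuration Manager, which is the case Jack warns about.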
May 14, 2009 at 8:45 pm
The correct permissions and what options you may have there are documented in Books Online:
Setting up Windows Service Accounts
K. Brian Kelley
@kbriankelley
May 15, 2009 at 10:05 pm
K. Brian Kelley (5/14/2009)
The correct permissions and what options you may have there are documented in Books Online:
This isn't strictly complete. The BOL article is only correct if you do not modify Default Domain Policy or override any settings. Specifically, if you lock down the Access this Computer from the Network privilege, you will need to explicitly grant this to your SQL service accounts.
--
Andrew Hatfield
May 22, 2009 at 12:28 pm
I am in the process of researching and testing the use of domain user accounts to run the various SQL Server services as our startup accounts on our servers are mostly configured to run as local system. I have read that you should use separate accounts for each server. So my take is that I should have about 5 - 7 domain user accounts...
So my question is whether or not it is alright to use these same accounts across our 5 servers? As in each of the servers SQL Server service account can run as the 1 domain user account created for the SQL Server service?
Please let me know if I am misunderstanding anything along the way as I am somewhat new to security as a whole. :unsure:
Thanks,
Sam
May 22, 2009 at 12:35 pm
Use a different account as the service account for each SQL Server.
If you use the same account on more than one server, it becomes almost impossible to change the account password without taking down all the other SQL Servers.
May 22, 2009 at 12:56 pm
Thanks for the reply Michael.
So I will use separate accounts for each of the services across each of the servers. Just out of curiosity besides what you mentioned about changing passwords are there any security implications of using the same domain user account, say User123, as the startup account for the SQL Server service on ServerA and ServerB?
May 22, 2009 at 1:14 pm
ssb (5/22/2009)
Thanks for the reply Michael. So I will use separate accounts for each of the services across each of the servers. Just out of curiosity besides what you mentioned about changing passwords are there any security implications of using the same domain user account, say User123, as the startup account for the SQL Server service on ServerA and ServerB?
Among other things, it also means that a sysadmin login on ServerA can gain access to ServerB with sysadmin rights.
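An added PowerShell inventory, not part of the thread, for spotting the situation Michael describes. The chain is: on a default SQL Server 2005 install the startup account is a sysadmin on its own instance (through the install-created group's login); a sysadmin on ServerA can run a job step or xp_cmdshell, which executes as that startup account; if ServerB uses the same account, that process authenticates to ServerB as a sysadmin there. The script walks a list of servers, collects the startup account of every SQL-related service, and reports any domain account used on more than one host. The server names are placeholders, and it assumes WMI (RPC) access to each host.

```powershell
# Added example, not from the thread. Finds domain startup accounts reused
# across SQL Servers. Assumptions: $servers are placeholders for your hosts
# and the caller has WMI access to each of them.
$servers = 'SQL01', 'SQL02', 'SQL03', 'SQL04', 'SQL05'

# SQL service name prefixes for 2005/2008: engine, agent, SSIS, full-text, SSRS, SSAS, browser.
$sqlServicePattern = '^(MSSQL|SQLAgent|MsDtsServer|msftesql|MSSQLFDLauncher|ReportServer|MSOLAP|SQLBrowser)'

$inventory = foreach ($s in $servers) {
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.Name -match $sqlServicePattern } |
            Select-Object @{ n = 'Server'; e = { $s } }, Name, StartName, State
    } catch {
        Write-Warning "$s unreachable: $($_.Exception.Message)"
    }
}

"Inventory:"
$inventory | Format-Table Server, Name, StartName, State -AutoSize | Out-String

# Built-in identities (LocalSystem, Network Service, Local Service) are per machine,
# so the same name on two hosts is not the same principal. Only domain accounts count.
$builtin = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
$shared = $inventory |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    Group-Object StartName |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Server -Unique).Count -gt 1 }

if ($shared) {
    foreach ($grp in $shared) {
        $hosts = @($grp.Group | Select-Object -ExpandProperty Server -Unique) -join ', '
        Write-Warning "$($grp.Name) is the startup account on more than one server: $hosts"
    }
} else {
    'No domain service account is reused across servers.'
}
```

The same pass also surfaces the other thing Sam mentioned, services still running as LocalSystem, since `StartName` comes back as `LocalSystem` for those.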
June 2, 2009 at 6:58 am
To add on to my earlier replies, I have the following information/inquiries.
I am trying to identify the best accounts to use for each service.
Microsoft SQL Server Best Practices Analyzer is showing the following recommendations:
MSSQLServer Service: domain user account
SQL Server Agent service: domain user account
SSIS Service: Network Service Account
SQL Browser service: Network Service Account
Analysis Service service: Network Service Account
Full Text service: MSSQLServer Service startup account
Reporting services account: domain user account (I believe)
I am pretty sure I have read many other posts/articles that do not specifically say which setup to use for each service, but I do not recall many (if any) posts/articles saying to use the Network Service Account for so many services.
My question is whether I should use around 5 - 7 domain user accounts for the services or if I should follow the Best Practices Analyzer completely and create 3 domain user accounts (1 for MSSQLServer service and Full Text service, 1 for SQL Server Agent service, 1 for Reporting Services service) and use the Network Service Account for all the other services.
I am not looking for answers discussing the trade-off between security and maintenance. I am more so looking for the best setup from a security standpoint.
Thanks for any info/help on this issue.
Sam
June 3, 2009 at 7:14 am
The "best" setup from a security standpoint is balanced between least privilege, the implementation, support overhead and understanding how it works.
I would say use a service account with the relevant privileges for the following
- Database Engine (MSSQLServer)
- Full Text Search
- Agent
- SSIS
- Analysis Services
If you want security, don't even enable the Browser and use static ports with SPNs to enable Kerberos.
Reporting Services will run on another machine. It is HIGHLY recommended to run it within an Application Pool with a service account. Again, enable Kerberos to support Double-Hop authentication.
--
Andrew Hatfield
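An added PowerShell check, not part of the thread, for the three items in Andrew's reply: Browser disabled, a single static TCP port, and an SPN registered on the service account so that connections negotiate Kerberos rather than NTLM. It reads the port from the instance's `SuperSocketNetLib\Tcp\IPAll` registry key, compares the SPNs `setspn -L` reports against the expected `MSSQLSvc/<fqdn>:<port>` form, then opens a TCP connection and asks the engine which scheme it actually used. `$InstanceName` and `$ServiceAccount` are placeholders; run it elevated on the SQL host as a domain user.

```powershell
# Added example, not from the thread. Verifies Browser off, static port, SPN,
# and that a live connection reports KERBEROS.
# Assumptions: run elevated on the SQL host; placeholders below.
param(
    [string]$InstanceName   = 'MSSQLSERVER',
    [string]$ServiceAccount = 'CONTOSO\svc-sql01'
)

# 1. SQL Browser should be stopped and disabled, or simply not installed.
$browser = Get-WmiObject -Class Win32_Service -Filter "Name='SQLBrowser'"
if ($browser) {
    "SQLBrowser: State=$($browser.State) StartMode=$($browser.StartMode)"
    if ($browser.StartMode -ne 'Disabled') { Write-Warning 'SQLBrowser is not disabled' }
} else {
    'SQLBrowser: not installed'
}

# 2. Map instance name -> instance ID (e.g. MSSQL.1 or MSSQL10.MSSQLSERVER) and read IPAll.
#    Static port means TcpPort is set and TcpDynamicPorts is empty.
$base       = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$base\Instance Names\SQL").$InstanceName
if (-not $instanceId) { throw "Instance $InstanceName not found under Instance Names\SQL" }
$tcp = Get-ItemProperty "$base\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
"TcpPort='$($tcp.TcpPort)'  TcpDynamicPorts='$($tcp.TcpDynamicPorts)'"
if (-not $tcp.TcpPort -or $tcp.TcpDynamicPorts) { Write-Warning 'Instance is not listening on a single static port' }
$port = $tcp.TcpPort

# 3. Expected SPNs: MSSQLSvc/<fqdn>:<port>, plus MSSQLSvc/<fqdn>:<instance> for a named instance.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$expected = @("MSSQLSvc/$fqdn`:$port")
if ($InstanceName -ne 'MSSQLSERVER') { $expected += "MSSQLSvc/$fqdn`:$InstanceName" }

$registered = setspn -L $ServiceAccount 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($spn in $expected) {
    if ($registered -contains $spn) { "SPN present: $spn" }
    else { Write-Warning "SPN missing: $spn   (register with: setspn -S $spn $ServiceAccount)" }
}

# 4. End-to-end proof: connect over TCP to the static port and ask the engine
#    which scheme it negotiated. sys.dm_exec_connections exists from SQL Server 2005.
$server = if ($InstanceName -eq 'MSSQLSERVER') { "$fqdn,$port" } else { "$fqdn\$InstanceName,$port" }
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=tcp:$server;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$scheme = $cmd.ExecuteScalar()
$conn.Close()
"auth_scheme for this connection: $scheme"
if ($scheme -ne 'KERBEROS') { Write-Warning 'Connection fell back to NTLM; check the SPN and that the client used the FQDN' }
```

Step 4 has to run from a domain account on a machine other than the one you are testing against to be meaningful for double-hop; a local connection can report KERBEROS even when remote clients still fall back to NTLM because the SPN is on the wrong account.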
June 4, 2009 at 8:25 am
SQL 2005 BPA is also telling me to use Network Service for SQLBrowser. The Services and Service Accounts Security Planning Guide
states on page 21 that the least-privilege hierarchy should use accounts in the following order:
1 Local Service
2 Network Service
3 Unique User Account
4 Local System
5 Local Administrator
6 Domain Administrator
so it looks like Network Service is more secure.