Anthony Bartolo
Pierre Roman
Securing SQL Server is one of the top priorities of any SQL Server DBA. It is extremely important for DBAs and system admins to make sure that SQL Server is TIGHTLY SECURED and is not exposed to users who don’t need access to it. Only valid and required users MUST be granted “required” permissions.
Apart from configuring the right security and permissions for SQL Server users and logins, it is also very important to select the right account to run SQL Server services. In today’s tip, we will explore which service account to use, and when, for running SQL Server services.
WHEN TO USE DOMAIN USER ACCOUNT?
If your SQL Server interacts with other servers, services or resources on the network (e.g., file shares), or if your SQL Server services use linked servers to connect to other SQL Servers on the network, then you may use a low-privileged domain user account for running SQL Server services. A domain user account is the most recommended account for SQL Server services that interact with other servers on the network. One advantage of a domain user account is that it is controlled by Windows Active Directory; therefore, domain-level account policies apply to the SQL Server service account as well.
WHEN TO USE NETWORK SERVICE ACCOUNT?
You should NEVER use the Network Service account for running SQL Server services. The Network Service account is shared with other services running on the local computer. It is a built-in account that has more access to server resources and objects than user accounts in local user groups.
Any SQL Server service that runs under the Network Service account can access network resources by using the credentials of the computer account. This account shows up as “NT AUTHORITY\NETWORK SERVICE” when configuring SQL Server services.
WHEN TO USE LOCAL USER ACCOUNT?
If your SQL Server DOES NOT interact with other servers, services or resources on the network (e.g., files, shares, linked servers), then you may use a low-privileged local user account for running SQL Server services.
NOTE: The local user account does not need administrative privileges to run SQL Server services.
WHEN TO USE LOCAL SYSTEM ACCOUNT?
You should NEVER use the Local System account for running SQL Server services. The Local System account has more permissions than you would think. It is a very high-privileged built-in account created by the Windows operating system.
The Local System account has extensive privileges on the entire local system and acts as the computer on your company’s network. This account shows up as “NT AUTHORITY\SYSTEM” when configuring SQL Server services.
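One way to audit a host against the guidance above, as an added example (not code from the original post): the PowerShell below reads the account that each SQL Server engine and Agent service runs under and flags Local System, Network Service, and accounts that are direct members of the local Administrators group. The function name, the service-name pattern and the sample account names are assumptions made for this example.

```powershell
# Added example: classify a service logon account against the article's guidance.
function Get-SqlServiceAccountRisk {
    param(
        [Parameter(Mandatory)][string]$StartName,
        [string[]]$LocalAdmins = @()   # direct members of BUILTIN\Administrators, 'MACHINE\user' form
    )
    # Win32_Service reports local accounts as '.\user'; normalise to 'MACHINE\user'.
    $account = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    switch -Regex ($account) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            $finding = 'FAIL: runs as Local System'; break
        }
        '^NT AUTHORITY\\Network ?Service$' {
            $finding = 'FAIL: runs as Network Service (shared built-in account)'; break
        }
        default {
            # Only direct membership is checked; admin rights granted through
            # nested domain groups are not detected here.
            if ($LocalAdmins -contains $account) {
                $finding = 'WARN: service account is a local administrator'
            } else {
                $finding = 'OK: not Local System or Network Service, not a local administrator'
            }
        }
    }
    [pscustomobject]@{ Account = $account; Finding = $finding }
}

# Live audit (Windows only): engine and Agent services, default and named instances.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue).Name
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$' } |
        ForEach-Object {
            $r = Get-SqlServiceAccountRisk -StartName $_.StartName -LocalAdmins $admins
            [pscustomobject]@{ Service = $_.Name; Account = $r.Account; Finding = $r.Finding }
        }
}

# Constructed sample StartName values (not from a real host) to try the classifier offline.
'LocalSystem', 'NT AUTHORITY\NetworkService', 'CONTOSO\svc-sql', '.\sqlsvc' |
    ForEach-Object {
        Get-SqlServiceAccountRisk -StartName $_ -LocalAdmins @("$env:COMPUTERNAME\sqlsvc")
    }
```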
The local system account is used by quite a few services that listen on various well-known ports, so I don't know how running the SQL service as local system would decrease your security much. If I remember correctly, a domain-based account is a member of the dynamic group "domain user"; this account is ripe for abuse. It's a low priv account that's granted minimally read on a lot of objects within most domains, which can facilitate information disclosures. Man, security is tough.
You are right that a number of services use the local system account but it is also a privileged account that may provide more access to the local computer than is needed by SQL Server services. Using a domain account that does not have as high a privilege level can provide more security on the local system but also allow SQL Server to communicate across the network for things such as multi-server management and jobs.
You're right - security is never easy.