SQL Server Service Accounts

  • I have 10 SQL servers which have different service accounts, and they are domain user accounts created exclusively for those SQL services. Can I just use one account as the service account for all the servers? What are the pros and cons involved?

    thanks

  • You can use a single account, but it will be less secure.

    With a single account, you will have to give the account permissions to handle all actions that need to be accomplished by any server. So, if one server needs to be able to access a particular network resource, all servers will typically be granted access to this resource.

    Also, if someone happens to get the password for your single account, they can cause havoc in all 10 servers rather than just one. That could be a pretty big headache. Increasing the scope of a vulnerability is usually a bad idea.

    There is also the problem of account maintenance. If you use the same login for all of your services, when it comes time to change that password (which I hope is pretty regularly) you end up having to bring all of the servers down at the same time. This can be a bit of a problem in environments requiring very little down-time.

    Finally, the simple problem of someone deciding to brute-force attack your login becomes a much bigger issue. Just to cause a problem for you, someone may programmatically attempt to log into your service account enough times to lock it out (it is a good idea to lock out an account after a certain number of failures). This type of attack would impact 10 servers rather than 1.

    It is almost always worth the little bit of extra maintenance and password tracking to create individual service accounts.
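
An audit for the situation discussed in this thread, added here as an example and not part of either post: it lists the logon account of each SQL Server service and reports any domain account used on more than one server. The host names, account names, and function names are hypothetical, and the sample inventory is constructed.

```powershell
# Collect the logon account (Win32_Service.StartName) of SQL Server services
# from the given hosts. Requires CIM/WinRM access to each host.
function Get-SqlServiceInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName `
        -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'" |
        Select-Object @{ n = 'Server'; e = { $_.PSComputerName } }, Name, StartName
}

# Report accounts whose credential is shared by services on several servers.
function Find-SharedServiceAccount {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        # Built-in and virtual accounts (LocalSystem, NT AUTHORITY\*, NT SERVICE\*)
        # are per-machine identities, so the same name on two hosts is not a
        # shared password. Only real user accounts are compared.
        Where-Object { $_.StartName -and
                       $_.StartName -notmatch '^(NT (AUTHORITY|SERVICE)\\|LocalSystem$)' } |
        Group-Object -Property { $_.StartName.ToLowerInvariant() } |
        ForEach-Object {
            $servers = @($_.Group.Server | Sort-Object -Unique)
            if ($servers.Count -gt 1) {
                [pscustomobject]@{
                    Account     = $_.Group[0].StartName
                    ServerCount = $servers.Count
                    Servers     = $servers -join ', '
                }
            }
        }
}

# Constructed sample inventory so the check can be run without a domain.
$sample = @(
    [pscustomobject]@{ Server = 'SQL01'; Name = 'MSSQLSERVER';    StartName = 'CORP\svc-sql01' }
    [pscustomobject]@{ Server = 'SQL01'; Name = 'SQLAgent';       StartName = 'CORP\svc-sql01' }
    [pscustomobject]@{ Server = 'SQL02'; Name = 'MSSQLSERVER';    StartName = 'CORP\svc-sqlshared' }
    [pscustomobject]@{ Server = 'SQL03'; Name = 'MSSQLSERVER';    StartName = 'corp\svc-sqlshared' }
    [pscustomobject]@{ Server = 'SQL04'; Name = 'MSSQLSERVER';    StartName = 'NT Service\MSSQLSERVER' }
    [pscustomobject]@{ Server = 'SQL05'; Name = 'MSSQLSERVER';    StartName = 'NT Service\MSSQLSERVER' }
)

Find-SharedServiceAccount -Inventory $sample | Format-Table -AutoSize

# Against live hosts (hypothetical names):
# Find-SharedServiceAccount -Inventory (Get-SqlServiceInventory -ComputerName 'SQL01','SQL02')
```

Each account it reports is one whose password change, lockout, or compromise affects every server listed next to it.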
