August 17, 2010 at 3:31 am
Hi,
Looking for a sanity check here. On our production servers here (SQL 2005) I am configuring a SQL Backup & Optimisation schedule with maintenance plans. Once I am happy with each job working I change the owner of the maintenance plan sql job (I know it is possible to change the "Plan" owner as well) asI don't want any named accounts as any sql jobs on pre-production and production SQL Instances. If that named domain account is suspended or dropped then the job will fail - is my thinking correct?
So looking on SSC, some people have recommended using 'sa' as sql job owner however I would rather not use that, I would prefer to use the SQL Server Service account or even the SQL Agent Service account, but I would be interested in fellow DBA's thoughts on this - i.e. is there a security best practice for SQL jobs?
Thanks
qh
August 17, 2010 at 3:54 am
Your thinking is indeed correct.
We use sa or the SQL Server Agent account as the job owner. We usually go for the former because it's easier to remember. You don't need to specify the password and sa and the SQL Server Agent account are both sysadmin, so I can't see that using sa is any more or less secure. We have a check that runs every day on all servers and returns a list of jobs that aren't owned by sa or the SQL Server Agent account.
John
August 17, 2010 at 6:16 am
Thank you for that reply John, for a production box I think I am still too paranoid (is there any other type of DBA? :-D) about using sa, as I don't like to use sa for anything, so I will go for the SQL Service/SQL Agent account.
Cheers
qh
August 17, 2010 at 6:35 am
I don't think its a good practice for the sql service account (both mssql & agent service) to have local admin rights to the server. Although it's the other way at most of the installations I've seen As this increases our work (DBA) for configuring the permissions and security...
Rohit
August 17, 2010 at 6:41 am
Ramji29 (8/17/2010)
I don't think its a good practice for the sql service account (both mssql & agent service) to have local admin rights to the server.
Rohit
You're right - they shouldn't have any permissions on the server (or domain) other than those assigned during the installation process. I'm not sure whether you're under the impression that I meant that the service accounts have local admin rights. I didn't - they have sysadmin permissions on SQL Server.
John
August 17, 2010 at 6:45 am
John Mitchell-245523 (8/17/2010)
Your thinking is indeed correct.We use sa or the SQL Server Agent account as the job owner. We usually go for the former because it's easier to remember. You don't need to specify the password and sa and the SQL Server Agent account are both sysadmin, so I can't see that using sa is any more or less secure. We have a check that runs every day on all servers and returns a list of jobs that aren't owned by sa or the SQL Server Agent account.
John
Apologies... I interpreted it incorrectly... but one more suggestion.... you shud always rename your sa account with some other name.... as a good security practice... this will reduce the threat to your sa account.
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply