September 3, 2008 at 12:08 pm
I've taken over for a previous DBA and the procedures that we used to use was to use the same AD service accounts for each SQL Server (ie: svc_SQLSERVER, svc_SQLAGENT, etc). Now this was done back when we only had less than a dozen instances of SQL up and running. We are now pushing near the 40 instances mark and I'd like to revisit this.
To ensure that our servers are properly secured, I've been thinking about changing this model and creating separate service accounts for each service for each server (ie: svc_Server1SQLSERVER). From what I've been able to gather, these were the tasks that I was going to perform, but wanted to see if anyone has gone through changing the service accounts SQL is running under before:
1. Create the new service accounts for each server in AD
2. Modify Group Policy to ensure service accounts have the proper rights (ie: logon as service, etc)
3. Add the service accounts to the necessary local groups on the server
4. Use SQL Server Configuration Manager to change the service accounts and restart the services
Any other steps or things that we should check for first?
Thanks!
September 3, 2008 at 1:09 pm
Brian,
Before you had only two passwords to forget. Now you are adding 80 more service accounts passwords to forget. Dont you think it is counter productive? Yea, you can secure the DB but you are creating more Windows login that the Network admins have to maintain. The more the logins that are there, the more easier for someone to sneak in. Thats my two cents.
About the list, you have covered it well.
-Roy
September 3, 2008 at 1:17 pm
Thanks for the response Roy....
I'm on the fence on this one too, but we were going to use a random password generator to create the pwds for the service accounts. Once they are entered, I've never actually gone back and changed them, so that really isn't a concern of mine. The thing that I'm concerned about is that if someone were to get ahold of a service account password, they now have access to over 40 servers as opposed to just a single one (once my plan is implemented). In addition, if someone enters the password wrong and locks the account out, that could cause some serious issues as well.
If I setup the security correctly, and only grant the service accounts rights on the local box, that would ensure each service account is isolated to that actual server.
Lastly, as we go forward, I know there is going to be more compliance reasons to do this, so was just trying to get a jump on it.
Does that make sense?
September 3, 2008 at 1:27 pm
It does make sense from DBA's point of view. It is the Network Admins point of view that I am thinking.. 🙂
I know that the network admins will freak out since they have to document each and every object created in the Network.
-Roy
September 3, 2008 at 1:30 pm
Yeap. But on the flip side, our firm is a little different in that we all wear many hats. We are actually in the process of implementing a new password management tool that will allow us to create all the service accounts in there with their passwords and lock it down so that only the SQL DBA's can view it.
September 4, 2008 at 11:46 am
We use service accounts which incorporate the server name and they all have different passwords. It does make it more secure as previously mentioned but would suggest ensuring a sensible way of storing all these usernames and passwords - there are secure password tools that can do this.
September 8, 2008 at 4:14 pm
Brian.Dunat (9/3/2008)
2. Modify Group Policy to ensure service accounts have the proper rights (ie: logon as service, etc)3. Add the service accounts to the necessary local groups on the server
SQL Server Configuration Manager does this for you when you change the account via config manager
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply