August 31, 2012 at 5:26 am
What I'm trying to establish is how many people actually conform to best practice and have separate and unique service accounts for SQL Server and SQL Agent for every server in your organisation, or whether you use one service account for both server and agent but one that is unique for each instance, or whether you use one service account across multiple servers.
August 31, 2012 at 5:39 am
While the best practice says that you should, realistically, there's not much to be gained. After all, the SQL Server Agent service has sysadmin rights into SQL Server. Since you posted in the SQL 2008 forum, with Vista and newer OSes, Agent will come in as the service, not as the account. Therefore, even though the account is the same, it doesn't matter. The account isn't what has access; it is the service itself.
K. Brian Kelley
@kbriankelley
August 31, 2012 at 10:12 am
Mostly I see one service account used on all instances for all SQL Server services. This is typically not an issue, even for auditors, as long as you can list who can do what and where. A security consultant may point this out as a potential weakness, though. I am not a security consultant, but I would. Ideally you would have separate accounts for each service, and different accounts for each machine, but there is overhead associated with that, especially if your apps are highly distributed and you're initiating operations from the database instance.
SQL Agent's access to the local SQL Server instance is not as much of a concern, as Brian pointed out, but access to external resources is (e.g. the file system and network resources). Jobs owned by a sysadmin will access external resources using the SQL Agent service account, so granularity of service accounts should be consistent with the level of auditing and control over who can do what that is required.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
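The last post's point about jobs reaching external resources under the SQL Agent service account can be checked per instance. The query below is an added example, not part of the original thread; it assumes read access to the msdb job tables and sys.credentials, and the column aliases are illustrative.

```sql
-- Added example: show which Windows identity each non-T-SQL Agent job step
-- runs as. Steps with no proxy execute under the SQL Server Agent service
-- account; steps with a proxy execute under the proxy's credential.
SELECT
    j.name                                   AS job_name,
    j.enabled                                AS job_enabled,
    SUSER_SNAME(j.owner_sid)                 AS job_owner,
    -- 1 = owner is sysadmin, 0 = not, NULL = owner login could not be resolved
    IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) AS owner_is_sysadmin,
    s.step_id,
    s.step_name,
    s.subsystem,                             -- e.g. CmdExec, PowerShell, SSIS
    p.name                                   AS proxy_name,
    COALESCE(c.credential_identity,
             N'<SQL Agent service account>') AS runs_as,
    LEFT(s.command, 200)                     AS command_preview
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS p
    ON p.proxy_id = s.proxy_id
LEFT JOIN sys.credentials AS c
    ON c.credential_id = p.credential_id
WHERE s.subsystem <> N'TSQL'                 -- T-SQL steps stay inside the instance
ORDER BY
    CASE WHEN s.proxy_id IS NULL THEN 0 ELSE 1 END,  -- service-account steps first
    j.name,
    s.step_id;
```

Rows where `runs_as` shows the service account placeholder are the steps whose file system and network access is bounded only by what that service account can reach, which is where sharing one account across servers widens the exposure.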