FT should never run as a domain account?

  • Hi:
    Is there any restriction like why the Full Text Search should need to run using "NT Service\MSSQLFDLauncher" and not preferred to run using SQL Service accounts?

    Sincere Request: Those who feel this is a "By design" feature or it is a "Trivial" or "Trivial to Trivial" question, please do not bother to reply. I am here to learn technology and share my ideas, scripts on SQL Track. Those who would like to share his/her technical thoughts to educate others, please do respond only. Thanks!!

    Thanks.

  • I'm not really sure what you're asking here. It seems (to me) that you're implying that you've been told that the Full Text Search should only run under the local service account [NT Service\MSSQLFDLauncher]; this isn't the case. Just like any other service, you can run it under any credential you like, including a different local account, or a Domain account. MS Docs even has a guide on how to change it: https://docs.microsoft.com/en-us/sql/relational-databases/search/set-the-service-account-for-the-full-text-filter-daemon-launcher (there's no recommendation on that page to state it's a "bad" idea).

    I'd say it more depends on your environment (and what permissions the Service Account needs within it), and your security policies.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • I'm not sure what the question is here. You're asking if something should happen. I think your question is must this happen, not should. This is a service account like others. Since 2008 R2, this is set as a virtual account. This can be changed, but as with any account, the permissions are minimized to ensure security.

    I'm not sure what you mean about this not running as a SQL Server service account. This is a SQL Server service account. "not preferred to run using SQL Service accounts" doesn't make sense.

  • Thom A - Monday, November 27, 2017 10:15 AM

    I'm not really sure what you're asking here. It seems (to me) that you're implying that you've been told that the Full Text Search should only run under the local service account [NT Service\MSSQLFDLauncher]; this isn't the case. Just like any other service, you can run it under any credential you like, including a different local account, or a Domain account. MS Docs even has a guide on how to change it: https://docs.microsoft.com/en-us/sql/relational-databases/search/set-the-service-account-for-the-full-text-filter-daemon-launcher (there's no recommendation on that page to state it's a "bad" idea).

    I'd say it more depends on your environment (and what permissions the Service Account needs within it), and your security policies.

    Do you know if there is any best practice tagged that why Full Text search engine should run with Local Service account.

    Thanks.

  • Steve Jones - SSC Editor - Monday, November 27, 2017 10:15 AM

    I'm not sure what the question is here. You're asking if something should happen. I think your question is must this happen, not should. This is a service account like others. Since 2008 R2, this is set as a virtual account. This can be changed, but as with any account, the permissions are minimized to ensure security.

    I'm not sure what you mean about this not running as a SQL Server service account. This is a SQL Server service account. "not preferred to run using SQL Service accounts" doesn't make sense.

    I was asking more in terms like best practice. Do we need to prefer running that under local service account say (NT Service\MSSQLFDLauncher) or is it recommended to run under a specific "SQL Service Account"? Also when you say that you are not sure about the question. Are you saying that the question has any grammatical jargon?

    Thanks.

  • SQL-DBA-01 - Monday, November 27, 2017 10:27 AM

    Do you know if there is any best practice tagged that why Full Text search engine should run with Local Service account.

    Attack surface. The FS service shouldn't need to access network resources, so no need to not have a local account.

  • SQL-DBA-01 - Monday, November 27, 2017 10:34 AM

    I was asking more in terms like best practice. Do we need to prefer running that under local service account say (NT Service\MSSQLFDLauncher) or is it recommended to run under a specific "SQL Service Account"? Also when you say that you are not sure about the question. Are you saying that the question has any grammatical jargon?

    Yes, your phrasing / grammar doesn't make sense. "restriction like why" doesn't make sense. If you want to know about a BP, then you should ask if there is a BP related to the service account.
    "and not preferred to run using SQL Service accounts?" also doesn't quite make sense. You should ask if there is a reason a user wouldn't prefer to run with an account, but specify what you mean by SQL Service account. There's no such thing as SQL Service account. There are SQL Server service accounts, or really database engine service accounts.

  • Steve Jones - SSC Editor - Monday, November 27, 2017 11:12 AM

    SQL-DBA-01 - Monday, November 27, 2017 10:34 AM

    I was asking more in terms like best practice. Do we need to prefer running that under local service account say (NT Service\MSSQLFDLauncher) or is it recommended to run under a specific "SQL Service Account"? Also when you say that you are not sure about the question. Are you saying that the question has any grammatical jargon?

    Yes, your phrasing / grammar doesn't make sense. "restriction like why" doesn't make sense. If you want to know about a BP, then you should ask if there is a BP related to the service account.
    "and not preferred to run using SQL Service accounts?" also doesn't quite make sense. You should ask if there is a reason a user wouldn't prefer to run with an account, but specify what you mean by SQL Service account. There's no such thing as SQL Service account. There are SQL Server service accounts, or really database engine service accounts.

    Ok..now as you know my question, are you aware if there is any best practices mentioned by Microsoft to run the FT engine service using the SQL Server Service account or does it need to leave running with local service account say NT Service\MSSQLFDLauncher

    Thanks.

  • SQL-DBA-01 - Monday, November 27, 2017 12:27 PM

    Ok..now as you know my question, are you aware if there is any best practices mentioned by Microsoft to run the FT engine service using the SQL Server Service account or does it need to leave running with local service account say NT Service\MSSQLFDLauncher

    Steve basically covered this off earlier:

    Steve Jones - SSC Editor - Monday, November 27, 2017 11:02 AM

    Attack surface. The FS service shouldn't need to access network resources, so no need to not have a local account.

    Unless, for some reason, the FS Service account needs access to a network resource (I can't think of one off the top of my head (that isn't me saying there isn't)), then why not leave it as a local account? There's no good reason to change it.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
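
An added example, not part of the thread and not written by any of the posters: a PowerShell audit that lists each Full-Text Filter Daemon Launcher service on a host and flags any that log on with a domain identity, which is the attack-surface point made above. The function names, the `INST2` instance and the `CONTOSO\svc-sqlfts` account are constructed for illustration.

```powershell
# Added example. Launcher services are named MSSQLFDLauncher (default instance)
# or MSSQLFDLauncher$<InstanceName> (named instance).

function Get-AccountKind {
    param([Parameter(Mandatory)][string]$StartName)

    $builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
               'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

    if ($StartName -like 'NT Service\*') { return 'Virtual' }    # per-service virtual account
    if ($builtIn -contains $StartName)   { return 'BuiltIn' }
    if ($StartName -like '.\*' -or
        $StartName -like "$env:COMPUTERNAME\*") { return 'LocalUser' }
    return 'Domain'   # DOMAIN\user, user@domain, or a managed service account
}

function Test-FdLauncherAccount {
    param([Parameter(Mandatory)][object[]]$Services)

    foreach ($svc in $Services) {
        $kind = Get-AccountKind -StartName $svc.StartName
        [pscustomobject]@{
            Service = $svc.Name
            Account = $svc.StartName
            Kind    = $kind
            # A domain identity gives the launcher credentials that are valid
            # on other machines; ask what network resource it actually needs.
            Review  = ($kind -eq 'Domain')
        }
    }
}

# Query the local machine; StartName is the service logon account.
$services = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name LIKE 'MSSQLFDLauncher%'" -ErrorAction SilentlyContinue

if (-not $services) {
    # Constructed sample rows, used only when no launcher service is installed.
    $services = @(
        [pscustomobject]@{ Name = 'MSSQLFDLauncher';       StartName = 'NT Service\MSSQLFDLauncher' }
        [pscustomobject]@{ Name = 'MSSQLFDLauncher$INST2'; StartName = 'CONTOSO\svc-sqlfts' }
    )
}

Test-FdLauncherAccount -Services $services | Format-Table -AutoSize
```

With the constructed rows, the default-instance service is reported as `Virtual` with `Review` false, and the `INST2` service as `Domain` with `Review` true.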
