December 11, 2019 at 12:55 pm
Hi All
I was asked to change the SQL service account name. I asked for a reason, and I was told this is for security reasons. As far as I know, the default service account is a virtual user found in NT Service (for default instances it is NT Service\MSSQLSERVER), which has access only to the resources needed by the SQL Server (e.g. the directories of the executable files, data and log), and no one can log in using this virtual user or impersonate it. So is there a good reason to change the service account, and if there is, what is it?
December 11, 2019 at 1:04 pm
Were you asked to change just the name of the service account, or to change the account the service runs under entirely (perhaps to use a domain account)?
December 11, 2019 at 1:32 pm
I was asked to use a domain account.
December 11, 2019 at 2:05 pm
One very good reason to use a domain account instead of the default account is to get access to network resources so that you can, for example, back up your databases to a file share instead of to a folder on the same server.
John
December 11, 2019 at 2:08 pm
I was asked to use a domain account.
Yes, use a domain account; you will have more control.
Muthukkumaran Kaliyamoorthy
https://www.sqlserverblogforum.com/
December 12, 2019 at 6:17 am
Thank you for the answers. I didn't think about backing up the DBs to a share on the network, and it can be a good reason, but I suspect the manager who asked me to change the service account did not think about it either, since he said this is a security policy, and the DB is backed up to a local directory in this instance. So, does anyone know any security-related reason to change the service account?
(I did change it as I was requested, I just want to know if I'm missing something here)
December 12, 2019 at 7:42 am
Note that the domain account in this case should be a GMSA/MSA account - not a normal user account.
If this is not the type of account you created/used, I would go back to them and confirm this aspect - a normal user account is insecure, while a GMSA/MSA is fully managed by AD and can't be used interactively.
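As an added example (not part of the thread or written by any of its posters), here is a PowerShell check that lists the account each SQL Server service runs under, classifies it the way the posts above distinguish them (virtual account, built-in, gMSA/MSA, ordinary user), and for a managed account confirms that this host can actually retrieve its password. It assumes it is run as an administrator on the SQL host and that the RSAT ActiveDirectory module is available for the Test-ADServiceAccount step.

```powershell
# Added example: audit which kind of account the SQL Server services use.
# Assumes: run elevated on the SQL host; ActiveDirectory module present for the gMSA check.

function Get-SqlServiceAccountKind {
    param([Parameter(Mandatory)][string]$StartName)
    switch -Regex ($StartName) {
        '^LocalSystem$|^NT AUTHORITY\\' { return 'builtin' }
        '^NT Service\\'                 { return 'virtual-account' }
        '\$$'                           { return 'managed-service-account' }  # (g)MSA names end in $
        default                         { return 'regular-user' }
    }
}

# Database engine (MSSQLSERVER or MSSQL$<instance>) and SQL Agent services.
$services = Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%'"

foreach ($svc in $services) {
    $kind = Get-SqlServiceAccountKind -StartName $svc.StartName
    $line = "{0,-25} {1,-35} {2}" -f $svc.Name, $svc.StartName, $kind
    switch ($kind) {
        'regular-user' {
            # An ordinary domain user has a password a person can know, reuse or
            # leave unrotated, which is the concern raised in the post above.
            Write-Warning "$line  <- ordinary user account; a gMSA/MSA is preferable"
        }
        'managed-service-account' {
            Write-Output $line
            if (Get-Module -ListAvailable -Name ActiveDirectory) {
                # Test-ADServiceAccount takes the account name without DOMAIN\ or trailing $.
                $sam = (($svc.StartName -split '\\')[-1]).TrimEnd('$')
                if (Test-ADServiceAccount -Identity $sam) {
                    Write-Output "    $sam is installed here and its managed password is retrievable"
                } else {
                    Write-Warning "    $sam is not installed on this host (Install-ADServiceAccount) or the host is not allowed to retrieve its password"
                }
            }
        }
        default { Write-Output $line }
    }
}
```

A service listed as `regular-user` is the case the post above says to go back and confirm; `virtual-account` is the default described in the opening post.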