May 15, 2017 at 5:02 am
Dear MVPs
I hope you guys are doing great
I am installing a new instance of SQL Server 2012 standard edition and came to the service accounts page
It is recommended to use a different user account for each of the following services:
SQL Server Agent
Database Engine
Reporting Server
We have one dedicated SQL Server domain account which we use in the office for all accounts so MS recommends different accounts and i need to run Admin agent jobs so the Agent will use the Domain account but the engine and reporting shall i use a local account?
Remind me what is the engine primarily used for besides data processing, etc and The reporting server is mainly used for well generating reports
So shall i use different domain accounts for each server or create local accounts and assign privs?
KY
May 15, 2017 at 5:11 am
hurricaneDBA - Monday, May 15, 2017 5:02 AMSo shall i use different domain accounts for each server or create local accounts and assign privs?
A different domain account for each service. If you use local accounts, you can't manage them centrally, and services won't have access to resources on other computers (for example to back up databases across the network). And if you use the same account for all services, then each permission you assign will apply to all services that use that account, which will violate the principle of least privilege (that is to say, only assign the privileges that a particular service needs).
John
May 15, 2017 at 5:21 am
Hi John
How are you?
So when i use a different domain account for each server i am guessing the highest privileges goes to the Agent then Engine then Reporting but which privs do we need to get to each domain account? In the MS document it mentions 4 privs for all accounts:
Log on as a service (SeServiceLogonRight)
Replace a process-level token (SeAssignPrimaryTokenPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege
So i just make 3 different domain accounts and assign the same privs?
Isnt that not practical?
Do let me know which privs go to which account for 'Basic functioning' for each account
thanks
Kal
May 15, 2017 at 5:36 am
No, don't assign the same privileges. That defeats the object of having separate accounts. Chances are, you don't need to assign anything manually: if you use SQL Server Configuration Manager to change the service account, then the basic privileges are assigned automatically. You only need to add them manually if you want to access additional resources. For example, SQL Server Agent might need to run an SSIS package located on a separate drive, or you might want to back up databases to a file server, or maybe you want to enable Instant File Initialization.
John
May 15, 2017 at 8:25 am
Ok but we still use a domain account (non-administrative) right?
May 15, 2017 at 8:30 am
Yes.
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply