LocalSystem VS Local account in Administrators Group

  • Would someone be so kind as to help me out with what are the pros and cons of running the SQL Server Service accounts under LocalSystem verse a Local account that is in the Administrators group.  Is one more secure then the other?

    Gregory A. Larsen, MVP

  • You can do a local account not in the admin group. Localsystem may not be able to do everything you need, but it's a smaller attack vector from what I know.

    Pinged Brian Kelley as this is more in his area.

  • I'm not real sure about the different security issues involved, but one issue that I had that forced me into using a domain user account was the ability to send e-mails from sql agent. In order to be able to send e-mails from SQL, MS Exchange requires a domain user account. The account which SQL starts up as, is the account the system uses to send e-mail. Therefore a local system account would not work. Nor would a local user account. For some places, this is acceptable, but my shop relies heavily on the abilty of scheduled jobs to e-mail failure status' to people.

  • Peter ,

    W.r.t. your post above - does it mean that I will not be able to configure SQL Mail/Notifications to run from a Local Administrator account on my laptop ? ie. I need to be logged into the company LAN with a domain account

    ~Rohit

  • Local SYSTEM is best thought of as Administrators + more. It can do everything an administrator can do... except access HKEY_USERS. It can access HKLM\Security, something Administrators cannot do. Also, some updates in AD are allowed for the local SYSTEM account which aren't allowed for a local administrator. This is why SQL Server 2K has the AD Helper Service configured to run as the SYSTEM account (because typically the SQL Server service account is set to a local or domain account). Based on all that, you can probably make the argument a local account that's a member of the administrators group is more secure.

    Now for the counter argument. You can never get network access with the SYSTEM account except in specially controller situations (AD update above) or cases where anonymous gets in. You can with a local account if the username/passwords match. Likewise, a local account has a password. That means a password to manage and an account an attacker can use to log on to the system with. The local SYSTEM account doesn't require you to manage a password. This is managed by the OS and I believe it's reset every 7 days or so. These were some of the considerations that led Microsoft to configuring Exchange Server 2000 to run as the local SYSTEM account out of the box. Given Microsoft's position, the local SYSTEM account is the way to go.

    Exchange Services Run Under LocalSystem (239762)

    Clear as mud?

    Out of curiousity, do you have the option of setting a local account that's not an administrator?

    K. Brian Kelley
    @kbriankelley

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply