April 29, 2011 at 10:04 am
Just moved to a new workplace.
I found that on some of our SQL 2008 servers, we use the SQL Server Agent service account to run most of the SQL Agent jobs.
In SQL Server 2008, the service account is no longer a sysadmin by default (I have verified this in another thread); instead, the service itself is a sysadmin because it is tied to a SID.
So I see our current setup is to manually add the service account under security - login, grant it sysadmin, and use it as the job owner of our SQL jobs. Is it good practice to set it up this way?
Thanks
April 29, 2011 at 11:26 am
I'm not clear on your question.
Are you asking if the service account should be a sysadmin? If so, no, it shouldn't. That allows rights escalation attacks by anyone who can create an agent job.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
April 30, 2011 at 1:25 pm
It needn't be a Sysadmin. It may cause security issues as GSquared mentioned. Just make sure that it's a domain account and it has the necessary OS level privileges.
Thank You,
Best Regards,
SQLBuddy.
April 30, 2011 at 1:39 pm
Thanks all.
In our case, most of the job owners are the SSIS package authors themselves. They are not sysadmins, so the jobs run under their accounts, and once they leave the company, the jobs will be broken. So I set up a proxy account using the SQL Agent service account, and in their jobs they will change it to run under that proxy account.
And the service account itself is not a sysadmin; I just add the permissions those jobs need to the account.
Does this sound right? Thanks
May 1, 2011 at 7:51 am
Granting only the required privileges to the Service account is a good practice.
But making the SSIS package creators the job owners is not a good practice because the jobs fail once the SSIS package creators leave the company. So make sa the job owner instead.
Thank You,
Best Regards,
SQLBuddy
May 2, 2011 at 11:26 pm
Dear SQLBuddy, I also have the same query... But you are saying two contradictory things... Please clarify...
"But making SSIS Package creators as the Job owners is not a good practice because the jobs fail once the SSIS Package creators leave the company. So make the Job owners as Sa instead."
"It needn't be a Sysadmin. It may cause security issues as GSquared mentioned. Just make sure that it's a domain account and it has the necessary OS level privileges."
Thanks
May 3, 2011 at 1:17 am
As far as I know, MS suggests the SQL Server Agent service should run as a member of the sysadmin fixed server role. But I did some testing, and even without sysadmin rights, the agent still works. But I would suggest adding them to the sysadmin role to avoid potential issues.
http://msdn.microsoft.com/en-us/library/ms191543.aspx
However, for security reasons, I would suggest using a SQL Server Agent proxy instead of the SQL Agent service account to run job steps.
http://msdn.microsoft.com/en-us/library/ms189064.aspx
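Added example, not part of any post in this thread: an audit query over the msdb job tables that shows, for every job step, who owns the job, whether that owner is a sysadmin or no longer has an active login, and which security context the step runs under (proxy credential, job owner, or the Agent service account). It assumes the caller can read msdb and the server-level catalog views; the column aliases are illustrative.

```sql
-- Added audit query (not from the thread): job ownership and step execution context.
SELECT
    j.name                    AS job_name,
    j.enabled                 AS job_enabled,
    SUSER_SNAME(j.owner_sid)  AS owner_login,
    o.is_sa                   AS owner_is_sysadmin,   -- 1, 0, or NULL if the login is not valid
    CASE
        WHEN sp.principal_id IS NULL THEN 'no login row (removed, or access via a group only)'
        WHEN sp.is_disabled = 1      THEN 'login disabled'
        ELSE 'login active'
    END                       AS owner_status,
    s.step_id,
    s.step_name,
    s.subsystem,                                      -- TSQL, SSIS, CmdExec, ...
    p.name                    AS proxy_name,
    c.credential_identity     AS proxy_windows_identity,
    CASE
        -- A proxy, when set, supplies the Windows identity for the step.
        WHEN s.proxy_id IS NOT NULL
            THEN 'proxy credential'
        -- T-SQL steps of a sysadmin-owned job run as the Agent service login.
        WHEN s.subsystem = 'TSQL' AND o.is_sa = 1
            THEN 'Agent service account (unless the step sets a database user)'
        -- T-SQL steps of other owners run impersonating the owner.
        WHEN s.subsystem = 'TSQL'
            THEN 'job owner'
        -- Non-T-SQL steps without a proxy are allowed only for sysadmin owners.
        WHEN o.is_sa = 1
            THEN 'Agent service account'
        ELSE 'step cannot run: non-sysadmin owner and no proxy'
    END                       AS runs_as
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
LEFT JOIN sys.server_principals AS sp
    ON sp.sid = j.owner_sid
LEFT JOIN msdb.dbo.sysproxies AS p
    ON p.proxy_id = s.proxy_id
LEFT JOIN sys.credentials AS c
    ON c.credential_id = p.credential_id
CROSS APPLY (SELECT IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) AS is_sa) AS o
ORDER BY owner_is_sysadmin DESC, job_name, s.step_id;
```

Rows with `runs_as = 'Agent service account'` are the ones whose privileges grow if the service account is added to sysadmin, and rows with an `owner_status` other than `login active` are the jobs at risk of breaking when an author leaves.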