December 9, 2002 at 12:41 pm
If you are not using a system account, what is the best practice to configure a domain account. I was thinking you would just configure a domain user account that has local admin priviledges; Is this correct?
December 9, 2002 at 1:00 pm
That is how our SQL Server Server account is set up, although it is my understanding that having local admin access is not a requirement to getting it to work. Also having admin writes opens the door a little security wise. I'm not exactly sure what the minimum set of writes is needed. Hopefully someone will tell you.
Gregory Larsen, DBA
If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
December 9, 2002 at 1:00 pm
That is how our SQL Server Server account is set up, although it is my understanding that having local admin access is not a requirement to getting it to work. Also having admin writes opens the door a little security wise. I'm not exactly sure what the minimum set of rights is needed. Hopefully someone will tell you.
Gregory Larsen, DBA
If you looking for SQL Server Examples check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
December 9, 2002 at 1:18 pm
Anyone know what the minimum bare bones rights are if you are scrutinizing security to make SQL Server hum!!
December 9, 2002 at 1:23 pm
Easiest way to set the needed rights is to create a minimum privileged account, then in Enterprise Manager (this is one of those rare times where you actually 'need' to use EM) you choose this account as the SQL Server service account. EM will now set all the necessary rights for this account. MS has some KB about how to set it manually, but I think this method is nice and easy.
--
Chris Hedgate @ Apptus Technologies (http://www.apptus.se)
December 9, 2002 at 1:53 pm
Thanks! Let me know if I can ever be of help to you'll.
December 9, 2002 at 2:37 pm
Here's the BOL info:
The important point here is the local system account doesn't allow you to access any network resources.
Services Accounts
Use the Services Accounts screen in Setup to assign a logon account to each of the two Microsoft® SQL Server™ services, SQL Server and SQL Server Agent. Either the local system or the domain user account is used, and you can use the same account for each service. The default setting is to use the same account for each service, and to automatically start each service. To use the default setting, enter your domain password and click Next.
You can also customize settings for each service. You can enter one logon account for both services, or specify an account for each. To later change options set on the Services Accounts screen, run the Services application in Windows Control Panel.
Important To create or maintain a Microsoft SQL Server™ 2000 failover cluster, you must be logged on to the computer with administrator privileges, that is, be a member of the Administrators local group of the computer or domain. For clustering this means that you must be an administrator of all nodes of the cluster.
When running SQL Server 2000 on Microsoft Windows NT 4.0, in addition to being logged on as an administrator, you must configure both SQL Server and SQL Server Agent to run as administrator accounts.
Options
Use the same account for each service. Auto start SQL Server Service.
The default option: One account is used for both SQL Server and SQL Server Agent. These services start automatically when the operating system starts.
Customize the settings for each service.
Allows you to use different settings for the two services.
Services
Select a service for which you want to customize settings.
SQL Server
Select this option to customize settings for the service, Microsoft SQL Server.
SQL Server Agent
Select this option to customize settings for the service, Microsoft SQL Server Agent.
Service Settings
Select service settings as required.
Use the Local System account
The local system account does not require a password, does not have network access rights in Windows NT 4.0, and may restrict your SQL Server installation from interacting with other servers.
Note In Windows 2000, the local system account does allow network access.
Use a Domain User account
A domain user account uses Windows Authentication to set up and connect to SQL Server. By default, account information appears for the domain user account currently logged on to the computer.
Username
Accept or change the domain username.
Password
Enter the domain password.
Domain
Accept or change the domain name.
Auto Start Service
Select this option to automatically start a service when your operating system starts. This option is available only when customizing the settings for each service.
The SQL Server Agent service is dependent on the SQL Server service in that you can autostart the SQL Server Agent service only if you autostart the SQL Server service as well.
Note When you click Back in the Services Accounts dialog box, the window you return to reverts to the default options. Options specified earlier are not retained.
December 9, 2002 at 2:57 pm
Another important point is the localsystem account has full administrative rights to the system, meaning if a client can compromise a sysadmin account, the client compromises the server.
I used to be of the mindset to save on all the settings you've got to play with to make the service account (at least SQL Server) an administrator on the box. However, the potential for abuse is much, much too high. Books Online has the minimum requirements as well as what is lost should you not use an administrator account.
Besides, if you want to implement things like SSL and EFS, you'll want a domain or local computer user account.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply