December 14, 2010 at 12:45 pm
Getting ready for a major upgrade to R2 from SQL2k5 in 2011 and want to do things right. The best practices recommendations I'm reading say to have a separate service account for each service (SSIS, SSRS, Engine etc) with no reuse across servers. Even in a small to medium size environment, that quickly generates a lot of accounts and passwords to keep track of. Even using a standard convention for names and passwords it seems impractical.
So the conversation I would like to start is, has anyone implemented this in a manageable way?
Under the assumption that the service accounts aren't Windows Admins, have strong passwords and are only used for running their respective services, is creating a set of service accounts for each service and using them across multiple SQL Servers that poor of a practice?
All wit and wisdom is welcome.
David
December 14, 2010 at 1:00 pm
We use a different service account for each of the main services in the different environments. We also reuse the service account from one prod server to the next. Passwords are very complex and very long.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
December 14, 2010 at 1:04 pm
If you use the same service account on multiple servers, it is a security hole, because anyone who is sysadmin on one of the servers can gain sysadmin access to any of the other servers that are using the same service account.
Also, it becomes impossible to ever change the service account password, because as soon as you do it will take down all the servers due to login failures.
We have 300+ SQL Servers and we have a different service account for each server, and have separate accounts for each instance of reporting services. We generate random long passwords for each account and store them with a password safe program. You only really need them when you are setting up SQL Server or maybe once in a while to debug a problem.
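An added example, not part of the original posts: one way to audit an environment for the reuse discussed in this thread. It takes a (server, service, account) inventory, here constructed sample data with hypothetical server and account names, and lists each domain account that runs services on more than one server, which is both the set of servers exposed together and the set a password change has to cover at once.

```python
from collections import defaultdict

# Built-in and virtual identities exist separately on every machine, so seeing the
# same name on two servers is not a shared credential. (Assumption of this example:
# these prefixes, plus ".\" local accounts, cover the per-machine cases.)
PER_MACHINE = ("localsystem", "nt authority\\", "nt service\\", ".\\")

def shared_accounts(inventory):
    """Return {account: {server: [services]}} for accounts used on 2+ servers."""
    usage = defaultdict(lambda: defaultdict(list))
    for server, service, account in inventory:
        key = account.strip().lower()      # Windows account names are case-insensitive
        if key.startswith(PER_MACHINE):
            continue
        usage[key][server.strip().lower()].append(service)
    return {acct: {srv: sorted(svcs) for srv, svcs in servers.items()}
            for acct, servers in usage.items() if len(servers) > 1}

def report(inventory):
    """One row per shared account: (account, servers exposed together, services to update)."""
    rows = []
    for acct, servers in sorted(shared_accounts(inventory).items()):
        rows.append((acct, sorted(servers), sum(len(s) for s in servers.values())))
    return rows

# Constructed sample inventory (hypothetical names). In practice this would be
# exported from each server's service configuration.
INVENTORY = [
    ("PROD-SQL01", "MSSQLSERVER",    "CORP\\svc_sql_prod"),
    ("PROD-SQL01", "SQLSERVERAGENT", "CORP\\svc_agent_sql01"),
    ("PROD-SQL02", "MSSQLSERVER",    "corp\\SVC_SQL_PROD"),   # same account, other casing
    ("PROD-SQL02", "ReportServer",   "CORP\\svc_ssrs_sql02"),
    ("PROD-SQL03", "MSSQLSERVER",    "CORP\\svc_sql_prod"),
    ("PROD-SQL03", "MsDtsServer100", "NT AUTHORITY\\NetworkService"),
    ("DEV-SQL01",  "MSSQLSERVER",    "NT AUTHORITY\\NetworkService"),
]

if __name__ == "__main__":
    for acct, servers, n_services in report(INVENTORY):
        print(f"{acct}: shared by {len(servers)} servers {servers}; "
              f"a password change must update {n_services} services together")
```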