January 11, 2005 at 3:10 am
Can anybody advise me what is the best type of account to run my SQL services as?
I have read from Microsoft to use a restricted domain account and never to use a local system account but have also read on the web that if no network access is required to use a local system account.
I intend to use a restricted domain account and to deny login locally to the SQL Server box. I have a number of DTS packages that write their output to reports on the C: of the SQL Server box and currently only have one report that attempts to write to the network. If I go domain account I could change the report directories to write to the network. We currently use Backup Exec to back up our databases so don't currently need network access.
Regards
Carl
January 11, 2005 at 5:23 am
Domain account is the way to go. This way you don't have to worry about "@W*&#*$&*#Y my server just crashed NOW I have to recreate everything on my NEW server, then add SQL then add users.. THEN etc....."
Plus it gives your network security folks something to do...
Good Hunting!
AJ Ahrens
webmaster@kritter.net
January 11, 2005 at 8:37 am
Using a domain account also allows you to use the debugger function of SQL QA. This is definitely not to be sniffed at!
We have a specific domain login for each SQL Server and this allows us to have tight control over a specific Exchange mailbox for each server so we can use e-mail alerts.
January 11, 2005 at 12:50 pm
If you can, you always avoid accounts with full administrative rights. The local System account has that and more. Hence the reason it's generally advised against.
As far as that goes, if the account has no reason to access the network and (as David pointed out) you have no need to use the debugger function (most production environments would consider this a no-no), the most secure option is a local account on the server, just not the local System account. Reason being a local account has no network rights. If someone compromises the SQL Server they can't jump from it to somewhere else (such as through xp_cmdshell).
A lot of security setups for file servers and the like allow Domain\Users or Domain\Authenticated Users or even Everyone (but it still requires a validatable account). If you use a domain account for SQL Server or Agent, those resources now become accessible. If you use a local account, they are not.
K. Brian Kelley
@kbriankelley
January 12, 2005 at 3:18 am
Brian
Thanks for the information about the local system account permissions. I can see why Microsoft advise against using this account now. The only other question I have got is:
Is it possible to set up the service account as a local account? When installing SQL it asks whether you want to set the service accounts as
Local System account
or
Domain Account
If you run as a domain account and deny login locally to the domain account and revoke access to execute the xp_cmdshell stored procedure to this account isn't that the best way to go?
Carl
January 12, 2005 at 3:45 am
You can specify a local account by \.
Since the service account will be a sysadmin role member, it will disregard any permissions you might set or revoke on the xp_cmdshell stored procedure. If you choose to remove this extended stored procedure, a knowledgeable attacker will simply put the reference back.
As for denying logon locally, you are doing quite a bit to protect the local box. However, the reason for going with a local account and not a domain account is that you ensure an attacker can't hop as easily from the SQL Server to another system. For instance, imagine you had a time-entry system which every user had access to. If security is set to say, Domain\Users, then the service account (as a domain account) now has access.
Now, there are times when you need a domain account. Things like SQLMail come to mind. So I'm not recommending a local account in all cases. Certainly with clusters a domain account is required. However, if you have the time to carefully consider the type of account, you might find that a local account works best.
K. Brian Kelley
@kbriankelley
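An added example (not part of any post in this thread): a PowerShell audit that lists the SQL Server and SQL Server Agent services on the local machine and classifies the account each one runs as, following the local-versus-domain distinction discussed above. It assumes the standard service names (MSSQLSERVER, SQLSERVERAGENT, MSSQL$instance, SQLAgent$instance); the function name, scope labels and sample account names are illustrative.

```powershell
# Added example: classify the account each SQL Server service runs as.
function Get-ServiceAccountScope {
    param(
        [string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    # The local System account (reported by Win32_Service as "LocalSystem")
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { return 'LocalSystem' }
    # Other built-in service identities
    if ($StartName -match '^NT (AUTHORITY|SERVICE)\\') { return 'BuiltInService' }
    # ".\name" or "<this computer>\name" is an account local to the server
    $localPrefix = '^(\.|' + [regex]::Escape($ComputerName) + ')\\'
    if ($StartName -match $localPrefix) { return 'LocalAccount' }
    # Anything else of the form DOMAIN\name or name@domain is a domain account
    if ($StartName -match '[\\@]') { return 'DomainAccount' }
    return 'Unknown'
}

# Notes paraphrase the points made in the thread
$notes = @{
    LocalSystem    = 'Full administrative rights on the box and more'
    BuiltInService = 'Built-in identity, not discussed in the thread'
    LocalAccount   = 'No network rights; cannot hop to other systems'
    DomainAccount  = 'Reaches anything open to Domain\Users or Authenticated Users'
    Unknown        = 'Could not classify; check by hand'
}

# Default and named instances of the engine and the Agent (WQL filter)
$filter = 'Name = ''MSSQLSERVER'' OR Name LIKE ''MSSQL$%'' OR ' +
          'Name = ''SQLSERVERAGENT'' OR Name LIKE ''SQLAgent$%'''

Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    $scope = Get-ServiceAccountScope -StartName $_.StartName
    [pscustomobject]@{
        Service = $_.Name
        State   = $_.State
        RunsAs  = $_.StartName
        Scope   = $scope
        Note    = $notes[$scope]
    }
} | Format-Table -AutoSize -Wrap

# Constructed sample account names, to show the classification without SQL installed
'LocalSystem', '.\sqlsvc', 'CORP\sqlsvc' | ForEach-Object {
    '{0,-12} -> {1}' -f $_, (Get-ServiceAccountScope -StartName $_)
}
```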
January 12, 2005 at 3:57 am
Brian,
Thanks again for your advice.
So if you don't necessarily need network access for backups or outputting of reports to File Servers the best way is a local account.
If I use a domain account I will need to give it sysadmin rights on the SQL Server to run the Services? That way it will have similar access to a local system account won't it?
I'd like the ability to write to the network for backups/reporting but not particularly at the expense of Security.
Local account limits your ability but tightens security.