October 7, 2008 at 11:37 am
Dear all
My SQL Server is started by the System account of Windows.
Now I want to change to a Windows user account with minimum privileges to start the MSSQL service, in order to get more security.
So what are the minimum user rights for this user?
Thanks
October 8, 2008 at 2:18 pm
I know in newer versions (SQL 2008 for example), it'll assign minimum rights to whatever account you use for the Server (or Service), but I think the LOCAL SYSTEM account would work fine as the account in Configuration Manager.
Not sure about SQL 7.0/2000.
November 2, 2008 at 2:00 am
I'm using SQL2000; version 2000 is still popular.
I don't want to use LOCAL SYSTEM because it's said that it's not very secure; LOCAL SYSTEM has the rights of an Administrator of Windows.
November 2, 2008 at 7:32 am
Create a domain or local user, assign no rights. By default, they should have very few rights on the domain. Meaning EVERYONE shouldn't be assigned any rights.
You can restrict this account to only logging onto the computer running the SQL Services. Then use EM to assign this account as the service account. It will give the minimum rights needed.
November 10, 2008 at 2:31 am
Steve Jones - Editor (11/2/2008)
You can restrict this account to only logging onto the computer running the SQL Services. Then use EM to assign this account as the service account. It will give the minimum rights needed.
Could you please show me in detail how to restrict this account to only logging onto the computer running the SQL Services?
Thanks
November 10, 2008 at 3:21 am
Use some trace options in SQL Server Service. For info, see SQL BOL.
November 10, 2008 at 3:25 am
Kishore.P (11/10/2008)
use some trace options in SQL Server Service. For info. see SQL BOL.
Could you please explain SQL BOL to me?
Thank you
November 10, 2008 at 5:19 am
SQL Server 2000 really needs to run using an account with local admin rights in Windows. Although there is a theoretical possibility of running it with fewer rights, there is a very long list of functions that do not work if you do this. Although some of the restrictions are given in Books Online (BOL), I have discovered other restrictions in KB articles and blogs, and do not know of any consolidated list.
For SQL Server 2005 and above, there is no need to run SQL Server using an account with local admin rights. All functionality (apart from 1 minor item in SQL Agent) works OK without local admin rights.
If your security people are concerned about the use of local admin rights by SQL Server 2000, use this concern to push for an upgrade to SQL Server 2008.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
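An added example, not part of any post in this thread: a PowerShell audit that lists the account each SQL Server service runs as and flags Local System or direct members of the local Administrators group. It assumes Windows PowerShell 5.1 or later and the standard service names (MSSQLSERVER, MSSQL$<instance>, SQLSERVERAGENT, SQLAgent$<instance>); the function name Get-ServiceAccountRisk is hypothetical.

```powershell
# Added example: report the logon account of each SQL Server service and
# flag the two cases discussed in the thread (Local System, local admin).
function Get-ServiceAccountRisk {
    param(
        [string]   $StartName,          # Win32_Service.StartName value
        [string[]] $LocalAdmins = @()   # direct members of local Administrators
    )
    if ([string]::IsNullOrEmpty($StartName)) {
        return 'UNKNOWN: no logon account reported'
    }
    # Services store local accounts as ".\user"; group members are listed
    # as "COMPUTER\user", so normalise before comparing.
    $prefix  = '{0}\' -f $env:COMPUTERNAME
    $account = $StartName -replace '^\.\\', $prefix
    if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        return 'HIGH: runs as Local System'
    }
    # -contains is case-insensitive, which matches Windows account names.
    if ($LocalAdmins -contains $account) {
        return 'HIGH: account is a direct member of local Administrators'
    }
    # Limitation: membership through a nested group is not resolved here.
    return 'OK: not Local System and not a direct local administrator'
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group;
# using the SID avoids problems with localised group names.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)

# Default instance, named instances, and the matching SQL Agent services.
$filter = 'Name = ''MSSQLSERVER'' OR Name LIKE ''MSSQL$%'' OR ' +
          'Name = ''SQLSERVERAGENT'' OR Name LIKE ''SQLAgent$%'''

Get-CimInstance -ClassName Win32_Service -Filter $filter | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        State   = $_.State
        Risk    = Get-ServiceAccountRisk -StartName $_.StartName -LocalAdmins $admins
    }
}
```

Run it from an elevated prompt on the database server; an account that is an administrator only through a nested group still needs a manual check.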
November 11, 2008 at 2:07 pm
Try this article
and scroll to the bottom of this for some more details of what the account really needs
http://www.windowsecurity.com/articles/Hacking_an_SQL_Server.html
Using Regmon and Filemon, you can troubleshoot access/bootup problems, and restrict this down even further by starting from scratch with just a plain domain user. As you can see from the second article, there isn't a large list.
Greg E
November 16, 2008 at 8:05 am
According to the info, is it as follows?
- Create a normal Windows user (group Users)
- Set security rights: Read-Write for the relevant folders that the SQL service uses, for example the folder that contains the data files and the folder that contains files that DTS interacts with
Is that enough?