Proper Domain Accounts Needed for a "Proper" Install Of SQL Server

  • Can anyone provide a list of ALL of the domain accounts they would have set up to do a "proper" or "best practices" install of all SQL Server services? Maybe this is a topic for a nice article by someone...

    Thanks,

    Jared

    Jared
    CE - Microsoft

  • jared-709193 (11/3/2011)


    Can anyone provide a list of ALL of the domain accounts they would have set up to do a "proper" or "best practices" install of all SQL Server services? Maybe this is a topic for a nice article by someone...

    Thanks,

    Jared

    Not sure where you are going with this... you need a domain service account for the SQL Server service and one for the Agent. If there are other services running like SSIS or Reporting Services, you should have a domain account for those too.

  • http://msdn.microsoft.com/en-us/library/ms143504.aspx

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • NJ-DBA (11/3/2011)


    jared-709193 (11/3/2011)


    Can anyone provide a list of ALL of the domain accounts they would have set up to do a "proper" or "best practices" install of all SQL Server services? Maybe this is a topic for a nice article by someone...

    Thanks,

    Jared

    Not sure where you are going with this... you need a domain service account for the SQL Server service and one for the Agent. If there are other services running like SSIS or Reporting Services, you should have a domain account for those too.

    I guess I am asking how many domain accounts would "someone" create and assign to which services? For example, default SQL Server service runs under the Local System account. Why change it? What would you change it to? Would you use the domain account that you created for this for other services? Why or why not?

    There are 9 services in the article Gail mentioned above. Why would someone use the defaults assigned during installation versus using 9 separate domain user accounts (domain\SQLAgent or domain\FTSearch)?

    This is really a theoretical question to gain insight into how best to set up these services for maximum benefit/security.

    Thanks,

    Jared

    Jared
    CE - Microsoft

  • The LocalSystem account is the most highly privileged account on the server. It has permissions even beyond what is assigned to the local Administrators group.

    I like the term "principle of least privilege": basically, assign the least amount of permissions needed. This is a security best practice. Basically, don't give more than is needed and you narrow the opportunity for exploitation. Lucky for us, SQL Server will grant the minimum required privileges to a domain account during installation. The best way to do it is to use a different domain account for each service on each server.

  • For most systems, I will set up a single domain account per SQL Server instance and run all services under that account.

    Only on systems where there is a requirement to make sure the other services are separated will I create additional accounts.

    With SQL Server 2008 and Windows Server 2008, they changed the security model and you can now use Service SIDs. This tightens up the security even more and allows you to use the same service account for multiple services; the service account only has privileges through that service, unless you specifically add the service account as a login and grant specific rights to that login/user.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs

  • Jeffrey Williams 3188 (11/3/2011)


    For most systems, I will set up a single domain account per SQL Server instance and run all services under that account.

    Only on systems where there is a requirement to make sure the other services are separated will I create additional accounts.

    With SQL Server 2008 and Windows Server 2008, they changed the security model and you can now use Service SIDs. This tightens up the security even more and allows you to use the same service account for multiple services; the service account only has privileges through that service, unless you specifically add the service account as a login and grant specific rights to that login/user.

    While I'll admit to sometimes configuring servers with a single domain acct running various services, I do so knowing it's not the best practice. The most secure way, and the best practice, is to use a different account for each service.

    MS says "Microsoft recommends that you configure service accounts individually to provide least privileges for each service, where SQL Server services are granted the minimum permissions they need to complete their tasks." here: http://technet.microsoft.com/en-us/library/cc281953.aspx (is this the same link Gail posted? ... we should have just stopped there because we all know she is always right ;) ...

    That said, I have plenty of servers running with only one account, and some with the local system account, simply because I know that the real risk is very small... for example, the SQL Server is exposed to only a small network subnet.... but if we are discussing what's "the most secure", the answer is separate accounts with minimal privs.
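A defender-side check for what this thread recommends, added here as an example and not code from any of the posters: it lists the SQL Server services on the local host, the account each one runs under, and the per-service SID type discussed above, then warns on anything running as LocalSystem and on one account shared across several services. It assumes an elevated PowerShell prompt and that the service-name patterns below match your instance naming.

```powershell
# Added example (not from the thread). Audit SQL Server service accounts on this host.
# Assumptions: elevated prompt; service-name patterns match the installed SQL components.
$patterns = 'MSSQL%', 'SQLAgent%', 'MsDtsServer%', 'ReportServer%',
            'MSSQLFDLauncher%', 'SQLBrowser', 'SQLWriter', 'MSOLAP%'
$filter   = ($patterns | ForEach-Object { "Name LIKE '$_'" }) -join ' OR '
$services = Get-WmiObject -Class Win32_Service -Filter $filter

$report = foreach ($svc in $services) {
    # sc.exe qsidtype reports NONE / UNRESTRICTED / RESTRICTED for the service SID
    # (Windows Server 2008 and later); a line such as "SERVICE_SID_TYPE:  UNRESTRICTED".
    $sidLine = & sc.exe qsidtype $svc.Name | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    $sidType = if ($sidLine) { ($sidLine -split ':')[1].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName   # e.g. LocalSystem, DOMAIN\svc_sqlagent, NT Service\MSSQLSERVER
        State   = $svc.State
        SidType = $sidType
    }
}

# Finding 1: services running under the most privileged local account.
$highPriv = 'LocalSystem', 'NT AUTHORITY\SYSTEM'
foreach ($row in $report) {
    if ($highPriv -contains $row.Account) {
        Write-Warning "$($row.Service) runs as $($row.Account); consider a dedicated domain or virtual account."
    }
}

# Finding 2: one account shared by several services (acceptable only if you rely on
# service SIDs and have not granted the shared account its own login rights).
$report | Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Account {0} is shared by: {1}" -f $_.Name, ($_.Group.Service -join ', '))
}

$report | Sort-Object Account, Service | Format-Table -AutoSize
```

Run it on each SQL host after installation and after any service-account change; the table is the evidence for the "one account per service" discussion, and the two warnings are the deviations worth a ticket.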
