service accounts - domain vs. local

  • Hello,

    I run SQL Server 2005 instances under local service accounts for the Server, Agent, and Browser services in order to follow the least-privilege account practice. I have had no problem so far. However, Best Practice Analyzer says "we recommend using domain service accounts". What conditions would require using domain accounts instead of local ones?

    Thank you.

  • A domain account would allow SQL Server to connect to resources on other machines. For example it could write files to a network share or connect to SQL Server on another machine.

  • DNA, thank you for your reply.

    SQL Server as an application will be used for two purposes: 1) to serve management and monitoring systems like HP SIM, Dell OpenManage, MOM etc.; 2) to serve developers for their web apps. The systems that use SQL Server to store their data reside on other machines. However, neither sharing resources nor connecting to other SQL Servers will be used.

    Considering this environment, what service accounts - local or domain - would you recommend to use for Server, Agent and Browser services?

    Thank you.

    When you can use Windows authentication, do that. However, applications using the database are mostly not on the same domain, so that requires using SQL Server authentication. That means you'll end up with Mixed Mode. I think for most of the databases this is the case.

    Ronald Hensbergen
    Help us, help yourself... Post data so we can read and use it: http://www.sqlservercentral.com/articles/Best+Practices/61537/
    2+2=5 for significant large values of 2

  • R.Hensbergen, thank you for your reply.

    First, all the applications will be on the same domain as the system where SQL Server is. So only Windows Authentication will be used.

    Second, by "local accounts", I mean the accounts local to the Windows machine, but NOT internal SQL Server accounts for SQL Server Authentication.

    So the question is about comparing using domain accounts and local OS accounts as service accounts.

    Thank you.

  • I think using the local service account would probably work if the SQL Server services do not have to interact with anything outside of that server.

    As soon as the service account has to interact with another server, then you're likely going to run into security problems.

    Alvin Ramard
    Memphis PASS Chapter

    All my SSC forum answers come with a money back guarantee. If you didn't like the answer then I'll gladly refund what you paid for it.

    For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help

  • VEB (1/29/2009)

    R.Hensbergen, thank you for your reply.

    First, all the applications will be on the same domain as the system where SQL Server is. So only Windows Authentication will be used.

    Second, by "local accounts", I mean the accounts local to the Windows machine, but NOT internal SQL Server accounts for SQL Server Authentication.

    So the question is about comparing using domain accounts and local OS accounts as service accounts.

    Thank you.

    I, personally, always use domain accounts, especially for the agent services, because you never know what tasks will be asked of you in the future. Depending on your business, you may not have large windows of "maintenance" time (or appropriate time - 2 AM on Sunday is NOT appropriate to me!:P) to stop and restart services because you need to change the account. In addition, I always leave mine in mixed mode so that I can log in with the local sa account. For end users, it's always Windows authentication from the applications, but for me, I simply feel safer knowing I can get in either way. It's another of those "it depends" responses; what works for me may not necessarily work for you. What works best for your environment?

    -- You can't be late until you show up.

  • Thank you for your replies.

    So, the only summary is to use a domain account for the Agent service just in case it could ever be useful, isn't it? Are there any more opinions?

    Also, what about Server and Browser services?

    I appreciate your help.

    I, personally, run all my services with the same domain account, fewer passwords to remember! 😉

    -- You can't be late until you show up.

  • tosscrosby (1/30/2009)

    I, personally, run all my services with the same domain account, fewer passwords to remember! 😉

    It's not only fewer passwords to remember, especially since you could make them all the same; it's also fewer accounts to maintain.

    Alvin Ramard
    Memphis PASS Chapter

    All my SSC forum answers come with a money back guarantee. If you didn't like the answer then I'll gladly refund what you paid for it.

    For best practices on asking questions, please read the following article: Forum Etiquette: How to post data/code on a forum to get the best help

  • You guys are talking about convenience, whereas I'm asking about security. 🙂

    As is well known, these two are mutually exclusive. 🙂

    I must adhere to the least-privileged-account practice. If it's possible to use a local account, it should be so. If only one service must be run under a domain account, the others should still run under local ones. No matter the number of accounts and passwords to remember.

    So, the question remains the same: for each of the services - Server, Agent, Browser - what are the conditions when each of them must run under a domain account instead of a local one?

    Thank you.

  • VEB (1/31/2009)

    You guys are talking about convenience, whereas I'm asking about security. 🙂

    As is well known, these two are mutually exclusive. 🙂

    Oh. Well if that is true then clearly you should be doing the most inconvenient thing possible in order to maximize security.

    Therefore, I would recommend that you use an Invalid account. This is about as inconvenient as I can imagine, AND I believe that testing will show that it is also more secure than any other choice.

    😀

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • Yeah, quite funny... It seems the wrong forum was chosen for this question...

    Nevertheless, can anybody share his or her knowledge and experience on my problem?

    Or should I re-post this question to the Administration forum branch?

    I appreciate your help.

  • Domain or local, the account should be low permission. Setup will assign the correct permissions for the account when installing the system or when the account is set through SQL Server Configuration Manager.

    A domain account simply allows more flexibility for a SQL Server that is part of a domain. If the server is stand-alone and not a member server, then local accounts are used.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
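One way to check where a given instance actually stands on the question in this thread is to inventory the SQL Server service logon accounts and classify each as built-in, local, or domain, and to flag any that sit in the local Administrators group (the most common over-privilege). The script below is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 or later on the SQL Server host and that the service names follow the standard MSSQL*, SQLAgent* and SQLBrowser patterns.

```powershell
# Added example: audit SQL Server service accounts on the local host.
# Assumes Windows PowerShell 5.1+ (for Get-LocalGroupMember) and standard service names.
$computer = $env:COMPUTERNAME
$escaped  = [regex]::Escape($computer)

# Built-in accounts never need a domain password; these patterns cover the usual forms.
$builtIn = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

# Members of the local Administrators group, normalised to COMPUTER\name for comparison.
$admins = @()
try {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { $_.Name }
} catch {
    Write-Warning "Could not read local Administrators group: $_"
}

function Get-SqlServiceAccountReport {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLBrowser)' } |
        ForEach-Object {
            $acct = $_.StartName
            # ".\name" is shorthand for a local account; expand it for group comparison.
            $normalised = $acct -replace '^\.\\', "$computer\"
            $kind = if ($acct -match $builtIn)              { 'built-in' }
                    elseif ($acct -match "^$escaped\\")     { 'local' }
                    elseif ($acct -match '\\')              { 'domain' }
                    else                                    { 'unknown' }
            [pscustomobject]@{
                Service    = $_.Name
                State      = $_.State
                Account    = $acct
                Kind       = $kind
                LocalAdmin = [bool]($admins -contains $normalised)
            }
        }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize
```

A row with Kind = domain and LocalAdmin = False is the least-privilege configuration the thread is asking about; LocalAdmin = True for any of the three services is the setting worth revisiting regardless of whether the account is local or domain.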

  • Thank you.

    I do know that the accounts should be low-permission ones, and that setup assigns the necessary permissions for them, and this is exactly what I did and wrote about earlier. Also, I do know those general words regarding more flexibility in a domain environment. Also, as I'm asking about domain accounts, I'm obviously interested in a domain environment where SQL Server functions. I am asking a very specific question (again) and looking for a specific answer from PROs and experts:

    For EACH of the services - Server, Agent, Browser - what are the conditions (certain, specific, namely) when EACH of them must run under a domain account instead of a local one?

    Still hoping for a definite answer.

    Thank you.
