Setting up Service Accounts

  • I’m trying to set up some guidelines for setting up the SQL Server service accounts for both SQL Server 2000 and SQL Server 2005.  I’d like to run this by the DBA community to ensure my guidelines provide the necessary permissions required for each of these services, yet minimize the impact (security risk) should one of these accounts be exploited by someone.   Here are my guidelines.  Are these good enough?  Should I clarify or expand?


    Guidelines for setting up SQL Server service accounts:

    • Set up a different domain account for each service
    • Give each domain account only the network permissions it requires
    • Set up the domain account prior to installing SQL Server and specify the domain account during the installation so appropriate permissions will be established on the server for the account.
    • Do not place the domain account into the local Administrators group

    Gregory A. Larsen, MVP

  • Greg,

    Startup accounts should depend on the business and security need. I would not do a domain startup account for the secure server where the app is located on the same computer. I would do a local one.

    Also, it is not really required to specify the account during the installation. If you change accounts in the Enterprise Manager (2000) or SQL Server Configuration Manager (2005) the rights are assigned to the account correctly.

    What I would add to your list is "The account requires Password Never Expires checked." If you want the accounts created before the installation, and it is usually the network administrator whom DBAs have to ask for account creation, then they may as well ask for certain account properties.

    Regards,
    Yelena Varsha

  • Revoking 'interactive login' for all service accounts is another addition to the list.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."
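As an added example (not code from any of the posters), the following PowerShell script audits a SQL Server host against the combined list so far: one account per service and no local Administrators membership (Greg's list), "Password Never Expires" set (Yelena's addition), and interactive logon revoked (Rudy's addition, which on Windows is the "Deny log on locally" user right, SeDenyInteractiveLogonRight). It reads the live host rather than sample data, and it assumes an elevated session on the SQL Server machine, service accounts written as DOMAIN\name, and the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules being available (both postdate the SQL 2000/2005 era the thread discusses). All function names are my own.

```powershell
# Added example: audit SQL Server service accounts against the thread's guidelines.
#   - a different account for each service          (Greg)
#   - not a member of local Administrators           (Greg)
#   - "Password Never Expires" set on the account    (Yelena)
#   - interactive logon denied                       (Rudy; "Deny log on locally",
#                                                     SeDenyInteractiveLogonRight)
# Assumptions: run elevated on the SQL host; ActiveDirectory and
# Microsoft.PowerShell.LocalAccounts modules present; accounts as DOMAIN\name.

#Requires -RunAsAdministrator

function Get-SqlServiceAccounts {
    # MSSQL% covers the engine (MSSQLSERVER, MSSQL$INST) and related SQL services;
    # SQL%AGENT% covers SQLSERVERAGENT and SQLAgent$INST.
    Get-CimInstance -ClassName Win32_Service `
        -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%AGENT%'" |
        Select-Object Name, StartName, State
}

function ConvertTo-Sid {
    # Resolve DOMAIN\name (or a well-known name) to its SID string.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalAdminSids {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
}

function Get-DenyInteractiveLogonSids {
    # secedit writes the right as: SeDenyInteractiveLogonRight = *S-1-5-...,*S-1-5-...
    # The line is absent entirely when nobody has been assigned the right.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
        $v = $_.Trim().TrimStart('*')
        if ($v -match '^S-1-') { $v } else { ConvertTo-Sid $v }   # normalise names to SIDs
    }
}

function Test-PasswordNeverExpires {
    # Get-ADUser accepts a SID as -Identity; returns $null for non-domain principals.
    param([string]$Sid)
    try {
        (Get-ADUser -Identity $Sid -Properties PasswordNeverExpires -ErrorAction Stop).PasswordNeverExpires
    } catch { $null }
}

function Invoke-SqlServiceAccountAudit {
    $services  = Get-SqlServiceAccounts
    $adminSids = Get-LocalAdminSids
    $denySids  = Get-DenyInteractiveLogonSids
    # Built-in and local accounts have no domain properties to check.
    $builtIn   = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)'

    # Guideline: a different account for each service.
    $services | Group-Object StartName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "$($_.Name) is shared by: $($_.Group.Name -join ', ')"
    }

    foreach ($svc in $services) {
        $acct = $svc.StartName
        if ($acct -match $builtIn) {
            Write-Warning "$($svc.Name) runs as built-in or local account '$acct'; domain checks skipped"
            continue
        }
        $sid = ConvertTo-Sid $acct
        [pscustomobject]@{
            Service              = $svc.Name
            Account              = $acct
            LocalAdmin           = ($adminSids -contains $sid)      # guideline: False
            PasswordNeverExpires = Test-PasswordNeverExpires $sid    # guideline: True
            InteractiveDenied    = ($denySids -contains $sid)       # guideline: True
        }
    }
}

Invoke-SqlServiceAccountAudit | Format-Table -AutoSize
```

The script only reports; it changes nothing, so it is safe to run before and after the network administrator has created the accounts. Two caveats: "Deny log on locally" does not cover Remote Desktop (that is the separate SeDenyRemoteInteractiveLogonRight), so a site that also wants to block RDP should export and check that right the same way; and, as Greg notes later in the thread, any one-time interactive setup under the service account (such as configuring a mail profile) has to happen before the deny right is applied.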

  • Yelena, thank you for the thoughts. 

    We do not have applications running on the same machine as our SQL Server machines.  But our SQL Server machines need access to directories on the network so they can write files to network shares and access other network resources.

    I assumed our accounts would have non-expiring passwords.  But then one should never make assumptions when it comes to what system admins might do. I will add this to my list; it's good to highlight this small issue.

    Gregory A. Larsen, MVP

  • Rudy, thanks for your input.  I think on the whole our service accounts will not be used to log in and do interactive things, although I'm not sure this is true in all cases.  We currently have the Outlook client installed so we can set up a mail profile.  In order to get mail to work we need to log on with the service account to configure the mail profile.  So I suppose once this is completed we could set this option.

    Gregory A. Larsen, MVP

  • Yelena, I was kind of thinking that EM does not correctly set all the folder permissions when you change the service account through EM.  I have not confirmed this.  It makes sense that you should be able to change the service accounts via EM.

    Gregory A. Larsen, MVP

  • Greg,

    The manuals usually say that EM changes everything correctly. I have not had any issues so far, but I cannot guarantee that there are no issues. As I say, I normally install on Local System and after that change to a domain account if needed, because the app support may not have the domain account ready by the time they ask me to install.

    As for Password Never Expires, network admins normally don't like to do that, and you do have to tell them and give them references that you in fact need it based on ...<the name of your list goes here>

    All:  kids, have a happy 4th of July holiday here in the US, and all other folks, feel like you have a holiday too!

    Regards,
    Yelena Varsha
