November 3, 2015 at 5:35 pm
I recently changed companies and noticed the new company sets up a local admin account for each SQL Service to run under. I am used to having one AD user account to run the services and usually only use it for MSSQLSERVER and the Agent service. What is the best practice approach for the SQL Services accounts? Any feedback will be greatly appreciated.
November 3, 2015 at 5:39 pm
Ideally each service should have its own account. That account absolutely should NOT be local admin, they should be limited-permission accounts.
While that's the ideal, in many cases multiple services will share a service account. Doing so makes the admin easier, but it increases the risk if any of the services using it are compromised, or increases what will break if the password changes or the account is disabled.
Such a shared service should absolutely NOT be local admin.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 4, 2015 at 12:24 pm
Thank you!
November 6, 2015 at 7:08 am
GilaMonster (11/3/2015)
Ideally each service should have its own account. That account absolutely should NOT be local admin, they should be limited-permission accounts.
While that's the ideal, in many cases multiple services will share a service account. Doing so makes the admin easier, but it increases the risk if any of the services using it are compromised, or increases what will break if the password changes or the account is disabled.
Such a shared service should absolutely NOT be local admin.
Using MSAs removes the issues above, such as password changes and account compromise.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
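Added example, not part of any post in this thread: a PowerShell audit that flags SQL Server services whose logon account is a local administrator, is shared between services, or looks like a managed service account. The function name `Test-SqlServiceAccount`, the host name `SQL01`, the `CONTOSO` accounts and the sample data are constructed for illustration; the trailing `$` test for MSAs is a naming heuristic, and only direct members of the Administrators group are checked (nested groups are not expanded).

```powershell
# Added example: audit SQL Server service logon accounts.
# Test-SqlServiceAccount is a hypothetical helper name, not a built-in cmdlet.
function Test-SqlServiceAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Services,     # objects with Name and StartName
        [Parameter(Mandatory)] [string[]] $LocalAdmins,  # direct members of BUILTIN\Administrators
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $rows = foreach ($svc in $Services) {
        $acct = [string]$svc.StartName
        # Normalise ".\user" to "COMPUTER\user" so it compares with group member names
        if ($acct.StartsWith('.\')) { $acct = $ComputerName + '\' + $acct.Substring(2) }
        [pscustomobject]@{ Service = $svc.Name; Account = $acct }
    }
    # Accounts that more than one service runs under
    $shared = @($rows | Group-Object Account | Where-Object Count -gt 1 |
                ForEach-Object Name)
    foreach ($r in $rows) {
        [pscustomobject]@{
            Service      = $r.Service
            Account      = $r.Account
            # LocalSystem is treated as administrator-equivalent
            AdminRights  = ($r.Account -eq 'LocalSystem') -or ($LocalAdmins -contains $r.Account)
            Shared       = $shared -contains $r.Account
            LooksLikeMsa = $r.Account.EndsWith('$')   # heuristic: MSA/gMSA names end in $
        }
    }
}

# Constructed sample input (not taken from a real host)
$sampleServices = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';     StartName = '.\sqlsvc' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';  StartName = '.\sqlsvc' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTING'; StartName = 'CONTOSO\msa-sqlrep$' }
)
$sampleAdmins = @('SQL01\Administrator', 'SQL01\sqlsvc')

Test-SqlServiceAccount -Services $sampleServices -LocalAdmins $sampleAdmins `
    -ComputerName 'SQL01' | Format-Table -AutoSize

# On a live server, feed it real data instead of the samples:
#   $svc = Get-CimInstance Win32_Service |
#          Where-Object Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT)'
#   $adm = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
#   Test-SqlServiceAccount -Services $svc -LocalAdmins $adm
```

With the sample data, the two services running as `SQL01\sqlsvc` come back with both `AdminRights` and `Shared` set to True, while the `MSSQL$REPORTING` row is flagged only as `LooksLikeMsa`.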