Account for running SQL services

    Question

  • I have read that you should use separate logins for all services that SQL Server uses. Is this necessary? Should I use a domain admin account or create a domain account and grant the user account sysadmin rights?

    Nick

    Wednesday, July 22, 2009 1:13 PM

Answers

  • Microsoft recommends that you configure service accounts individually to provide least privileges for each service, where SQL Server services are granted the minimum permissions they need to complete their tasks. For more information, see Setting Up Windows Service Accounts.


    http://msdn.microsoft.com/en-us/library/ms143504.aspx#Use_startup_accounts
     

    Always run SQL Server services by using the lowest possible user rights. Use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID.

    Sivaprasad S http://sivasql.blogspot.com Please click the Mark as Answer button if a post solves your problem!
    • Marked as answer by nickswoca Wednesday, July 22, 2009 5:08 PM
    Wednesday, July 22, 2009 3:43 PM
  • I guess it all depends on how seriously you are taking security.

    For development environments or scratch pad installs where security might not be a concern then I tend to just take the quickest, dirtiest approach and use LocalSystem. However, for production environments it's well worth taking the extra time to set up relevant domain accounts to comply with MS best practice as highlighted above.


    every day is a school day
    • Marked as answer by nickswoca Wednesday, July 22, 2009 5:08 PM
    Wednesday, July 22, 2009 4:14 PM
    Moderator
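
An added example (not part of the thread or of Microsoft's documentation): a PowerShell check that flags SQL Server services started as LocalSystem or another built-in account, or sharing one account with another SQL service, which are the cases the answers above advise against. `Test-SqlServiceAccount` is a hypothetical helper name, and the service list, domain and account names in the sample are constructed.

```powershell
# Added example: audit the startup accounts of SQL Server services.
# Input objects only need Name and StartName, the same properties Win32_Service exposes.
function Test-SqlServiceAccount {
    param([Parameter(Mandatory)][object[]]$Service)

    # Built-in identities: over-privileged (LocalSystem) or shared with other Windows services.
    $builtin = @{
        'localsystem'                 = 'runs as LocalSystem'
        'nt authority\system'         = 'runs as LocalSystem'
        'nt authority\networkservice' = 'built-in account shared with other services'
        'nt authority\localservice'   = 'built-in account shared with other services'
    }

    # Count how many of the audited services start under each account.
    $count = @{}
    foreach ($s in $Service) { $count["$($s.StartName)".ToLower()] += 1 }

    foreach ($s in $Service) {
        $acct     = "$($s.StartName)".ToLower()
        $findings = @()
        if ($builtin.ContainsKey($acct)) {
            $findings += $builtin[$acct]
        } elseif ($count[$acct] -gt 1) {
            $findings += "account shared by $($count[$acct]) SQL services"
        }
        [pscustomobject]@{
            Service  = $s.Name
            Account  = $s.StartName
            Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample so the check runs offline (CONTOSO and svc-* are made-up names).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';     StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';  StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'ReportServer';    StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'MSSQLFDLauncher'; StartName = 'CONTOSO\svc-sqlfts' }
)
Test-SqlServiceAccount -Service $sample | Format-Table -AutoSize

# On a real host, pass the live services instead of the sample:
# $live = Get-CimInstance Win32_Service |
#     Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT|SQLBrowser|ReportServer)' }
# Test-SqlServiceAccount -Service $live
```

With the sample, the database engine is flagged for LocalSystem, the Agent and Reporting Services entries are flagged for sharing one account, and only the full-text launcher passes.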

All replies

  • What I have done is set up a domain account and granted minimal privileges to this account. I added this account to SQL and granted this account a sysadmin role. Is this correct?

    Nick
    Friday, July 24, 2009 2:27 PM
  • If that account will be running SQL Agent, then it does need to be a sysadmin. If it's just the account to run SQL Server it does not require this role.


    every day is a school day
    Friday, July 24, 2009 3:24 PM
    Moderator
  • Which role does it need?
    Friday, July 24, 2009 3:29 PM