Local System, Local Service, Network Service Account.

    Hi Guys,

    I just started to learn about DBA. Just wanted to ask a very basic question. I have used these so many times but am not sure what EXACTLY they mean.

    What do these different logins/users mean:

    Local System, Local Service, NT Authority/Network Service?

    What is their significance? What are their roles in SQL Server?

    Also, what is the ASPNET user?

    A more descriptive answer will be appreciated.

    Regards.

    Saturday, August 23, 2008 8:30 AM

All replies

  • Mangal9i wrote:

    > What do these different logins/users mean:
    >
    > Local System, Local Service, NT Authority/Network Service?
    >
    > What is their significance? What are their roles in SQL Server?
    >
    > Also, what is the ASPNET user?

    It really depends on your environment as to the role that these users play in SQL Server. If you follow best practices, then the SQL services run under accounts that don't require the use of any of these accounts. ASPNET is the user account under which ASP.NET web applications run. You can use impersonation and/or SQL user accounts to eliminate the need for this user to have access to SQL Server. The same goes for the Local System, Local Service and NT Authority/Network Service accounts. If your services are configured properly and run under a low-level domain or local user account, then you don't need any of the listed accounts in SQL Server. You should strive to run SQL Server and the associated services under the lowest-level service account possible.

    Sunday, August 24, 2008 1:46 AM

  • Hi Jonathan,

    I am having some issues with SQL authentication.
    The environment is set up as below:

    1. Web Apps (.NET 1.1) running in IIS
    - Set Anonymous user to a Domain Service Account user.

    2. Web Apps will access the MS SQL 2005 DB.
    - Added domain Service Account into the apps database
    - Granted datareader / datawriter / ddladmin rights

    ISSUE: Not able to log in to the database.
    SOLUTION: Granted db_owner, then able to log in.

    Please advise...

    Thank you,

    Herries E

    Wednesday, August 27, 2008 6:15 AM
  • You should use a local non-system account or a service account. If this SQL Server service requires access to network resources, you can use an ordinary domain account.

    • Domain User Account
      If the service must interact with network services, access domain resources like file shares or if it uses linked server connections to other computers running SQL Server, you might use a minimally-privileged domain account. Many server-to-server activities can be performed only with a domain user account. This account should be pre-created by domain administration in your environment.
    • Local User Account
      If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.

    The following are NOT advised, as they grant more privileges than required for running the SQL Server services:

    • Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".
    • The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".
    • The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".

    Please consider the below recommendations:

    • Always run SQL Server services by using the lowest possible user rights.
    • Use a specific low-privilege user account or domain account instead of a shared account for SQL Server services.
    • Use separate accounts for different SQL Server services.
    • Do not grant additional permissions to the SQL Server service account or the service groups.

    Reference: Setting Up Windows Service Accounts

    Mark as Answer if it helps. This posting is provided "AS IS" with no warranties, confers no rights.
    Thursday, January 27, 2011 6:39 AM
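    The recommendations above can be checked on a server with a short audit. The following PowerShell is an added example and not code from the thread or from Microsoft's documentation; it assumes PowerShell 3.0 or later, a default SQL Server service naming scheme (MSSQL*, SQLAgent*, MSSQLFDLauncher*, ReportServer*), and that the built-in account names listed are the ones Win32_Service reports.

```powershell
# Audit which Windows accounts the local SQL Server services run under and flag
# the built-in accounts the answer above advises against (Local System,
# Local Service, Network Service). Service-name patterns are assumptions
# for a default installation; adjust them for named instances or other tools.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Win32_Service.StartName is the logon account of each service.
$sqlServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|MSSQLFDLauncher|ReportServer)' }

$report = foreach ($svc in $sqlServices) {
    $account = $svc.StartName
    $finding = if ($builtIn -contains $account) {
                   'REVIEW: built-in account, more privilege than required'
               } elseif ($account -like 'NT Service\*') {
                   'OK: per-service virtual account'
               } else {
                   'OK: explicit local or domain user account'
               }
    [pscustomobject]@{
        Service = $svc.Name
        State   = $svc.State
        Account = $account
        Finding = $finding
    }
}

$report | Format-Table -AutoSize

# "Use separate accounts for different SQL Server services": warn when one
# explicit account is shared by several services on this machine.
$shared = $report |
    Where-Object { $builtIn -notcontains $_.Account } |
    Group-Object -Property Account |
    Where-Object { $_.Count -gt 1 }
foreach ($group in $shared) {
    Write-Warning "Account '$($group.Name)' is shared by: $($group.Group.Service -join ', ')"
}
```

    Run it in an elevated PowerShell session on the SQL Server host; any row marked REVIEW identifies a service whose logon account should be changed to a dedicated low-privilege account through SQL Server Configuration Manager rather than the generic Services console, so that the service's file and registry permissions are kept in step.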