locked
SQL server agent as sysadmin RRS feed

  • Question

  • Hi,

    To solve Linked server security issues we plan to add SQL Agent domain service account as server Login and grant sysadmin permissions on each SQL server. Any concerns on this? 

    Thank you very much

    Monday, March 20, 2017 1:35 PM

All replies

  • What security issues are  you talking about?  I have some servers where SQL Agent runs under domain account which is a sysadmin ( no concerns as it based on business requirements) but the best practice is grant only necessary permissions

    Best Regards,Uri Dimant SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/

    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting: Large scale of database and data cleansing
    Remote DBA Services: Improves MS SQL Database Performance
    SQL Server Integration Services: Business Intelligence


    Monday, March 20, 2017 1:41 PM
  • By default it already is in the sysadmin role.

    Most dbas will use a low privilege account to run SQL Server agent under (even though it will still be in the sysadmin role in SQL Server), to minimize the damage it could do on your network if it was exploited.

    If a job needs to access resource on the network you would use a job proxy. Likewise the account a linked server will run under can be controlled to minimize its rights on remote SQL or other RDBMS systems.

    • Proposed as answer by Teige Gao Wednesday, March 29, 2017 9:53 AM
    Monday, March 20, 2017 1:43 PM
  • We want to use "Be made using the login's current security context" for Linked server security. But we have SQL jobs that use Linked servers to access remote tables and change data. 

    As SQL jobs runs under SQL Agent account we think to grant SQL Agent account sysadmin on all servers that the SQL jobs could successfully finish through Linked server.

    By default on newly installed server I was not able to find SQL Agent login and my SQL jobs failed while logging onto remote server though Linked server object.

    Thanks

    Monday, March 20, 2017 1:55 PM