locked
NT Authority and NT Service Accounts RRS feed

  • Question

  • I have the following logins on my SQL Server with sysadmin privileges.

    NT AUTHORITY\SYSTEM

    NT SERVICE\{instance name}

    NT SERVICE\SQLAgent{instance name}

    NT SERVICE\SQLWriter (for SQL2012)

    NT SERVICE\Winmgmt (for SQL2012)

    If I use a domain service account on my Sql Server and Sql Server Agent services (Log on as:),

    1. do I need Logins mentioned above as sysadmin?

    2. can / should I remove them as security hardening?

    on SQL Server 2008 and SQL Server 2012

    thanks

    Tuesday, April 7, 2015 3:14 PM

Answers

  • Thanks! So, I should just remove SYSADMIN from those logins, correct?

    Edit: Report findings - NT SERVICE\SQLSERVERAGENT does need SYSADMIN. Else, SQL Server Agent service cannot be started.

    Hi Amy2013,

    According to the discussion in the similar blog, it depends on the software and services in use that if there is any downside impact on revoking "sysadmin" privileges on these logins.

    In addition, particularly, for the NT SERVICE\winmgmt login, if you revoke “sysadmin" privileges on it, please ensure that it is configured with the following permissions:

    •Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
    • CREATE DDL EVENT NOTIFICATION permission in the server.
    • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
    • VIEW ANY DATABASE server-level permission.

    Reference:
    Configure Windows Service Accounts and Permissions

    Thanks,
    Lydia Zhang


    Lydia Zhang
    TechNet Community Support






    Thursday, April 9, 2015 9:22 AM

All replies

  • Hi,

    AFAIK whatever you do NT Authority/system would always be a account with complete privilege. Others are general account NO NEED to give any account admin privileges.

    Its difficult to say whether you can disable(not remove) NT Authority/system. Disable it and see if it affects anything


    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    My Technet Wiki Article

    MVP

    Tuesday, April 7, 2015 4:08 PM
  • Thanks for replying.

    What are the rest of the accounts / group for? Can I deny login on those?

    Edit:
    Look like I cannot disable NT SERVICE\MSSQLSERVER or NT SERVICE\SQLSERVERAGENT. Got error 15151 (Cannot alter the login 'NT SERVICE\MSSQLSERVER', because it does not exist or you do not have permission.)

    Perhaps, because it's a GROUP rather than a username?

    I can however, DENY "permission to connect to database engine:"

    • Edited by Ami2013 Tuesday, April 7, 2015 6:58 PM
    Tuesday, April 7, 2015 6:53 PM
  • You dont need to worry about those account, they are created by SQL Server and are only service specific

    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    My Technet Wiki Article

    MVP

    Tuesday, April 7, 2015 7:00 PM
  • Thanks! So, I should just remove SYSADMIN from those logins, correct?

    Edit: Report findings - NT SERVICE\SQLSERVERAGENT does need SYSADMIN. Else, SQL Server Agent service cannot be started.
    • Edited by Ami2013 Tuesday, April 7, 2015 7:47 PM
    Tuesday, April 7, 2015 7:37 PM
  • Thanks! So, I should just remove SYSADMIN from those logins, correct?

    Edit: Report findings - NT SERVICE\SQLSERVERAGENT does need SYSADMIN. Else, SQL Server Agent service cannot be started.

    Hi Amy2013,

    According to the discussion in the similar blog, it depends on the software and services in use that if there is any downside impact on revoking "sysadmin" privileges on these logins.

    In addition, particularly, for the NT SERVICE\winmgmt login, if you revoke “sysadmin" privileges on it, please ensure that it is configured with the following permissions:

    •Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
    • CREATE DDL EVENT NOTIFICATION permission in the server.
    • CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
    • VIEW ANY DATABASE server-level permission.

    Reference:
    Configure Windows Service Accounts and Permissions

    Thanks,
    Lydia Zhang


    Lydia Zhang
    TechNet Community Support






    Thursday, April 9, 2015 9:22 AM
  • Hi,

    If I use a domain account, with interactive login disabled and deny login locally, does this account need to be explicitly granted sysadmin ? Or it'll have sysadmin rights configured automatically by the SQL configuration Manager ?

    From SQL Server 2012, when I change the service account to a domain account, I don't see this account being granted sysadmin at the SQL Server. Am I right ?

    Please advise. TIA !

    Monday, November 23, 2015 8:26 AM
  • Maybe you should start a new thread rather than piggybacking on one from April.

    It is not clear to me what your question is. But the service account for SQL Server is always sysadmin on its own instance. However, if the instance access another instance which has the same service account, the service account must be granted access on that second instance.

    Tuesday, November 24, 2015 10:41 PM