locked
SQL 2012 service accounts best practice RRS feed

  • Question

  • I'm installing SQL Server 2012 for ConfigMgr 2012 r2 and I wonder what is the best practice for SQL service accounts.

    During the installation of SQL Server, in the server configuration/Service accounts menu I'm allowed to configure following service accounts: SQL Server Agent, SQL Server Agent Database Engine, SQL Server Reporting Services, SQL Server Browser.

    Do I have to create separate domain user (not admin) accounts for each service and configure service principal name (SPN) for all of them?

    For example: Domain user account named SQLSA for SQL Server Agent, another domain user account SQLADBE for SQL Server Agent Database Engine etc.

    Sunday, January 25, 2015 1:18 AM

Answers

  • Hi,

    Please read following article

    https://msdn.microsoft.com/en-us/library/ms143504.aspx


    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    My Technet Wiki Article

    MVP

    Sunday, January 25, 2015 4:55 AM
  • In addition to Shanky notes, please take a look at these links:

    “The SQL Guy” Post #15: Best Practices For Using SQL Server Service Accounts

    Guidelines on choosing Service Accounts for SQL Server Services.

    How to Create Secure SQL Server Service Accounts


    Cheers,
    Saeid Hasani
    Database Consultant

    Please feel free to contact me at DatabaseConsultant@outlook.com as well as on Twitter and Facebook.

    [My Writings on TechNet Wiki] [T-SQL Blog] [Curah!] [Twitter] [Facebook] [Email]

    Sunday, January 25, 2015 6:28 AM
  • During the installation of SQL Server 2012, the user is prompted to provide service account
    credentials. The default service accounts suggested vary depending on whether SQL Server
    2012 is installed on a computer running Windows Vista or Windows Server 2008 or on a computer
    running Windows 7 or Windows Server 2008 R2. On computers running Windows Vista
    or Windows Server 2008 operating systems, the following default service accounts are used:
    - NETWORK SERVICE Database Engine, SQL Server Agent, Analysis Services,
    Integration Services, Reporting Services, SQL Server Distributed Replay Controller,
    SQL Server Distributed Replay Client
    - LOCAL SERVICE SQL Server Browser, FD Launcher (Full-Text Search)
    - LOCAL SYSTEM SQL Server VSS Writer
    On computers running Windows 7 or Windows Server 2008 R2 operating systems, the following
    default accounts are used:
    - Virtual Account or Managed Service Account Database Engine, SQL Server Agent,
    Analysis Services, Integration Services, Replication Services, SQL Server Distributed
    Replay Controller, SQL Server Distributed Replay Client, FD Launcher (Full-Text Search)
    - LOCAL SERVICE SQL Server Browser
    - LOCAL SYSTEM SQL Server VSS Writer
    For Windows 7 and Windows Server 2008 R2, you can use a Managed Service Account
    (MSA) or a Managed Local Account. The differences between these account types are as
    follows:
    - Managed Service Account (MSA) This special kind of domain account managed
    by a domain controller is assigned to a single member computer and used for running
    services. The MSA password is managed by the domain controller. MSAs can register
    a Service Principal Name (SPN) with Active Directory. MSAs use a $ name suffix; for
    example, CONTOSO\SQL-A-MSA$. You must create the MSA prior to running SQL
    Server Setup if you want to use an MSA with SQL Server services.
    - Virtual Accounts or Managed Local Accounts These virtual accounts can access
    the network in a domain environment and are used by default for service accounts
    during SQL Server 2012 setup when run on Windows 7 or Windows Server 2008 R2.
    Such accounts use the NT SERVICE\<SERVICENAME>format. You don’t need to specify
    a password when using virtual accounts with SQL Server 2012 because this is handled
    automatically by the operating system.

    You should run SQL Server services, using the minimum possible user rights, and use an
    MSA or virtual account when possible. If you are manually configuring service accounts, use
    separate accounts for different SQL Server services. If it is necessary to change the properties
    of service accounts used for SQL Server 2012, use SQL Server tools such as SQL Server
    Configuration Manager. This ensures that all necessary dependencies are
    updated, which does not happen if you use only the Services console.
    Although you can configure domain accounts as service accounts, this strategy requires
    more effort because you must ensure that service account passwords are changed regularly.
    You must also manage SPNs, which are required for Kerberos authentication.


    Best regads

    P.Ceglie

    Sunday, January 25, 2015 11:09 AM

All replies

  • Hi,

    Please read following article

    https://msdn.microsoft.com/en-us/library/ms143504.aspx


    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    My Technet Wiki Article

    MVP

    Sunday, January 25, 2015 4:55 AM
  • In addition to Shanky notes, please take a look at these links:

    “The SQL Guy” Post #15: Best Practices For Using SQL Server Service Accounts

    Guidelines on choosing Service Accounts for SQL Server Services.

    How to Create Secure SQL Server Service Accounts


    Cheers,
    Saeid Hasani
    Database Consultant

    Please feel free to contact me at DatabaseConsultant@outlook.com as well as on Twitter and Facebook.

    [My Writings on TechNet Wiki] [T-SQL Blog] [Curah!] [Twitter] [Facebook] [Email]

    Sunday, January 25, 2015 6:28 AM
  • During the installation of SQL Server 2012, the user is prompted to provide service account
    credentials. The default service accounts suggested vary depending on whether SQL Server
    2012 is installed on a computer running Windows Vista or Windows Server 2008 or on a computer
    running Windows 7 or Windows Server 2008 R2. On computers running Windows Vista
    or Windows Server 2008 operating systems, the following default service accounts are used:
    - NETWORK SERVICE Database Engine, SQL Server Agent, Analysis Services,
    Integration Services, Reporting Services, SQL Server Distributed Replay Controller,
    SQL Server Distributed Replay Client
    - LOCAL SERVICE SQL Server Browser, FD Launcher (Full-Text Search)
    - LOCAL SYSTEM SQL Server VSS Writer
    On computers running Windows 7 or Windows Server 2008 R2 operating systems, the following
    default accounts are used:
    - Virtual Account or Managed Service Account Database Engine, SQL Server Agent,
    Analysis Services, Integration Services, Replication Services, SQL Server Distributed
    Replay Controller, SQL Server Distributed Replay Client, FD Launcher (Full-Text Search)
    - LOCAL SERVICE SQL Server Browser
    - LOCAL SYSTEM SQL Server VSS Writer
    For Windows 7 and Windows Server 2008 R2, you can use a Managed Service Account
    (MSA) or a Managed Local Account. The differences between these account types are as
    follows:
    - Managed Service Account (MSA) This special kind of domain account managed
    by a domain controller is assigned to a single member computer and used for running
    services. The MSA password is managed by the domain controller. MSAs can register
    a Service Principal Name (SPN) with Active Directory. MSAs use a $ name suffix; for
    example, CONTOSO\SQL-A-MSA$. You must create the MSA prior to running SQL
    Server Setup if you want to use an MSA with SQL Server services.
    - Virtual Accounts or Managed Local Accounts These virtual accounts can access
    the network in a domain environment and are used by default for service accounts
    during SQL Server 2012 setup when run on Windows 7 or Windows Server 2008 R2.
    Such accounts use the NT SERVICE\<SERVICENAME>format. You don’t need to specify
    a password when using virtual accounts with SQL Server 2012 because this is handled
    automatically by the operating system.

    You should run SQL Server services, using the minimum possible user rights, and use an
    MSA or virtual account when possible. If you are manually configuring service accounts, use
    separate accounts for different SQL Server services. If it is necessary to change the properties
    of service accounts used for SQL Server 2012, use SQL Server tools such as SQL Server
    Configuration Manager. This ensures that all necessary dependencies are
    updated, which does not happen if you use only the Services console.
    Although you can configure domain accounts as service accounts, this strategy requires
    more effort because you must ensure that service account passwords are changed regularly.
    You must also manage SPNs, which are required for Kerberos authentication.


    Best regads

    P.Ceglie

    Sunday, January 25, 2015 11:09 AM