SQL Server Service Startup Account

  • Question

  • Hi,

    I'm wondering why SQL Server suggests "Use a specific low-privilege user account or domain account"?
    What would happen if we use a Domain Admin account?
    Thanks for help.

    Jason

    Wednesday, October 23, 2013 3:04 AM

Answers

  • To directly answer your question, Jason: the service would start, and it would work. It just gives more permissions than necessary to the SQL Server engine. This increases your security vulnerabilities. In my environment, I create a separate account for each SQL Server service. This is according to MS best practice.

    As a side note, I generate passwords and store them in a vault; this way I can change them periodically.

    • Marked as answer by JasonHuang8888 Wednesday, October 23, 2013 6:15 AM
    Wednesday, October 23, 2013 5:43 AM
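
An added example, not part of the original thread: a PowerShell audit that lists the startup account of each SQL Server service on the local machine and flags the conditions the answer warns about (LocalSystem, administrator group membership, one account shared by several services). The service-name pattern, the group name 'Domain Admins' and the availability of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example: audit SQL Server service startup accounts on the local host.
# Assumptions: Windows PowerShell 5.1+, elevated session; the service-name
# pattern covers common SQL Server services and may need extending.
$pattern  = '^(MSSQLSERVER|MSSQL\$|SQLSERVERAGENT|SQLAgent\$|SQLBrowser|MSSQLFDLauncher|ReportServer|MSSQLServerOLAPService|MSOLAP\$)'
$services = @(Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -match $pattern })

# Members of the local Administrators group (well-known SID S-1-5-32-544).
$localAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.ToLower() })

# Domain Admins members, only if the ActiveDirectory (RSAT) module is installed.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SamAccountName.ToLower() })
}

# Accounts used by more than one service (the answer recommends one per service).
$shared = @($services | Group-Object -Property StartName |
    Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name.ToLower() })

$report = foreach ($svc in $services) {
    $account = "$($svc.StartName)".ToLower()
    # Local accounts are stored as .\user; expand to COMPUTER\user for comparison.
    $full    = $account -replace '^\.\\', "$($env:COMPUTERNAME.ToLower())\"
    # DOMAIN\user -> user. Matching by name only, so a local account that shares
    # a name with a Domain Admins member is also flagged and needs a manual look.
    $samName = ($account -split '\\')[-1]
    $findings = @()
    if ($account -eq 'localsystem')       { $findings += 'runs as LocalSystem' }
    if ($localAdmins -contains $full)     { $findings += 'local Administrators member' }
    if ($domainAdmins -contains $samName) { $findings += 'Domain Admins member' }
    if ($shared -contains $account)       { $findings += 'account shared with another SQL service' }
    [pscustomobject]@{
        Service  = $svc.Name
        Account  = $svc.StartName
        Findings = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Accounts that reach an administrators group only through a nested domain group are not expanded by the local group check, so a row showing 'none' still deserves a look at the account's group memberships.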

All replies

  • Hello,

    You can refer to the link below:


    If your SQL Server interacts with other servers, services or resources on the network (e.g., file shares), or if your SQL Server services use linked servers to connect to other SQL Servers on the network, then you may use a low-privileged domain user account for running SQL Server services. A domain user account is the most recommended account for setting up SQL Server services that interact with other servers on the network. One of the plus points of using a domain user account is that the account is controlled by Windows Active Directory; therefore, domain-level policy on accounts applies to the SQL Server service account as well.

    http://blogs.technet.com/b/canitpro/archive/2012/02/08/the-sql-guy-post-15-best-practices-for-using-sql-server-service-accounts.aspx

    Also, the Service Account section in the link below covers a bit of your question:

    http://technet.microsoft.com/en-us/library/ms144228.aspx


    Wednesday, October 23, 2013 3:30 AM