Solved

sql services

Posted on 2011-09-06
Last Modified: 2012-05-12
Do the below look OK/appropriate? Are any of the service accounts not best?

I see in
http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/2986a020-b1bd-46a9-8f97-dbd439664f6a/
that LocalService is not a good idea.
sa.jpg
Question by: 25112
17 Comments
 
LVL 42

Accepted Solution

by:
dqmq earned 888 total points
ID: 36492727
It says LocalService MUST not be used for SQL Server Agent. That's not the same account as LocalSystem, which is shown in your graphic.  
0
 
LVL 5

Author Comment

by:25112
ID: 36492899
OK, I see what you are saying. Other than that, are all the other services OK/appropriate?
0
 
LVL 3

Assisted Solution

by:JHolycloud
JHolycloud earned 224 total points
ID: 36493610
They seem OK, as long as you don't use the SQL Server in a domain. If your SQL Server is part of a domain, you should consider changing the service to use a domain user account,
because by using the local system account you'll have problems when you need SQL Server to access other computers in your network/domain.
0
 
LVL 42

Assisted Solution

by:dqmq
dqmq earned 888 total points
ID: 36493788
That's a workable approach, but not considered extremely secure.  The reason being that those accounts are shared by other packages and whoever administers those packages gains a free ride to SQL Server resources.

For stronger security, it's preferable to use special service accounts with strong passwords.  Dedicate a different local windows account for each running service. If you are running Windows Server 2008 R2, then you can use the Managed Service Account feature to administer the service accounts from active directory.
0
 
LVL 5

Author Comment

by:25112
ID: 36495943
OK.
JHolycloud, you are recommending a domain account and dqmq would recommend a local account, is that right? (Just trying to make sure I understand correctly.)

dqmq: the following says Managed Service Accounts are not applicable for SS?
http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
0
 
LVL 21

Assisted Solution

by:mastoo
mastoo earned 888 total points
ID: 36496253
Using a domain account for sql can be more convenient but is less secure.
0
 
LVL 5

Author Comment

by:25112
ID: 36496398
>> For stronger security, it's preferable to use special service accounts with strong passwords
What are these special service accounts?
0
 
LVL 5

Author Comment

by:25112
ID: 36496403
>> Using a domain account for sql can be more convenient but is less secure.
What is the alternative you would suggest? Local accounts or OS default accounts (LocalService etc.)?
0
 
LVL 21

Assisted Solution

by:mastoo
mastoo earned 888 total points
ID: 36496928
My book I use for all things SQL Server says "it depends". At the most secure end, you're using separate accounts for each service and each is tailored to have the minimum requirements. I don't carry it that far, so I'm just suggesting don't grant your SQL engine network permissions unless it is really a requirement. In our case, SQL has no business talking to the network although SQL Agent needs to on a few servers. If network isn't required, you could use a local account or a fairly restricted domain account.
0
 
LVL 42

Assisted Solution

by:dqmq
dqmq earned 888 total points
ID: 36497305
> What are these special service accounts?

Local accounts that you create and dedicate to the service. Each has the minimal set of permissions it needs to do its job and is independent from other service accounts. If you use Configuration Manager to assign the account to the service, then Configuration Manager will take care of the permissions.
0
 
LVL 5

Author Comment

by:25112
ID: 36498150
mastoo, if the app server needs to access SQL Server, then it needs the network, right? Are your app and DB on the same server, and hence not needing the network?
0
 
LVL 5

Author Comment

by:25112
ID: 36498171
>> Local Accounts that you create and dedicate to the service.
You are referring to one of the below?
    LocalService
    NetworkService
    LocalSystem

Can they still do domain-wide communication to other servers for data transfers?
0
 
LVL 21

Assisted Solution

by:mastoo
mastoo earned 888 total points
ID: 36498336
Even if your app server is a different server, your SQL engine doesn't need network credentials. It would just be "outbound" things from SQL that would necessitate network credentials.

And for your other question, NetworkService and LocalSystem refer to built-in accounts. The term "local accounts that you create and dedicate" means you create a "user" on the server and that user is specifically used by one of the SQL services. This gives you a high level of isolation for each service, which makes security people feel good.
0
 
LVL 42

Assisted Solution

by:dqmq
dqmq earned 888 total points
ID: 36499038
> You are referring to one of the below?
    LocalService
    NetworkService
    LocalSystem
No, those are built-in, shared accounts.

I am referring to special accounts that YOU create and dedicate to a service. Usually, they are named according to a convention that includes the DBMS server and service that they are supporting.
0
 
LVL 5

Author Comment

by:25112
ID: 36499797
mastoo, do you use built-in or dedicated accounts in your case, when you mentioned that you do not need network access for the SQL service account?

>> It would just be "outbound" things from sql that would necessitate network credentials.
The app server initiates the request, right? So it will be two-way always?

Thanks for confirming, dqmq.
0
 
LVL 21

Assisted Solution

by:mastoo
mastoo earned 888 total points
ID: 36499923
We're sort of in between. We use one domain account for our SQL Agents that need network access, and the other SQL services run under an account local to the server that we create during install (one local account per server).

Yes, the app server sends questions to SQL and SQL responds with results, and SQL wouldn't require network credentials. Our SQL Agent only requires a domain account for network access because some of the jobs are copying backup files over the network and things like that.
0
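An added audit script, not from any participant in this thread, that applies what dqmq and mastoo describe above: it lists each SQL Server service on the local host, classifies the account it runs under, and flags LocalService on the Agent, shared built-in accounts, one account reused by several SQL services, and domain credentials on the engine. The service-name prefixes used to find SQL services are an assumption.

```powershell
# Added example, not from the thread. Audits the account behind each SQL Server
# service on the local host and flags the patterns the answers above warn about.
# Assumption: SQL services are identified by these well-known name prefixes.
function Get-SqlServiceAccountReport {
    $shared = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $sqlSvc = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLBrowser|SQLWriter|MsDtsServer|ReportServer|MSOLAP)' }

    # Non-built-in accounts used by more than one service (dqmq: dedicate one per service)
    $reuse = $sqlSvc | Where-Object { $shared -notcontains $_.StartName } |
        Group-Object StartName | Where-Object Count -gt 1 | ForEach-Object Name

    foreach ($s in $sqlSvc) {
        $acct = $s.StartName
        $kind = switch -Regex ($acct) {
            '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' { 'built-in shared'; break }
            '^NT Service\\'             { 'virtual per-service'; break }   # NT Service\<name> virtual accounts
            '\$$'                       { 'managed service account'; break } # MSA/gMSA names end in $
            "^(\.|$env:COMPUTERNAME)\\" { 'local dedicated'; break }
            '\\'                        { 'domain'; break }
            default                     { 'local dedicated' }
        }
        $findings = @()
        if ($s.Name -like 'SQLAgent*' -and $acct -eq 'NT AUTHORITY\LocalService') {
            $findings += 'LocalService must not be used for SQL Server Agent'
        }
        if ($kind -eq 'built-in shared') {
            $findings += 'shared built-in account: other packages using it inherit SQL rights'
        }
        if ($reuse -contains $acct) {
            $findings += 'account reused by another SQL service; dedicate one account per service'
        }
        if ($kind -eq 'domain' -and $s.Name -like 'MSSQL*') {
            $findings += 'engine has network credentials; confirm an outbound need exists'
        }
        $finding = if ($findings) { $findings -join '; ' } else { 'ok' }
        [pscustomobject]@{
            Service = $s.Name
            State   = $s.State
            Account = $acct
            Kind    = $kind
            Finding = $finding
        }
    }
}

Get-SqlServiceAccountReport | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the SQL host; a row whose Finding is not "ok" is a candidate for reassignment through SQL Server Configuration Manager, which also applies the needed permissions as dqmq notes.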
 
LVL 5

Author Comment

by:25112
ID: 36542708
Thanks for the pros & cons.
0
