SQL service accounts and vulnerabilities

One of the checks microsofts baseline security analyser does is:

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.

The explanation it gives though is a bit weak on how much of a risk it is if SQL related service accounts are run as system or members of local admin groups.

My question is will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins?
LVL 3
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph OLoughlinIT Support SpecialistCommented:
Yes, the services will run fine.  If you first create a local or domain account for the service, installing SQL and providing that accounts credentials, will add any additional permissions (run as a service) if their needed.  
Local Admin can basically do anything.  There's a history of SQL injection attacks allowing arbitrary code be run.  I have an apostrophe in my surname, and am almost daily disappointed with forms / sql that handles that poorly.
Elevation of privilege exploits from localsystem, or even exploits using permissions localsystem has, to scan for other vunerabilities...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Vitor MontalvãoMSSQL Senior EngineerCommented:
If you install SQL Server on Windows Server 2008R2 or higher you can use Virtual Accounts for the services which provides more security and you don't need to do anything else like add the accounts to Local Administrator group.
0
Eugene ZCommented:
<will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins? >
answer: yes
Risk: it depends on your business needs and sql and depended apps and components needs.
In many cases you'd like to run sql server service account as local admin (and always sa sql)..



Setting Up Windows Service Accounts
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.