SQL service accounts and vulnerabilities

Posted on 2014-11-13
Last Modified: 2014-12-04
One of the checks Microsoft's Baseline Security Analyzer does is:

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.

The explanation it gives though is a bit weak on how much of a risk it is if SQL related service accounts are run as system or members of local admin groups.

My question is: will the SQL software run fine if these service accounts are run under the context of lesser-privilege accounts, and what is the risk in having these service accounts run as LocalSystem or as a member of local admins?

Question by: pma111
3 Comments
 
LVL 11

Accepted Solution

by: Joseph O'Loughlin (earned 668 total points)
ID: 40439745
Yes, the services will run fine. If you first create a local or domain account for the service, installing SQL and providing that account's credentials will add any additional permissions (run as a service) if they're needed.
Local Admin can basically do anything. There's a history of SQL injection attacks allowing arbitrary code to be run. I have an apostrophe in my surname, and am almost daily disappointed with forms / SQL that handle that poorly.
Elevation of privilege exploits from LocalSystem, or even exploits using permissions LocalSystem has, to scan for other vulnerabilities...
Assisted Solution

by: Vitor Montalvão (earned 668 total points)
ID: 40439921
If you install SQL Server on Windows Server 2008 R2 or higher, you can use Virtual Accounts for the services, which provide more security, and you don't need to do anything else like adding the accounts to the Local Administrators group.
Assisted Solution

by: Eugene Z (earned 664 total points)
ID: 40444682
> will the SQL software run fine if these service accounts are run under the context of lesser-privilege accounts, and what is the risk in having these service accounts run as LocalSystem or a member of local admins?

Answer: yes.
Risk: it depends on your business needs and the needs of SQL and dependent apps and components.
In many cases you'd like to run the SQL Server service account as local admin (and always sa sql)..

Setting Up Windows Service Accounts
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
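The MBSA check the question quotes, and the virtual-account point from Vitor's answer, can be verified on a host with the following audit script. It is an added example, not code from the thread or from Microsoft; it assumes PowerShell 5.1+ on Windows 10 / Server 2016 or later (for Get-LocalGroupMember), and the service-name patterns are assumptions covering the default SQL Server and SQL Server Agent service names.

```powershell
# Added example: list SQL Server-related services and flag those that run as
# LocalSystem or whose account is a direct member of local Administrators.
# Assumed patterns for default SQL Server / Agent service names.
$patterns = 'MSSQL*', 'SQLAgent*', 'SQLSERVERAGENT', 'MSSQLSERVER'

$services = Get-CimInstance Win32_Service |
    Where-Object { $n = $_.Name; @($patterns | Where-Object { $n -like $_ }).Count -gt 0 }

# Resolve direct members of local Administrators once and compare by SID, so
# renamed or domain accounts still match. Nested domain groups are not expanded.
$adminSids = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.SID.Value }

$virtualAccountPrefix = 'NT SERVICE\'   # virtual accounts, available on 2008 R2+

foreach ($svc in $services) {
    $account = $svc.StartName          # e.g. 'LocalSystem', 'NT Service\MSSQLSERVER', 'DOMAIN\svc_sql'
    $finding = 'OK'

    if ($account -eq 'LocalSystem') {
        $finding = 'Runs as LocalSystem (full machine access; MBSA check fails)'
    }
    elseif ($account -like "$virtualAccountPrefix*") {
        $finding = 'Virtual account (least privilege by default)'
    }
    else {
        try {
            # Translate the account name to its SID for a reliable membership check.
            $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            if ($adminSids -contains $sid) {
                $finding = 'Account is a member of local Administrators (MBSA check fails)'
            }
        }
        catch {
            $finding = "Could not resolve account '$account'"
        }
    }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $account
        Finding = $finding
    }
}
```

Run it in an elevated session; each row tells you which of the two MBSA conditions a service violates, if any, and whether it already uses a virtual account.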