Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SQL service accounts and vulnerabilities

Posted on 2014-11-13
3
Medium Priority
?
277 Views
Last Modified: 2014-12-04
One of the checks microsofts baseline security analyser does is:

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.

The explanation it gives though is a bit weak on how much of a risk it is if SQL related service accounts are run as system or members of local admin groups.

My question is will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins?
0
Comment
Question by:pma111
3 Comments
 
LVL 11

Accepted Solution

by:
Joseph O'Loughlin earned 668 total points
ID: 40439745
Yes, the services will run fine.  If you first create a local or domain account for the service, installing SQL and providing that accounts credentials, will add any additional permissions (run as a service) if their needed.  
Local Admin can basically do anything.  There's a history of SQL injection attacks allowing arbitrary code be run.  I have an apostrophe in my surname, and am almost daily disappointed with forms / sql that handles that poorly.
Elevation of privilege exploits from localsystem, or even exploits using permissions localsystem has, to scan for other vunerabilities...
0
 
LVL 52

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 668 total points
ID: 40439921
If you install SQL Server on Windows Server 2008R2 or higher you can use Virtual Accounts for the services which provides more security and you don't need to do anything else like add the accounts to Local Administrator group.
0
 
LVL 43

Assisted Solution

by:Eugene Z
Eugene Z earned 664 total points
ID: 40444682
<will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins? >
answer: yes
Risk: it depends on your business needs and sql and depended apps and components needs.
In many cases you'd like to run sql server service account as local admin (and always sa sql)..



Setting Up Windows Service Accounts
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Ready to get certified? Check out some courses that help you prepare for third-party exams.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question