Solved

SQL service accounts and vulnerabilities

Posted on 2014-11-13
3
256 Views
Last Modified: 2014-12-04
One of the checks microsofts baseline security analyser does is:

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.

The explanation it gives though is a bit weak on how much of a risk it is if SQL related service accounts are run as system or members of local admin groups.

My question is will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins?
0
Comment
Question by:pma111
3 Comments
 
LVL 11

Accepted Solution

by:
Joseph O'Loughlin earned 167 total points
ID: 40439745
Yes, the services will run fine.  If you first create a local or domain account for the service, installing SQL and providing that accounts credentials, will add any additional permissions (run as a service) if their needed.  
Local Admin can basically do anything.  There's a history of SQL injection attacks allowing arbitrary code be run.  I have an apostrophe in my surname, and am almost daily disappointed with forms / sql that handles that poorly.
Elevation of privilege exploits from localsystem, or even exploits using permissions localsystem has, to scan for other vunerabilities...
0
 
LVL 47

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 167 total points
ID: 40439921
If you install SQL Server on Windows Server 2008R2 or higher you can use Virtual Accounts for the services which provides more security and you don't need to do anything else like add the accounts to Local Administrator group.
0
 
LVL 42

Assisted Solution

by:EugeneZ
EugeneZ earned 166 total points
ID: 40444682
<will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins? >
answer: yes
Risk: it depends on your business needs and sql and depended apps and components needs.
In many cases you'd like to run sql server service account as local admin (and always sa sql)..



Setting Up Windows Service Accounts
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Foxpro errors 4 28
What is the proper way to use for criteria in left join? 7 24
Querying data from 3 SQL tables 2 30
SQL view 2 25
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now