Solved

SQL service accounts and vulnerabilities

Posted on 2014-11-13
3
261 Views
Last Modified: 2014-12-04
One of the checks microsofts baseline security analyser does is:

SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.

The explanation it gives though is a bit weak on how much of a risk it is if SQL related service accounts are run as system or members of local admin groups.

My question is will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins?
0
Comment
Question by:pma111
3 Comments
 
LVL 11

Accepted Solution

by:
Joseph O'Loughlin earned 167 total points
ID: 40439745
Yes, the services will run fine.  If you first create a local or domain account for the service, installing SQL and providing that accounts credentials, will add any additional permissions (run as a service) if their needed.  
Local Admin can basically do anything.  There's a history of SQL injection attacks allowing arbitrary code be run.  I have an apostrophe in my surname, and am almost daily disappointed with forms / sql that handles that poorly.
Elevation of privilege exploits from localsystem, or even exploits using permissions localsystem has, to scan for other vunerabilities...
0
 
LVL 48

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 167 total points
ID: 40439921
If you install SQL Server on Windows Server 2008R2 or higher you can use Virtual Accounts for the services which provides more security and you don't need to do anything else like add the accounts to Local Administrator group.
0
 
LVL 42

Assisted Solution

by:EugeneZ
EugeneZ earned 166 total points
ID: 40444682
<will the SQL software run fine if these service accounts are run under the context of lesser privelege accounts, and what is the risk in having these serivce accounts run as localsystem or a member of local admins? >
answer: yes
Risk: it depends on your business needs and sql and depended apps and components needs.
In many cases you'd like to run sql server service account as local admin (and always sa sql)..



Setting Up Windows Service Accounts
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SQL STANDARD CORE 8 40
Query for timesheet application 3 18
SQL USE DATABASE VARIABLE 5 30
partitioning database after decade growth 8 29
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
I have a large data set and a SSIS package. How can I load this file in multi threading?
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question