Pau Lo

SQL Service permissions

Can anyone provide some input as to what the risks are in running SQL Services (MSSQLServer, SQLServerAgent) as:

local admin
domain admin
local SYSTEM

What is the risk? I presume this comes from a security concern? Is it common to run these services with such permissions? Do they in fact even need these permissions? Is there a list of what permissions are required to run these services, or any specific best practices from Microsoft themselves?
ASKER CERTIFIED SOLUTION
Vitor Montalvão
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Pau Lo

ASKER

Thanks... from a security angle, is it saying that within SQL itself there is the ability to query outside the database and onto file systems under the context of a domain admin? Or is it a case of, if there was a security bug in SQL, that if exploited you could elevate permissions up to domain admin?
Pau Lo

ASKER

>Depending on if the server instance will need to access other domain resources or not

Can you provide some examples of when a SQL Server would require access to other domain resources?
>within SQL itself there is the ability to query outside the database and onto file systems under the context of a domain admin...

That's true, but that's why the MSSQL Service account should be used only by the SQL Server, and no extra permissions should be granted except the necessary ones.

>Can you provide some examples of when a SQL Server would require access to other domain resources?

When you want to replicate data between SQL Server instances in different domains, or when you want to import/export data from/to a network share that is in a different domain.

With this:

>Depending on if the server instance will need to access other domain resources or not

I mean there could be other services on that server that connect to other resources (clustering).

greetings
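
To check which of the three contexts from the question (local admin, domain admin, local SYSTEM) the SQL services on a host actually run under, here is an added example that is not part of the original thread. The function name `Get-SqlServiceAccountRisk` and the default `$PrivilegedGroups` list are assumptions for illustration, and the named-instance patterns (`MSSQL$<name>`, `SQLAgent$<name>`) go beyond the default-instance service names mentioned in the question.

```powershell
# Added example, not from the thread. Run on the SQL Server host (Windows PowerShell 5.1+).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-SqlServiceAccountRisk {
    param(
        # Assumption: the domain groups you treat as high privilege.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
    )
    # Direct members of local Administrators (well-known SID S-1-5-32-544).
    $localAdmins = @((Get-LocalGroupMember -SID 'S-1-5-32-544').Name)

    # Default-instance service names from the question, plus named instances.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$' } |
        ForEach-Object {
            $svc = $_
            # Win32_Service reports local accounts as ".\name"; expand to "HOST\name".
            $account  = $svc.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"
            $findings = @()
            if ($account -eq 'LocalSystem')      { $findings += 'local SYSTEM' }
            if ($localAdmins -contains $account) { $findings += 'local admin (direct member)' }

            $domain, $sam = $account -split '\\', 2
            $builtIn = @($env:COMPUTERNAME, 'NT AUTHORITY', 'NT Service')
            if ($sam -and ($builtIn -notcontains $domain)) {
                try {
                    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Domain', $domain)
                    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, 'SamAccountName', $sam)
                    # GetAuthorizationGroups() also returns nested memberships.
                    $groups = @(if ($user) { $user.GetAuthorizationGroups() | ForEach-Object SamAccountName })
                    foreach ($g in $groups) {
                        if ($PrivilegedGroups -contains $g)      { $findings += "member of $g" }
                        if ($localAdmins -contains "$domain\$g") { $findings += "local admin via $g" }
                    }
                } catch {
                    $findings += "domain lookup failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Service  = $svc.Name
                Account  = $account
                Findings = if ($findings) { $findings -join '; ' } else { 'none found' }
            }
        }
}

Get-SqlServiceAccountRisk | Format-Table -AutoSize -Wrap
```

Service accounts given in UPN form (`user@domain`) and managed service accounts are not resolved by the domain lookup here and need a manual check.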