SQL Service permissions

Can anyone provide some input as to what the risks are in running SQL Services (MSSQLServer, SQLServerAgent) as:

local admin
domain admin
local SYSTEM

What is the risk? I presume this comes from a security concern. Is it common to run these services with such permissions, and do they in fact even need these permissions? Is there a list of what permissions are required to run these services, or any specific best practices from Microsoft themselves?
pma111 Asked:
Vitor Montalvão (MSSQL Senior Engineer) Commented:
Hi pma111,

I wrote an article about the SQL Server service account where I talked about the security risks.
kulboy Commented:
Local System is not recommended, it is an administrator equivalent account and thus can lead to questionable coding that takes advantage of administrator privileges which would not be allowed in a production system since security conscious Admins/DBAs really don't like to run services as admin.

Depending on if the server instance will need to access other domain resources or not should determine which type of low privilege account it should run under.

If it does not need to access any (non-anonymous) domain resources then I normally create a unique local, low privilege account for it to run under in order to gain the additional security benefit of not having multiple services running in the same identity context. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services.

If it does need to access non-anonymous domain resources then you have three options:

1. Run as Network Service which is also a low privilege account but one that retains the computer's network credentials.
2. Run under a Local Service Account
3. Run under a custom domain account with low local privileges. One advantage to running under the developer's account is that it is easier to attach debuggers to processes in your own identity without compromising security so debugging is easier (since non-Admin accounts do not have the privilege to attach a debugger to another identity's process by default). A disadvantage to using another domain account is the overhead of managing those accounts, especially since each service for each developer should ideally have unique credentials so you do not have any leaks if a developer were to leave.

Most of what I tend to do does not require the service to access domain resources so I tend to use unique local low privilege accounts that I manage. I also run exclusively as a non-admin user (and have done so under XP SP2, Server 2003, Vista and Server 2008 with no major problems) so when I have cases where I need the service to access domain resources then I have no worries about using my own domain credentials (plus that way I don't have to worry the network admins about creating/maintaining a bunch of non-production domain identities).

source: http://stackoverflow.com/a/63944

Also good Microsoft reading here: https://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
pma111 (Author) Commented:
Thanks... from a security angle is it saying within SQL itself there is the ability to query outside the database and onto file systems under the context of a domain admin... or is it a case of if there was a security bug in SQL that if exploited that you could elevate permissions up to domain admin...
pma111 (Author) Commented:
>Depending on if the server instance will need to access other domain resources or not

Can you provide some examples of when a SQL Server would require access to other domain resources?
Vitor Montalvão (MSSQL Senior Engineer) Commented:
>within SQL itself there is the ability to query outside the database and onto file systems under the context of a domain admin...

That's true but that's why the MSSQL Service account should be used only by the SQL Server and no extra permissions should be granted but the necessary ones.

>Can you provide some examples of when a SQL Server would require access to other domain resources?

When you want to Replicate data between SQL Server instances in different domains or when you want to Import/Export data from/to a network share that is in a different domain.
kulboy Commented:
With this:

>Depending on if the server instance will need to access other domain resources or not

I mean there could be other services on that server that connect to other resources (clustering).

Greetings
Anthony Perkins Commented:
If you are using Windows 2008/2012 consider using Managed or Virtual Accounts.  That is the way going forward.
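
One way to check which of the cases discussed in this thread applies on a given server, as an added example that is not part of the original thread or any participant's post: it lists the account each SQL Server service runs as and flags local SYSTEM or direct membership of the local Administrators group. The function name Get-ServiceAccountRisk and the finding labels are hypothetical; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts module, run elevated on the database server.

```powershell
# Added example (not from the thread): audit the identity of the SQL Server services.
# Get-ServiceAccountRisk and the finding labels are hypothetical names for illustration.

# Default instance plus named instances (MSSQL$<instance>, SQLAgent$<instance>).
$pattern  = '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern }

# Direct members of the local Administrators group (well-known SID S-1-5-32-544).
# Nested membership is NOT expanded: an account that is admin only through a
# domain group (for example Domain Admins) must be checked in the directory.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })

function Get-ServiceAccountRisk {
    param([string]$StartName, [string[]]$LocalAdmins)

    # Win32_Service reports local accounts as ".\name"; normalise to "COMPUTER\name"
    # so the value can be compared with the group member names.
    $account = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"

    if ($account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
        return 'HIGH: runs as local SYSTEM'
    }
    if ($LocalAdmins -contains $account) {
        return 'HIGH: direct member of local Administrators'
    }
    if ($account -like 'NT Service\*') { return 'OK: virtual account' }
    if ($account -like '*$')           { return 'OK: looks like a managed service account' }
    if ($account -like 'NT AUTHORITY\Network*') {
        return 'REVIEW: Network Service, an identity shared with other services'
    }
    if ($account -like 'NT AUTHORITY\Local*') {
        return 'REVIEW: Local Service, described in the thread as not supported'
    }
    return 'REVIEW: confirm the rights and group membership of this account'
}

$services | ForEach-Object {
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        Finding = Get-ServiceAccountRisk -StartName $_.StartName -LocalAdmins $admins
    }
} | Format-Table -AutoSize
```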