Another Reason to Use A Special Service Account

Another Reason to Use A Special Service Account

  • Comments 1

When I'm asked what the least-used feature of SQL Server is, I often have to reply that it is "good security". Many installations take all the default settings, and most use programmatic security rather than the features built in to SQL Server.

This is especially true of the service accounts used to run the SQL Server engine and SQL Agent. The best practice for these accounts is to create a Windows account with no special privileges. Then just select that account to run the service during the installation or using the SQL Server Configuration Manager. Those tools will give the account everything it needs to run the Instance. They do not need to be domain admins.

Also, use a separate account for each service, with a strong password. By doing that you can track what each service is doing in the logs, rather than having the same account run the Engine and the Agent.

Using the built-in accounts (like Network Service) is the worst thing you can do, and for a reason you might not think of at first. These system accounts are used to run other software as well - and the administrators for those software packages would have access to your SQL Server system if you use the same service accounts.

There's a topic in Books Online on this that you can read here: http://msdn.microsoft.com/en-us/library/ms143691.aspx

Leave a Comment
  • Please add 5 and 4 and type the answer here:
  • Post