Service Account Security | SQL Server Performance Forums


I am running 2000 std ed. In an attempt to tighten security, I have read that where possible, it is advisable to run the SQL service under a domain account with no special rights (e.g. Domain User). As such I have created an account "sqlserver" and made it a member of Domain Users. (Our instance should not require administrator privileges.) As per my advice, I have given the account Full Control permissions to the disk/array used for the data files (raid5 – dedicated to the SQL data files) and the disk used for the transaction logs (partition on raid 1). I was under the impression that Read Only access would suffice to the directory where SQL Server was installed (c:\program files\etc – c: is partition on raid 1 set) and applied this accordingly, however the SQL service could not start until I gave the entire c: drive permission to read and execute. I was wondering if someone could explain
1) why this is
2) if I could reduce these permissions to a particular folder/folders rather than the entire c: drive? Is there in fact any increased risk by the SQL service having this access to the entire c: drive (which is used for the entire OS & all programs in our case)?
1) Because the domain account must have permission to write the information to the data files on the SQL Server it is using.
2) Allow that domain account to have FULL CONTROL permissions on SQL Server binaries path, data & transaction log files, backup drive path etc.

http://databasejournal.com/features/mssql/article.php/3349561 FYI, and SQL Server accepts commands after a user gains access to a database. All activities a user performs in a database are communicated to SQL Server through Transact-SQL statements. When an instance of SQL Server receives a Transact-SQL statement, it ensures the user has permission to execute the statement in the database. If the user does not have permission to execute a statement or access an object used by the statement, SQL Server returns a permissions error.

Satya SKJ
Contributing Editor & Forums Moderator
http://www.SQL-Server-Performance.Com
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
The exact rights needed should be available in BOL or on the Microsoft site. If you cannot find it, this is what you can do. Perform a new SQL Server install on a test machine and specify a standard domain (or local) user account during installation. Then the install will set the correct rights for this account. After install, go through the folders and local security policy options to see what rights the account has.
If the account doesn’t have execute permissions on the "folders" – actually: on the files contained in that folder – how do you expect the program to be able to start under that account?
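The check suggested in the replies above (look at what the account actually holds on each folder and in local security policy) can be scripted. The following PowerShell report is an added example, not code from any poster in this thread; the domain name `EXAMPLE`, the group list and all paths are placeholder assumptions to replace with your own values.

```powershell
# Added example. Placeholders (assumptions): EXAMPLE domain, group list, all paths.
# First identity is the service account; the rest are groups it belongs to,
# because rights granted to a group apply to the account as well.
param(
    [string[]] $Identities = @('EXAMPLE\sqlserver', 'EXAMPLE\Domain Users', 'BUILTIN\Users',
                               'NT AUTHORITY\Authenticated Users', 'Everyone'),
    [string[]] $Paths = @('C:\', 'C:\Program Files\Microsoft SQL Server',
                          'D:\SQLData', 'E:\SQLLogs')
)

$write = [System.Security.AccessControl.FileSystemRights]::Write

# NTFS: every ACE on each path that applies to the account or one of its groups.
$report = foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Path not found, skipped: $path"
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($Identities -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $path
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType    # Allow or Deny
                Rights    = $ace.FileSystemRights
                # True when the ACE carries write bits; ACEs that use generic
                # rights show up as raw numbers in Rights and need a manual look.
                CanWrite  = (($ace.FileSystemRights -band $write) -ne 0)
                Inherited = $ace.IsInherited
            }
        }
    }
}
$report | Sort-Object Path, Identity | Format-Table -AutoSize

# Local security policy: user rights assigned directly to the service account.
# Run elevated; secedit writes SIDs as *S-1-5-... in the exported file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $nt  = New-Object System.Security.Principal.NTAccount($Identities[0])
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $pattern = [regex]::Escape("*$sid") + '(,|\s*$)'
    Select-String -Path $cfg -Pattern $pattern |
        ForEach-Object { ($_.Line -split '=')[0].Trim() }
} catch {
    Write-Warning "Could not resolve $($Identities[0]) to a SID: $($_.Exception.Message)"
}
```

Rows with `Inherited` set to True on the installation folder show where a grant at the drive root is what the service is relying on, which is the place to test a narrower, folder-level grant.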