Service Accounts (security related) | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive


Hello, folks, I have a problem and am seeking your comments. Our team supports 150+ SQL 2000/2005 instances company-wide. In order to manage the service accounts more easily, we used the same domain account for all the SQL services; this domain account was granted both local Windows box and SQL instance SA privileges. Recently, somebody raised a question: one single domain account having SA privileges for all the SQL instances, including the Windows boxes, seems a bad security practice. We are trying to think about the potential problems and practical changes. Folks, what do you think?
——————
Bug explorer/finder/seeker/locator
——————
There is no second thought on whether the service account should be a domain user account or a built-in account: it should be a domain user account. The service account decides under which context SQL Server accesses system resources such as files, folders and registry keys. If your domain administrator has followed strict guidelines for domain accounts, then a plain user account will have no rights on the domain. When you configure replication and Database Mail kinds of activity, it is always better to have a domain user as the service account. But the question is: is it justifiable to have the same service account for all the SQL Servers? I think it depends. If all the servers are under the same DBA(s), then there is no problem; after all, the DBA(s) are responsible for data security. It again depends upon organisational policy and politics. At times you may have an isolated wing under the same organisation. In short, what I feel is that in any case it should be a domain user, but whether it is one domain user or many is debatable. Thanks, Madhu

Using one account for all the services is a bad practice, which I never recommend. Rather, you can take out services that are 24/7 or 9-to-5 type systems and choose a different account for such prime-risk systems, with a secured password. With recent changes and sorts of good practices, you might need to change the SA password or SQL service account to avoid any mass attack on your network. In this case it is better to have different accounts for different services to avoid a total failure of systems. Satya SKJ
Microsoft SQL Server MVP
Contributing Editor & Forums Moderator
http://www.SQL-Server-Performance.Com
This posting is provided AS IS with no rights for the sake of knowledge sharing.
Personally I think you should split your servers into groups.
This depends a lot on your organization layout.
High risk/low risk systems
7/24, 5/12 SLAs
Development/Test/Production systems
whatever you like... We decided to split our servers into dev/test/prod groups and set for each group one domain account that all SQL servers in the same group run with.
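Before deciding how to split the accounts, it helps to see which hosts actually share one today and on which of them that account also sits in the local Administrators group. The script below is an added example, not code posted by anyone in this thread. It queries Win32_Service and Win32_GroupUser over WMI when given host names, and ships with a constructed inventory so the grouping logic can be tried offline. Host names, the CORP domain and the svc_sql account names are made up for illustration.

```powershell
# Added example (not from the thread). Inventories the accounts that run SQL Server
# services on a list of hosts, flags any domain account shared by more than one host,
# and notes where that account is also a member of the local Administrators group.

function Get-SqlServiceInventory {
    # Live mode: one row per SQL-related service per host, via WMI.
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $c |
            Where-Object { $_.Name -match '^(MSSQL|SQLAgent|MSSQLSERVER|SQLSERVERAGENT)' }

        # Members of the local Administrators group, normalised to DOMAIN\name.
        # Note: WMI reports the service account in StartName as DOMAIN\name for domain
        # accounts; ".\name" (local) and LocalSystem will not match and are ignored here.
        $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $c |
            Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
            ForEach-Object {
                if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                    "$($matches[1])\$($matches[2])"
                }
            }

        foreach ($s in $services) {
            [pscustomobject]@{
                Computer     = $c
                Service      = $s.Name
                Account      = $s.StartName
                IsLocalAdmin = [bool]($admins -contains $s.StartName)   # -contains is case-insensitive
            }
        }
    }
}

function Find-SharedServiceAccounts {
    # Groups the inventory by account and reports only accounts used on more than one host.
    # Built-in accounts are skipped: they are per-machine identities, not shared secrets.
    param([object[]]$Inventory)
    $Inventory |
        Where-Object { $_.Account -notmatch '^(NT AUTHORITY|NT SERVICE|LocalSystem|\.\\)' } |
        Group-Object -Property Account |
        ForEach-Object {
            $hosts    = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
            $adminOn  = @($_.Group | Where-Object { $_.IsLocalAdmin } |
                          Select-Object -ExpandProperty Computer -Unique)
            if ($hosts.Count -gt 1) {
                [pscustomobject]@{
                    Account      = $_.Name
                    HostCount    = $hosts.Count
                    Hosts        = $hosts -join ', '
                    LocalAdminOn = $adminOn -join ', '
                }
            }
        }
}

# Constructed sample inventory standing in for live Get-SqlServiceInventory output.
$sample = @'
Computer,Service,Account,IsLocalAdmin
SQLPROD01,MSSQLSERVER,CORP\svc_sql,True
SQLPROD01,SQLSERVERAGENT,CORP\svc_sql,True
SQLPROD02,MSSQLSERVER,CORP\svc_sql,True
SQLDEV01,MSSQLSERVER,CORP\svc_sql_dev,False
SQLTEST01,MSSQLSERVER,NT AUTHORITY\NETWORK SERVICE,False
'@ | ConvertFrom-Csv | ForEach-Object { $_.IsLocalAdmin = [bool]::Parse($_.IsLocalAdmin); $_ }

# Offline run against the sample; for real hosts use:
#   $inv = Get-SqlServiceInventory -ComputerName (Get-Content .\sqlhosts.txt)
#   Find-SharedServiceAccounts -Inventory $inv | Format-Table -AutoSize
Find-SharedServiceAccounts -Inventory $sample | Format-Table -AutoSize
```

On the sample data only CORP\svc_sql is reported, as shared by SQLPROD01 and SQLPROD02 and local admin on both; the dev account and the built-in NETWORK SERVICE are left out. Running the live path against the 150 hosts gives the list of accounts to split along whatever grouping (risk, SLA, dev/test/prod) you settle on, and the LocalAdminOn column shows where the account holds more than SQL Server itself needs.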