For optimum security, is it recommended to use a single domain account for the SQL Server instances in a network?


Our team supports 150+ SQL Server 2000/2005 instances company-wide. In order to make it easier to manage the services accounts, we use the same domain account for all the SQL Services. This domain account has been granted both local machine and SA privileges. Recently, somebody raised a question about the wisdom of using the same domain account for all SQL Servers, suggesting that it might be a poor security practice. In our case, what is the best security practice?


In a perfect world, assuming we want security as perfect as we can attain, then we would want to assign a separate domain user account for each active SQL Server service, and for each individual instance. Of course, this is not practical.

The next best option, considering real world realities, would be to assign a different domain account for each of the services, but use the same domain accounts for all SQL Server instances. This is a more practical approach.

One of the things to keep in mind about service accounts is that they should not be members of the Domain Administrators Active Directory global group. In addition, service accounts should not be members of the local administrators local group of each individual SQL Server. In most cases, SQL Server services will work fine with no special rights and permissions. But not all cases. In some cases, SQL Server service accounts need more than basic rights and permissions, which is discussed in the following article. While this article covers SQL Server 2000, it also applies to SQL Server 2005.

So my suggestion is to use separate domain accounts for each service, but use these same domain accounts for all of your instances. In addition, ensure that these domain accounts don’t have more rights and permissions than they need to properly function. Following this suggestion, along with other SQL Server best security practices, will minimize security risks to your environment.
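The audit script below is an added example, not code from the original answer. It checks a list of SQL Server hosts for the three conditions the answer describes: one domain account reused across different service types (MSSQL vs. SQL Agent), a service account that sits in the host's local Administrators group, and a service account that is a direct member of Domain Admins. It assumes WMI (DCOM) access to each host and an Active Directory domain reachable through ADSI; the host names at the bottom are constructed placeholders, and the function and parameter names are my own.

```powershell
# Added example (not from the original post): audit SQL Server service logon accounts.
# Assumes WMI access to each host and ADSI access to the domain. Host names are placeholders.

function Test-DomainAdminMember {
    param([Parameter(Mandatory = $true)][string]$Account)   # "DOMAIN\sam"
    $sam = $Account.Split('\')[-1]
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if (-not $result) { return $false }
    # Direct membership only; nested group membership is not resolved here.
    return [bool]($result.Properties['memberof'] | Where-Object { $_ -like 'CN=Domain Admins,*' })
}

function Get-LocalAdministrators {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Returns members of the host's local Administrators group as "DOMAIN\name".
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-SqlServiceAccountReport {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    # Default instance, named instances (MSSQL$NAME) and SQL Agent services on 2000/2005.
    $filter = "Name = 'MSSQLSERVER' OR Name LIKE 'MSSQL`$%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT'"
    $rows = @()

    foreach ($computer in $ComputerName) {
        $localAdmins = @(Get-LocalAdministrators -ComputerName $computer)
        $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter $filter

        foreach ($svc in $services) {
            $account = $svc.StartName
            # Service "role" ignores the instance name, so MSSQL$A and MSSQL$B count as one role.
            $role = if ($svc.Name -like 'MSSQL*') { 'MSSQL' } else { 'SQLAgent' }
            $isDomainAccount = $account -match '^[^\\]+\\[^\\]+$' -and $account -notlike 'NT AUTHORITY\*'

            $rows += [pscustomobject]@{
                Computer      = $computer
                Service       = $svc.Name
                Role          = $role
                Account       = $account
                LocalAdmin    = [bool]($localAdmins -contains $account)
                DomainAdmin   = if ($isDomainAccount) { Test-DomainAdminMember -Account $account } else { $false }
            }
        }
    }

    # Flag accounts used for more than one service role (the answer accepts reuse across
    # instances of the same service, but not one account for both MSSQL and SQL Agent).
    $rolesPerAccount = @{}
    foreach ($r in $rows) {
        if (-not $rolesPerAccount.ContainsKey($r.Account)) { $rolesPerAccount[$r.Account] = @{} }
        $rolesPerAccount[$r.Account][$r.Role] = $true
    }
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName SharedAcrossRoles `
                        -NotePropertyValue ($rolesPerAccount[$r.Account].Count -gt 1)
    }
    return $rows
}

# Constructed placeholder host list; replace with real SQL Server hosts.
$hosts = @('SQLHOST01', 'SQLHOST02')
Get-SqlServiceAccountReport -ComputerName $hosts |
    Where-Object { $_.LocalAdmin -or $_.DomainAdmin -or $_.SharedAcrossRoles } |
    Format-Table Computer, Service, Account, LocalAdmin, DomainAdmin, SharedAcrossRoles -AutoSize
```

The final pipeline prints only the rows that violate one of the three rules, so a clean environment prints nothing. The Domain Admins check looks only at direct `memberOf` entries; if your domain grants admin rights through nested groups, resolve those separately before trusting a `False` in that column.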

