Running SQL Server Service as Domain User? - Security Concerns?

From: Mark Johnson (no-reply@nospam.com)
Date: 08/28/02


From: "Mark Johnson" <no-reply@nospam.com>
Date: Wed, 28 Aug 2002 14:23:35 -0400


Hello all:

I was just wondering about what potential security problems I should be
concerned about if I ran the SQL Server services as a limited access
domain user.

=======================================================
The Problem:
The way I have it set up right now, I have these services running as a
domain user called "sqlserveruser": MSSQL SERVER, MSSQLServerADHelper, and
SQLSERVERAGENT. This domain account, "sqlserveruser", has in turn been
added to the "Administrators" group of the SQL Server only (the local
"Administrators" group on the computer, not a domain "Administrators"
group.)
=======================================================

=======================================================
Why I am going through all this trouble in the first place:
I have a "linked server" connection to a Microsoft Access 97 database which
is located in a shared folder on a different server (in the same domain)
than the SQL server itself. In order for the SQL server service to have
access to this share, the user the SQL Server service runs as has to have
access to this directory. The domain account "sqlserveruser" is currently a
part of the "domain users" group, and I also added this user to the list of
users and groups that can access the shared folder that contains the MS
Access database.
=======================================================

Please note that I do have it "working" the way it is set up now, but my
concerns were just to follow the "principle of least privilege" as closely
as possible here.

Any comments/suggestions would be greatly appreciated. Thank you.

- Mark


