Re: Running SQL Server Service as Domain User? - Security Concerns?

From: Ron Talmage (rtalmage@prospice.com)
Date: 08/29/02


From: "Ron Talmage" <rtalmage@prospice.com>
Date: Thu, 29 Aug 2002 14:51:11 -0700


Mark,

Run the Microsoft Baseline Security Analyzer against your system to make
sure you have current updates, etc. It will probably recommend that you not
make your domain account a member of the local administrators group. In
Books Online, under "Setting up Windows Services Accounts", you can find
instructions on what rights on the database server the SQL Server and SQL
Agent accounts require.

Ron

--
Ron Talmage
SQL Server MVP
"Mark Johnson" <no-reply@nospam.com> wrote in message
news:#5hjj$rTCHA.2336@tkmsftngp08...
> Hello all:
>
> I was just wondering about what potential security problems I should be
> concerned about if I ran the SQL server services as a limited access
> domain user.
>
> =======================================================
> The Problem:
> The way I have it set up right now, I have these services running as a
> domain user called "sqlserveruser": MSSQL SERVER, MSSQLServerADHelper, and
> SQLSERVERAGENT.  This domain account, "sqlserveruser", has in turn been
> added to the "Administrators" group of the SQL Server only (the local
> "Administrators" group on the computer, not a domain "Administrators"
> group.)
> =======================================================
>
> =======================================================
> Why I am going through all this trouble in the first place:
> I have a "linked server" connection to a Microsoft Access 97 database which
> is located in a shared folder on a different server (in the same domain)
> than the SQL server itself.  In order for the SQL server service to have
> access to this share, the user the SQL Server service runs as has to have
> access to this directory.  The domain account "sqlserveruser" is currently a
> part of the "domain users" group, and I also added this user to the list of
> users and groups that can access the shared folder that contains the MS
> Access database.
> =======================================================
>
> Please note that I do have it "working" the way it is set up now, but my
> concerns were just to follow the "principle of least privilege" as closely
> as possible here.
>
> Any comments/suggestions would be greatly appreciated.  Thank-you.
>
> - Mark
>
>
>
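
The check discussed in this thread, as an added example that is not part of the original messages: a PowerShell audit that reports which account each SQL Server service runs as and whether that account is a direct member of the local Administrators group. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, run on the database server itself; the service names are those of a default instance as listed in the question, and `Resolve-AccountSid` is a helper introduced here.

```powershell
# Added example: audit SQL Server service accounts against local Administrators.
# Service names for a default instance (the post writes the first as "MSSQL SERVER").
$serviceNames = 'MSSQLSERVER', 'MSSQLServerADHelper', 'SQLSERVERAGENT'

# S-1-5-32-544 is the well-known SID of the built-in local Administrators group.
# Only direct members are listed; membership through a nested domain group
# is not expanded here and has to be checked separately.
$adminSids = @((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value)

function Resolve-AccountSid {
    param([string]$AccountName)
    # Win32_Service reports local accounts as ".\name"; expand the dot.
    if ($AccountName.StartsWith('.\')) {
        $AccountName = $env:COMPUTERNAME + $AccountName.Substring(1)
    }
    try {
        $nt = [System.Security.Principal.NTAccount]$AccountName
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # name could not be resolved (e.g. deleted account)
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $serviceNames -contains $_.Name }

$report = foreach ($svc in $services) {
    $finding =
        if ($svc.StartName -eq 'LocalSystem') {
            'Runs as LocalSystem: full control of the machine'
        } else {
            $sid = Resolve-AccountSid -AccountName $svc.StartName
            if (-not $sid)                  { 'Logon account could not be resolved' }
            elseif ($adminSids -contains $sid) { 'Direct member of local Administrators' }
            else                            { 'Not a direct member of local Administrators' }
        }
    [pscustomobject]@{
        Service      = $svc.Name
        LogonAccount = $svc.StartName
        Finding      = $finding
    }
}

$report | Format-Table -AutoSize
```

A row reading "Direct member of local Administrators" is the configuration the reply advises against; the rights the accounts actually need are the ones listed in the Books Online topic named above.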