Re: SQLServerAgent Service

From: LvBohemian (LvBohemian_at_discussions.microsoft.com)
Date: 06/20/05


Date: Sun, 19 Jun 2005 22:21:01 -0700

Thank you for replying, but as I mentioned, I am well aware that the article
states that the account used to start the SQLServerAgent Service must be a
member of the sysadmin role...

But that kind of contradicts the best practice that the account that sql
server runs under not be an administrative account...

What is the point of changing the sql service accounts if the account used
can do anything in the database?

The MSSQLServer Service does not have to be a member of the Sysadmin role
and can be a least privileged account as desirable and works fine that way...

But the SQLServerAgent Service account itself has to be a member of the
Sysadmin role in the database, and if you are using both services they both
need to be the same account...

So my point and my original question remains...
A service account that is a Sysadmin (DBA) is a huge security vulnerability...

Best practice is when you want to do admin work briefly log in as an
internal sql account that has the needed privileges to do the job at hand and
log out when done and leave the sql services running as a least privileged
account...

So why am I forced to leave the sql server running under an admin account
that if exposed can be exploited?

I am looking for an alternative which does not include running the
SQLServerAgent Service as an admin account nor disabling it and not using the
applicable built-in features of sql server for jobs, notifications, email etc.

Thanks in advance.


