Re: SQLServerAgent Service
From: Mark J. McGinty (mmcginty_at_spamfromyou.com)
Date: 06/21/05
- Next message: Gary: "OPENDATASOURCE"
- Previous message: Christian Donner: "RE: Moving Server"
- In reply to: LvBohemian: "Re: SQLServerAgent Service"
- Next in thread: LvBohemian: "Re: SQLServerAgent Service"
- Reply: LvBohemian: "Re: SQLServerAgent Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 20 Jun 2005 16:46:49 -0700
"LvBohemian" <LvBohemian@discussions.microsoft.com> wrote in message
news:8E447237-7BF7-46E0-A542-6EE6BFFD9E1A@microsoft.com...
> Thank you for replying, but as I mentioned, I am well aware that the article
> states that the account used to start the SQLServerAgent Service must be a
> member of the sysadmin role...
>
> But that kind of contradicts the best practice that the account that sql
> server runs under not be an administrative account...
>
> What is the point of changing the sql service accounts if the account used
> can do anything in the database?
>
> The MSSQLServer Service does not have to be a member of the Sysadmin role
> and can be a least privileged account as desirable and works fine that
> way...
>
> But the SQLServerAgent Service account itself has to be a member of the
> Sysadmin role in the database, and if you are using both services they both
> need to be the same account...
>
> So my point and my original question remains...
> A service account that is a Sysadmin (DBA) is a huge security
> vulnerability...
>
> Best practice is when you want to do admin work briefly log in as an
> internal sql account that has the needed privileges to do the job at hand and
> log out when done and leave the sql services running as a least privileged
> account...
>
> So why am I forced to leave the sql server running under an admin account
> that if exposed can be exploited?
>
> I am looking for an alternative; which does not include running the
> SQLServerAgent Service as an admin account nor disabling it and not using the
> applicable built-in features of sql server for jobs, notifications, email
> etc.
>
> Thanks in advance.
So what is your objection to running both under the LocalMachine account?
Its password cannot be compromised, it can't be used to login via the
network, it is not a member of any groups and therefore is also not a member
of any roles. It works here.
-Mark
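An audit check for the situation discussed in this thread, added here as an example (not code from either poster): it lists the "Log On As" account of the MSSQLServer and SQLServerAgent services and the logins that currently hold the sysadmin fixed server role, so you can see whether a service identity is also a sysadmin. It assumes a default instance on the local machine, Windows authentication for the connection, and SQL Server 2005 or later (sys.server_role_members).

```powershell
# Added example, not from the original thread.
# Assumes: default instance "MSSQLSERVER" on localhost, Windows authentication.

# 1. Which accounts do the two services run as? StartName is the "Log On As"
#    value; "LocalSystem" is the local machine account suggested in the reply.
Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'" |
    Select-Object Name, State, StartName

# 2. Which logins are members of the sysadmin fixed server role?
$query = @"
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection `
    'Server=localhost;Database=master;Integrated Security=SSPI'
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    Write-Output 'sysadmin members:'
    while ($reader.Read()) {
        '  {0} ({1})' -f $reader['login_name'], $reader['type_desc']
    }
    $reader.Close()
} finally {
    $conn.Close()
}
```

Compare the StartName values from step 1 against the login list from step 2: a service account that appears in both is the case the original poster objects to.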