Re: Specifying a logon account for SQL Server 2005 services
- From: Ben Nevarez <BenNevarez@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 4 Nov 2007 20:11:05 -0800
As I mentioned, using a Windows domain account with no permissions is the
recommended way to define a service account; the SQL Server setup program
will assign this account ALL the required permissions to do its job. Perhaps
the setup program does not give the 'Lock pages in memory' permission because
AWE is not configured during the software installation and instead, it is
configured only for very specific server and memory configurations.
Using an account with local administrator permissions is not a good security
practice as you are giving too many permissions.
If later you want to configure AWE you will need to assign the 'Lock pages
in memory' permission manually.
Hope this helps,
Ben Nevarez
Senior Database Administrator
AIG SunAmerica
"Hotmail User" wrote:
Well, if I create a least privileged domain account, and specify that as the
account to use while installing SQL Server, will SQL Server give this account
the privileges that you've mentioned like "Lock pages in memory", and the
ability to write to port 135, etc., since I guess I might at least need the
debugging capability.
Thanks.
"Erland Sommarskog" wrote:
Hotmail User (HotmailUser@xxxxxxxxxxxxxxxxxxxxxxxxx) writes:
Is it a less secure practice to specify the LOCALSYSTEM account as the
logon account for services when installing SQL Server 2005? Is it
possible to specify a lesser privileged account? Will that cause
problems for SQL Server?
The recommendation these days is to never give away more privileges than
necessary. The idea is that if you have a hole in an application for
SQL injection, and xp_cmdshell is open, the intruder should not
have too many privs to play with. So, basically use a plain user-domain
account.
Then again, LocalSystem has its point. It has strong permissions on
the machine, but cannot have network connections, so the intruder is a
bit contained in such a case. But you lock yourself in, too, and cannot
back up to network drives etc.
There are two cases I know SQL Server needs extra privs:
o To use AWE, the account needs the permission "Lock pages in memory".
o For SQL debugging to work, SQL Server needs to have permission to
write back to you on port 135. (I don't know the exact permissions.)
But there may be more that I am ignorant of.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
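The checks discussed in this thread, as an added example that is not part of the original posts: the script below reads which account the SQL Server service runs as, reports whether that account is a direct member of the local Administrators group (the "too many permissions" case), and checks whether it holds the "Lock pages in memory" user right, which is the SeLockMemoryPrivilege that AWE needs and that setup does not grant. With -GrantLockPages it grants that right through secedit, the manual step Ben describes. The default-instance service name MSSQLSERVER, the temp file names and the -GrantLockPages switch are assumptions of this example; it assumes it is run elevated, on the SQL Server host, in Windows PowerShell.

```powershell
# Added example, not from the original thread. Audits the SQL Server service
# account: local-admin membership and the "Lock pages in memory" right
# (SeLockMemoryPrivilege). Assumed: run elevated on the SQL Server host;
# the service name MSSQLSERVER is the default instance (pass
# -ServiceName 'MSSQL$INSTANCE' for a named instance).
param(
    [string]$ServiceName = 'MSSQLSERVER',
    [switch]$GrantLockPages   # only grant this right if you actually configure AWE
)

$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
$account = $svc.StartName
Write-Host "Service $ServiceName runs as: $account"

# Win32_Service reports built-in accounts under names the SID translator does
# not accept; map those to resolvable names. Domain accounts pass through.
$resolvable = switch ($account) {
    'LocalSystem'                 { 'NT AUTHORITY\SYSTEM' }
    'NT AUTHORITY\NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
    'NT AUTHORITY\LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
    default                       { $account }
}
$sid = (New-Object System.Security.Principal.NTAccount($resolvable)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "Account SID: $sid"

# Check 1: direct membership in the local Administrators group. Nested groups
# are not expanded, so a domain group that contains the account is not seen.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$shortName = $account.Split('\')[-1]
if ($account -eq 'LocalSystem') {
    Write-Host "WARNING: LocalSystem has full local privileges; prefer a plain domain account."
} elseif ($members -contains $shortName) {
    Write-Host "WARNING: $account is a direct member of local Administrators; SQL Server does not need that."
} else {
    Write-Host "OK: $account is not a direct member of local Administrators."
}

# Check 2: "Lock pages in memory". Export the local user-rights policy and
# look for the account's SID on the SeLockMemoryPrivilege line. secedit writes
# holders as '*SID' tokens separated by commas.
$exportInf = Join-Path $env:TEMP 'sqlsvc-userrights.inf'   # assumed temp file name
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$line = Get-Content $exportInf | Where-Object { $_ -match '^SeLockMemoryPrivilege\s*=' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}
$hasLockPages = $holders -contains "*$sid"
if ($hasLockPages) {
    Write-Host "OK: $account holds 'Lock pages in memory' (needed only for AWE)."
} else {
    Write-Host "INFO: $account does not hold 'Lock pages in memory'; required only if you configure AWE."
}

# Optional: grant the right by applying a security template with the current
# holders plus this account's SID. The service must be restarted afterwards,
# because a process token only picks up user rights at logon.
if ($GrantLockPages -and -not $hasLockPages) {
    $newValue = (@($holders) + "*$sid") -join ','
    $grantInf = Join-Path $env:TEMP 'sqlsvc-grant.inf'   # assumed temp file name
    $content  = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeLockMemoryPrivilege = $newValue"
    )
    Set-Content -Path $grantInf -Value $content -Encoding Unicode
    $db = Join-Path $env:TEMP 'sqlsvc-grant.sdb'
    secedit /configure /db $db /cfg $grantInf /areas USER_RIGHTS | Out-Null
    Write-Host "Granted 'Lock pages in memory' to $account; restart the $ServiceName service for it to take effect."
}
```

Save it as a .ps1 and run it from an elevated prompt on the SQL Server box. The script deliberately does not touch the debugging/port 135 point from the thread, since the exact permissions involved are not stated there. The Administrators check only sees direct members, so if your site puts service accounts into a domain group that is itself a local admin, confirm that separately.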