Posted by: Colin Smith
Roles, Separation of Roles, SQL Server
I have been finding so many servers that I have now that have application service accounts in the local Administrators group. I HATE this. Why, why, why do we not determine what the application needs and just give it that? I am only ranting about this because in SQL Server 2005 the local admin group is, by default, in the sysadmin role on the SQL Server. In 2008 MS took that out, but most of the 2008 instances I am coming up on have still had it put in. Not a good idea. Why would I ever want to give some generic application's service account the keys to my SQL Server kingdom? I do not even want most real people that I can talk to to have the sysadmin role on my servers. I am responsible for that server and all the data in it. I do not know what the random application might do; all I know for sure is that it has the option to do anything, ANYTHING, that it wants. Watch out for it, and when you see it, do whatever you can to get rid of it.
That is all for now.
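
An audit query for the situation described in the post, added here as an example and not part of the original post: it lists every member of the sysadmin role, flags the local Administrators group by its well-known SID (S-1-5-32-544, so it also matches on localized Windows builds), and expands that group to show which accounts inherit sysadmin through it. It assumes SQL Server 2005 or later and that you already hold sysadmin yourself.

```sql
-- Well-known SID S-1-5-32-544 (BUILTIN\Administrators) in binary form.
DECLARE @admins_sid varbinary(85);
SET @admins_sid = 0x01020000000000052000000020020000;

-- 1. Who is in sysadmin, and how did they get there?
SELECT
    m.name       AS member_name,
    m.type_desc  AS principal_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
    m.is_disabled,
    CASE
        WHEN m.sid = @admins_sid
            THEN 'Local Administrators group: every local admin is sysadmin'
        WHEN m.type = 'G'
            THEN 'Windows group: review its membership'
        ELSE ''
    END          AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY finding DESC, m.name;

-- 2. If the local Administrators group is in sysadmin, expand it so the
--    service accounts hiding inside the group become visible.
DECLARE @admins_name sysname;

SELECT @admins_name = m.name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.sid  = @admins_sid;

IF @admins_name IS NOT NULL
    EXEC master.dbo.xp_logininfo @acctname = @admins_name, @option = 'members';

-- 3. Removal. Left commented out on purpose: before running it, confirm that
--    at least one other enabled login you control is in sysadmin (query 1),
--    otherwise you can lock yourself out of the instance.
-- EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
--                           @rolename = N'sysadmin';
```

Any application service account returned by step 2 should get its own login with only the permissions the application needs before the group is dropped from sysadmin.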