 best practice for SQL Agent account security
Hello... kind of a "newbie" question here, but appreciate the insight. In order to bring our systems in line with best practices, I'm changing a couple of SQL instances from running under LocalSystem to running under a specific account. Same goes for the SQL Agent. Note that these accounts are local Windows accounts, not AD accounts. I've made all the Books Online-recommended security settings but was wondering the following: Should the Agent/Server accounts be part of the Users group? In other words, are the permissions specified in Books Online ALL that's needed (and I can therefore remove them from the Users group)? Should the Agent/Server account be allowed to log on locally? Thanks for tips.

ASKED: May 28, 2004  1:12 PM
UPDATED: June 3, 2004  8:56 PM

Answer Wiki:
You or your network admin should do the following: 1) Create a "common" SQL Service domain account (e.g., Domain1SQLService). 2) Make the account a member of the local Admin group on each server. 3) Load any SQL Server AND SQL Agent services through that account. Such accounts can/should be allowed to log on locally. However, you might want to remove the BUILTIN Administrators group from the sysadmin SS role (but only after first creating a login with sysadmin membership for a DBA group!).
Last Wiki Answer Submitted: June 3, 2004 7:15 pm by MisterMac
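
Added example, not part of the original answer: a T-SQL sketch of the ordering the answer insists on, where the replacement sysadmin logins are created and verified before BUILTIN\Administrators loses the role. The names DOMAIN1\SQLDBAs and DOMAIN1\SQLService are placeholders; the script uses the legacy procedures of the SQL Server 2000 era, which later versions still ship.

```sql
-- Placeholder names (assumptions): substitute your own DBA group and service account.
DECLARE @dba sysname, @svc sysname;
SET @dba = N'DOMAIN1\SQLDBAs';      -- Windows group for the DBAs
SET @svc = N'DOMAIN1\SQLService';   -- account running SQL Server and SQL Agent

-- 1) Give the DBA group its own login and sysadmin membership.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = @dba)
    EXEC sp_grantlogin @loginame = @dba;
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = @dba AND sysadmin = 1)
    EXEC sp_addsrvrolemember @loginame = @dba, @rolename = N'sysadmin';

-- 2) The Agent service account must be sysadmin in its own right. If it only
--    has the role through local Administrators membership, step 4 would
--    take that away and the Agent could no longer connect with it.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = @svc)
    EXEC sp_grantlogin @loginame = @svc;
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = @svc AND sysadmin = 1)
    EXEC sp_addsrvrolemember @loginame = @svc, @rolename = N'sysadmin';

-- 3) Guard: stop unless both replacement logins are usable sysadmins.
IF (SELECT COUNT(*) FROM master.dbo.syslogins
    WHERE name IN (@dba, @svc)
      AND sysadmin = 1 AND hasaccess = 1 AND denylogin = 0) < 2
BEGIN
    RAISERROR('Replacement sysadmin logins not in place; BUILTIN\Administrators left unchanged.', 16, 1);
    RETURN;
END

-- 4) Only now remove the local Administrators group from sysadmin.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE name = N'BUILTIN\Administrators' AND sysadmin = 1)
    EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators',
                              @rolename = N'sysadmin';

-- 5) Review who holds sysadmin afterwards.
SELECT name, isntgroup, isntuser
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY name;
```

Before running it, confirm that the login you are connected with is covered by the DBA group (or is otherwise a sysadmin independent of BUILTIN\Administrators), so the session does not remove its own access.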


Discuss This Question:
Fair enough. Thanks for the input!

-John
