Don’t run the SQL Server Account as Local Administrator or member of the Administrator Group?

Tags:
SQL Server
SQL Server administration
SQL Server security
Based on the advice "Don't run the SQL Server Account as Local Administrator or member of the Administrator Group": will this setup prevent you from using critical features? How did you get around this?

The link below makes reference to how a critical feature, the "Automatic Server Restart Feature", is affected if the SQL Server Account is NOT run with sufficient privileges. My question is, based on what you read above, are they saying:

1. To run the "Automatic Server Restart Feature" you should ensure the SQL Server Account logs on with "Log on as a service" rights on the computer in addition to having the following permissions:
   * Full control of the main Microsoft® SQL Server™ directory (by default, Mssql).
   * Full control of the SQL Server database files, regardless of storage location.
   * The Log on as a service right. Ensure that all logon hours are allowed in the Logon Hours dialog box.
   * Full control of registry keys at and below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer.
   * Selection of the Password Never Expires box.
   * Full control of registry keys at and below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServer.
   * Full control of registry keys at and below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib.

OR

2. Alternatively, if the above is not done, to run the "Automatic Server Restart Feature" the SQL Server Account MUST be a Windows NT account with local administrator privileges to:
   * Create SQL Server Agent CmdExec and Microsoft ActiveX® Script jobs not belonging to members of the sysadmin fixed server role.
   * Use the automatic server restart feature of SQL Server Agent.
   * Create SQL Server Agent jobs to be run when the server is idle.

Basically, do you think that they are laying out two alternatives to solve the issue, or just the last one? If so, then this contradicts another Microsoft advisory.

Microsoft TechNet's "Implementation of Server Level Security and Object Level Security" advises against running SQL Server services as Local System/Local Administrator. The MSSQL Server service should be started as a user-level account. This reduces the risk that it can be used by an attacker to increase their privilege on the database server and the network. However, SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem. The problem with running SQL Server as Local System is that it provides more privilege than is necessary. Your valued feedback will be appreciated.
ASKED: June 9, 2008  1:09 AM
UPDATED: October 22, 2013  2:54 PM

Answer Wiki


I generally do not run my SQL Servers with the SQL Account having Admin rights to the OS, and I’ve never had a problem with features of the platform not working correctly. I know that the SQL Agent has the ability to auto-restart the database, but as far as I know I’ve never had to use that auto restart feature.

The advice I give people when setting up a SQL Server under a domain account which does not have admin rights to the Server’s OS is to be sure to enable the Log on as a batch job, and the Log on as a service rights for that account.

Whenever you are using a domain account you need to check the Password never expires check box so that the account doesn't lock itself when the password expires.
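
The checks the answer recommends (the service account not being LocalSystem or a local Administrator, holding the Log on as a service and Log on as a batch job rights, and having Password never expires set), as an added PowerShell audit script that is not part of the original thread. It assumes PowerShell 5.1 or later in an elevated session on the SQL Server host, a service name passed as a parameter, and the ActiveDirectory RSAT module only for the domain-account password check; nested group membership is not resolved.

```powershell
# Added audit example (not from the original thread): report how a SQL Server
# service account is configured against the guidance in this thread.
# Assumes an elevated session on the SQL Server host, PowerShell 5.1+.
param([string]$ServiceName = 'MSSQLSERVER')   # e.g. 'SQLSERVERAGENT' or 'MSSQL$INSTANCE'

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName                       # e.g. 'CONTOSO\svc_sql' or 'LocalSystem'

# 1. LocalSystem, or a direct member of the local Administrators group?
#    (membership through nested groups is not resolved here)
$isLocalSystem = $account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$adminMembers  = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
$isLocalAdmin  = $adminMembers -contains $account

# 2. User rights: export the local security policy and look for the account's SID
$sid = if ($isLocalSystem) { 'S-1-5-18' } else {
    (New-Object Security.Principal.NTAccount($account)).Translate(
        [Security.Principal.SecurityIdentifier]).Value
}
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf
function Test-Right([string]$Right) {
    # secedit writes lines such as "SeServiceLogonRight = *S-1-5-21-...,*S-1-5-80-..."
    $line = $rights | Where-Object { $_ -like "$Right *" } | Select-Object -First 1
    return [bool]$line -and ($line -like "*$sid*" -or $line -like "*$account*")
}

# 3. Password never expires (domain accounts need the ActiveDirectory RSAT module)
$user = $account.Split('\')[-1]
$neverExpires = 'unknown'
try {
    if ($account -like "$env:COMPUTERNAME\*" -or $account -like '.\*') {
        $neverExpires = -not (Get-LocalUser -Name $user).PasswordExpires   # null => never
    } elseif (-not $isLocalSystem) {
        $neverExpires = (Get-ADUser $user -Properties PasswordNeverExpires).PasswordNeverExpires
    }
} catch { }

[pscustomobject]@{
    Service               = $ServiceName
    Account               = $account
    RunsAsLocalSystem     = $isLocalSystem   # should be False
    InLocalAdministrators = $isLocalAdmin    # should be False
    LogOnAsService        = Test-Right 'SeServiceLogonRight'   # should be True
    LogOnAsBatchJob       = Test-Right 'SeBatchLogonRight'     # should be True
    PasswordNeverExpires  = $neverExpires    # True for a domain account, per the answer
}
```

Run it once per SQL service (engine and Agent) and treat any True in the first two flags, or a False in the two logon rights, as a deviation from the guidance above.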
