Service account password expiration issue

  • If SQL server, Report server service account and/or agent service account must be configured with domain accounts, and the company's management allows zero exception to password expiration policy, what option do you have to deal with this kind of company policy? When the password expires, the server will stop theoretically, but I found that once the password expires, the server service will continue to run, and only stop when you refresh the service. I could be mistaken. (Anyone know for sure about the service stoppage due to the service account password expiration?)

    Also, other than marking the date of password reset on your calendar, does Microsoft have any workaround to this kind of company password expiration policy?

  • I have the same understanding as yours that if the password expires SQL Server won’t stop functioning unless it restarts.

    I don’t want to argue on Company Policy but if I would be you then I would have tried to convince Management for adding SQL Server Service Accounts in exceptions list. It doesn’t make any sense at all. Also, it’s an industry standard for Database Administration (Guys... please correct me if I am wrong).

    If there is no go except accepting the policy, I would add an alert in SQL Server (not sure if it's doable) rather than a calendar.
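The "alert rather than a calendar" idea above can be scripted outside SQL Server. The following PowerShell is an added example, not code from this thread or from Microsoft: it enumerates the SQL Server, SQL Agent and Reporting Services services on the host, and for each one running as a domain account reads the AD-computed password expiry time so an expiring account is flagged before the next service restart. The service-name patterns, the 14-day threshold and the idea of running it from a scheduled task are assumptions.

```powershell
# Added example, not code from the thread: report password-expiry status for the domain
# accounts that run SQL Server, SQL Agent and Reporting Services on this host.
# Run on the SQL Server host as a domain user that can read Active Directory.
# Service-name patterns and the warning threshold are assumptions.
param([int]$WarnDays = 14)

function Get-PasswordExpiry {
    # Returns a [DateTime], the string 'NeverExpires', or $null when the account is not found.
    # msDS-UserPasswordExpiryTimeComputed already applies the domain and any fine-grained policy.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $hit = $searcher.FindOne()
    if (-not $hit) { return $null }
    $raw = [int64]$hit.Properties['msds-userpasswordexpirytimecomputed'][0]
    if ($raw -eq [int64]::MaxValue) { return 'NeverExpires' }   # DONT_EXPIRE_PASSWORD is set
    return [DateTime]::FromFileTime($raw)                        # 0 = "must change at next logon" (1601-01-01)
}

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT|ReportServer)' }

$report = foreach ($svc in $services) {
    $row = [ordered]@{ Service = $svc.Name; Account = $svc.StartName; State = $svc.State;
                       ExpiresOn = $null; DaysLeft = $null; Status = '' }

    # LocalSystem, NT AUTHORITY\... and NT Service\... accounts have no expiring password.
    $isDomain = ($svc.StartName -match '^(?<domain>[^\\]+)\\(?<user>.+)$') -and
                ($Matches.domain -notin @('NT SERVICE', 'NT AUTHORITY', '.'))

    if (-not $isDomain) {
        $row.Status = 'Built-in or virtual account (no expiring password)'
    } elseif ($Matches.user.EndsWith('$')) {
        $row.Status = 'Managed service account (password rotated by AD)'
    } else {
        $expiry = Get-PasswordExpiry -SamAccountName $Matches.user
        if ($null -eq $expiry) {
            $row.Status = 'Account not found in AD'
        } elseif ($expiry -is [string]) {
            $row.Status = 'Password never expires'
        } else {
            $row.ExpiresOn = $expiry
            $row.DaysLeft  = [int][math]::Floor(($expiry - (Get-Date)).TotalDays)
            $row.Status = if ($row.DaysLeft -lt 0) { 'EXPIRED: service will fail at next start' }
                          elseif ($row.DaysLeft -le $WarnDays) { 'Expiring soon: reset in a maintenance window' }
                          else { 'OK' }
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Only the actionable rows go to the warning stream, which a scheduled task can forward as an alert.
$report | Where-Object { $_.Status -notmatch '^(OK|Password never|Built-in|Managed)' } |
    ForEach-Object { Write-Warning "$($_.Service) ($($_.Account)): $($_.Status)" }
```

Whichever way the "does the service keep running" question is settled, the check gives warning before the next planned restart, and the "EXPIRED" and "Account not found" rows are the ones worth paging on. Running it daily from Task Scheduler under an account that only reads AD keeps the check itself low-privilege.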

  • My management is very big on beefing up security, so I could not convince her. Unfortunately, my management does not have a technology background at all, which made convincing her more difficult.

    I heard someplace that for SharePoint admins this also becomes an issue, and I heard that Microsoft has something called something like a Managed Service Account that addresses this issue, but I'm not sure if this term also applies to SQL Server.
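The managed service account mentioned in the previous post is an Active Directory feature rather than a SharePoint one, and SQL Server 2012 and later can run its services under one (check the documentation for your version and edition, particularly for clustered instances). The block below is an added example, not code from this thread or from Microsoft, showing how a group managed service account (gMSA) is created for a SQL Server host and verified there; Active Directory rotates the password itself, so there is no password for the expiration policy to bite on and none for a DBA to keep in a calendar. The host, account and domain names are assumptions.

```powershell
# Added example, not code from the thread or from Microsoft: create a group managed service
# account for a SQL Server host, install it there, and confirm the host can retrieve the
# password that Active Directory rotates on its own. Host, account and domain names are assumed.
# Prerequisites: a KDS root key in the forest (Add-KdsRootKey, run once by a domain admin),
# the ActiveDirectory module (RSAT) on the machines used, and SQL Server 2012 or later on the host.
Import-Module ActiveDirectory

$sqlHost     = 'SQLHOST01'        # assumed SQL Server computer account
$accountName = 'svc-sql-gmsa'     # gMSA sAMAccountName must be 15 characters or fewer
$dnsName     = "$accountName.corp.example"

# Step 1 (from any domain-joined admin workstation): create the gMSA. Only the listed computer
# account may retrieve the managed password, and AD rotates it every 30 days.
New-ADServiceAccount -Name $accountName `
                     -DNSHostName $dnsName `
                     -PrincipalsAllowedToRetrieveManagedPassword "$sqlHost$" `
                     -ManagedPasswordIntervalInDays 30

# Step 2 (on the SQL Server host): cache the account locally and prove the password is retrievable.
Install-ADServiceAccount -Identity $accountName
if (-not (Test-ADServiceAccount -Identity $accountName)) {
    throw "$sqlHost cannot retrieve the managed password for $accountName; check the principal list and the KDS root key."
}

# Step 3: review the rotation settings. Nobody knows this password, and nobody has to change it.
Get-ADServiceAccount -Identity $accountName -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval' |
    Select-Object Name, SamAccountName, PasswordLastSet, 'msDS-ManagedPasswordInterval'
```

The account is then assigned in SQL Server Configuration Manager as `CORP\svc-sql-gmsa$` with the password field left blank; Configuration Manager grants the per-service rights when it changes the account, which is why the thread's advice to use it rather than the Services console still applies. Use a separate gMSA for the Database Engine and for SQL Agent, in line with the one-account-per-service practice listed later in this thread.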

  • Best practices for SQL Server service accounts

    • Use a specific user account or domain account rather than a shared account for SQL Server services.

    • Use a separate account for each service.

    • Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.

    • Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.

    • Always use SQL Server Configuration Manager to change service accounts.

    • Change the service account password at regular intervals.

    • Use CREDENTIALs to execute job steps that require specific privileges rather than adjusting the privilege to the SQL Server Agent service account.

    • If an agent user needs to execute a job that requires different Windows credentials, assign them a proxy account that has just enough permissions to get the task done.

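The last two items in the list above (credentials and proxies instead of a more privileged Agent service account) are easy to get wrong, so here is an added example of the full setup, not code from this thread or from Microsoft. It uses the SqlServer PowerShell module's Invoke-Sqlcmd to run the T-SQL; the instance name, the low-privilege Windows account, the login that is allowed to use the proxy, and the share path are all assumptions.

```powershell
# Added example, not code from the thread: give one Agent job step the Windows identity it needs
# through a CREDENTIAL and a proxy, instead of widening the SQL Agent service account.
# Instance, account names, login and share path are assumptions. Requires the SqlServer module.
Import-Module SqlServer   # provides Invoke-Sqlcmd

$instance  = 'SQLHOST01'
$identity  = 'CORP\svc-jobs'                      # low-privilege account the step runs as
$secret    = Read-Host -Prompt "Password for $identity"
$secretSql = $secret.Replace("'", "''")           # escape single quotes for the T-SQL literal

$setup = @"
-- The credential stores the Windows identity that the proxy will impersonate.
CREATE CREDENTIAL [FileShareCred] WITH IDENTITY = N'$identity', SECRET = N'$secretSql';

-- The proxy wraps the credential and is granted to one subsystem only (CmdExec here).
EXEC msdb.dbo.sp_add_proxy @proxy_name = N'FileShareProxy', @credential_name = N'FileShareCred', @enabled = 1;
EXEC msdb.dbo.sp_grant_proxy_to_subsystem @proxy_name = N'FileShareProxy', @subsystem_name = N'CmdExec';

-- Only this login (or role) may create job steps that run under the proxy.
EXEC msdb.dbo.sp_grant_login_to_proxy @proxy_name = N'FileShareProxy', @login_name = N'CORP\JobOwners';

-- The job step runs as the proxy identity, not as the SQL Agent service account.
EXEC msdb.dbo.sp_add_job @job_name = N'Nightly export copy';
EXEC msdb.dbo.sp_add_jobstep @job_name = N'Nightly export copy', @step_name = N'Copy to share',
     @subsystem = N'CmdExec', @command = N'copy D:\Export\*.csv \\FILESRV\exports\',
     @proxy_name = N'FileShareProxy';
EXEC msdb.dbo.sp_add_jobserver @job_name = N'Nightly export copy';
"@

Invoke-Sqlcmd -ServerInstance $instance -Query $setup

# Verify: which proxies exist, which credential each wraps, and which Windows identity that is.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT p.name AS proxy, c.name AS credential, c.credential_identity
FROM msdb.dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id;
"@
```

Two points worth checking afterwards: the proxy identity `CORP\svc-jobs` needs only write access to the share and the right to log on as a batch job on the SQL host, nothing more, and when that account's password is reset the credential has to be updated with ALTER CREDENTIAL, which is a T-SQL change with no service restart, unlike a password change on the SQL Agent service account itself.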

  • As far as Report server service is concerned, I think you should stay away, well, at least don't need domain accounts. The recommendation is network service account - for reporting services.

    http://www.informit.com/articles/article.aspx?p=357694&seqNum=2

    Also, for Agent/SQL Server service account, I think you need to try to convey to management the need to have a non-expiring password for SQL Service A/c. Do not use a shared account, because outsiders will have access to the password/account and hence to SQL with Admin privileges.

    I wouldn't suggest relying on the service continuing to run after the password expires. What happens when scheduled reboots take place? Or even something like CPU spikes, tempdb full, etc., where services would have to be restarted?

    You can tell management you would have to keep tabs on all accounts and change passwords, which is an unnecessary task and against standard practice.

    Also, if your reminder to change the password is up, do you just change the password and restart services, and don't you need an outage? I think you need to express that to mgmt and weigh the cost of extra work and the risk of outages. The only thing I don't know is the sensitive nature of your data and, as such, the requirements to change the password.

    One suggestion I can give is ask for talking with your security folks and then tell management/security people that you will have the service account's right to login to the server via remote desktop revoked, if that helps. You can still have the account created, where you are given the opportunity to change your password at first login.

    I don't think, except in some cases, that the SQL service account password has to be changed, due to the risk of outages.

    I request experts correct me if I am wrong, or if there are better suggestions.

  • salum (12/24/2011)


    Best practices for SQL Server service accounts

    • Use a specific user account or domain account rather than a shared account for SQL Server services.

    • Use a separate account for each service.

    • Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.

    • Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.

    • Always use SQL Server Configuration Manager to change service accounts.

    • Change the service account password at regular intervals.

    • Use CREDENTIALs to execute job steps that require specific privileges rather than adjusting the privilege to the SQL Server Agent service account.

    • If an agent user needs to execute a job that requires different Windows credentials, assign them a proxy account that has just enough permissions to get the task done.

    Nice Work. It will certainly help OP.

    Adding one clarification here. ‘Change the service account password at regular intervals’ doesn’t mean Policy Enforcement. It should be done by DBA considering Maintenance window.

    Recommended Reading for Service Account Setup...

    http://msdn.microsoft.com/en-us/library/ms143504.aspx

    http://msdn.microsoft.com/en-us/library/ms144228.aspx
