SQL Service Account for Services - What level of Permissions ?

  • I know the best practice is to give the account for SQL services the least privileges.

    From MS SQL 2005 best Practices:

    "... When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. ..."

    But what does that really mean ??

    1) If I'm setting up a brand new install, and create a domain login called "My_Domain\SQL_Services", what actually are the least privileges that it needs? I won't put it in the domain Admin group, but where should it go?

    2) Also, I've just inherited an environment with pretty wide open security and the service account has sysadmin rights in SQL. How far can I back it down ?

  • 1. The service account user just needs to be a normal domain user. If you assign it during install or using SQL Server Configuration Manager it gets assigned the rights it needs on the server.

    2. You should have a group ServerName\SQLServer2005MSSQLUser$ServerName$MSSQLSERVER which has rights to SQL Server, and the service account should be in that local group on the server. You do not need to assign rights specifically to the service account.

    Jack Corbett
    Consultant - Straight Path Solutions
    Check out these links on how to get faster and more accurate answers:
    Forum Etiquette: How to post data/code on a forum to get the best help
    Need an Answer? Actually, No ... You Need a Question

  • Hello,

    As far as permissions go inside of the Database Server, try to think about what the account is going to need to do: what databases/tables/objects it's going to need to touch and whether it's going to be selecting, updating, deleting, etc. from those objects. Once you have a list you can set specific permissions inside the database for this account.

    Good luck,

    GP

  • So, my "Domain\SQLservice" account user just needs to be a normal domain user, not an admin. And then put it in the local "SQL Server2005...$...$..." groups as needed ?

  • homebrew01 (9/24/2008)


    So, my "Domain\SQLservice" account user just needs to be a normal domain user, not an admin. And then put it in the local "SQL Server2005...$...$..." groups as needed ?

    Yes, just a normal domain user. No, you don't need to put it in the group(s) as long as you apply the account at install or use the SQL Server Configuration Manager to change the account; both of these ways will automatically give the account the permissions needed.

    Jack Corbett
    Consultant - Straight Path Solutions

  • Thanks. Currently I'm working on existing installs that I'm trying to fix.
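
For the inherited-install case discussed in this thread, a read-only T-SQL audit that shows where the service account's rights inside SQL Server come from. This is an added example, not code from any poster; `My_Domain\SQL_Services` is the example name from the question and should be replaced with the real account.

```sql
-- Added example: read-only audit, changes nothing. Runs on SQL Server 2005+.
-- Assumption: @svc is the service account login (name taken from the question).
DECLARE @svc sysname;
SET @svc = N'My_Domain\SQL_Services';

-- 1) Fixed server roles held by the account's OWN login (e.g. sysadmin).
--    No rows means the login holds no server role directly, or has no login.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @svc;

-- 2) Every member of sysadmin, including Windows groups such as the local
--    SQLServer2005MSSQLUser$... group mentioned in the answers above.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 3) Server-level permissions granted or denied directly to the login.
SELECT p.class_desc, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = @svc;

-- 4) Every path (direct login or Windows group) through which the account
--    reaches the instance, and the privilege level each path confers.
--    Errors if the name is not a valid Windows account.
EXEC master.dbo.xp_logininfo @acctname = @svc, @option = 'all';
```

If result 1 shows a direct sysadmin membership while result 4 shows the account also arrives through the local SQL Server group, the direct membership is the candidate to review first.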
