A few changes have taken place in SQL Server 2008, starting with the Windows local groups that have been a component of SQL Server installs prior to SQL Server 2008. The groups are still created, but rights are no longer granted in SQL Server for them. Accounts selected during the SQL Server install process for service startup are the only accounts that are granted rights in SQL Server.
To maintain a secure environment you should always run SQL Server services using the minimum amount of user rights. Additional permissions should not be granted to these accounts. It is recommended that a specific user account or domain account should be used for SQL Server services. Shared accounts should not be used. A Domain User account that does not have permissions as a Windows administrator is more appropriate for use with SQL Server services. Using the Network Service account for SQL Server services is not recommended since it is shareable. A Network Service account should only be considered if it can be ensured that no other services that use the account are installed on the computer.
Warning
Make sure that you are aware of which types of accounts are recommended for use with SQL Server services.
Figure 1 shows the SQL Server Services in the SQL Server Configuration Manager.
Exercise. Get Familiar with the SQL Server Configuration Manager
We do not want to modify anything at this point, but it is a good time to get familiar with the SQL Server Configuration Manager. Let's take a look around:
1. Open up the SQL Server Configuration Manager.
2. Right-click on SQL Server Agent and click Properties.
3. In the properties window on the Log On tab, click on the drop-down menu for Built-in account: and take a look at the available accounts.
4. Now take a look on the Service tab and locate the Start Mode. Remember that at the time of install this service is disabled. This is where you would change the Start Mode in order to enable SQL Server Agent.
5. Select the Cancel button to exit Properties.
6. Exit the SQL Server Configuration Manager.
Domain Service Accounts versus Local Service Accounts
There are a few restrictions on which account types can be used by SQL Server services, and a couple of things to consider when selecting an account type to use with a SQL Server service.
If the service must access file shares or use linked server connections to other SQL servers, using a minimally privileged Domain user account is the best option.
The Local Service account is a built-in account with the same level of access to resources and objects as members of the Users group. The limited access of the Local Service account can help safeguard the system if individual services or processes are compromised.
You cannot use a Local Service account for SQL Server or SQL Server Agent.
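The account guidance in both sections above can be checked with a short PowerShell audit. This is an added example, not code from the original text; the sample rows, the CONTOSO\svc-sqlengine account and the Get-AccountFinding helper are constructed for illustration, and the Local System check is an addition based on the minimum-rights rule.

```powershell
# Added example: audit SQL Server service accounts against the guidance above.
# The rows below are constructed sample data so the script runs anywhere.
# On a real host, replace them with:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, StartName, StartMode
$services = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'CONTOSO\svc-sqlengine';       StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'NT AUTHORITY\LocalService';   StartMode = 'Disabled' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTS';  StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'Dnscache';       StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Auto' }
)

# Engine and Agent service names for default and named instances.
$sqlPattern = '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'

function Get-AccountFinding {
    param([string]$StartName, [int]$ServicesUsingAccount)
    switch -Regex ($StartName) {
        '^(NT AUTHORITY\\)?Local ?Service$' {
            return 'INVALID: Local Service cannot run SQL Server or SQL Server Agent' }
        '^(NT AUTHORITY\\)?Network ?Service$' {
            if ($ServicesUsingAccount -gt 1) {
                return 'SHARED: Network Service is also used by other services' }
            return 'REVIEW: Network Service is shareable and not recommended' }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            # Not named in the text; flagged under the minimum-rights rule.
            return 'REVIEW: Local System exceeds minimum rights' }
        default {
            if ($ServicesUsingAccount -gt 1) {
                return 'SHARED: account runs more than one service' }
            return 'OK: dedicated account; confirm it is not a Windows administrator' }
    }
}

# Count how many services (SQL or not) run under each account.
$usage = @{}
foreach ($s in $services) {
    $key = "$($s.StartName)".ToLower()
    $usage[$key] = 1 + [int]$usage[$key]
}

$services | Where-Object { $_.Name -match $sqlPattern } | ForEach-Object {
    $count = $usage["$($_.StartName)".ToLower()]
    [pscustomobject]@{
        Service   = $_.Name
        Account   = $_.StartName
        StartMode = $_.StartMode
        Finding   = Get-AccountFinding -StartName $_.StartName -ServicesUsingAccount $count
    }
} | Format-Table -AutoSize
```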