Embedded Files
"Always run SQL Server services by using the lowest possible user rights. Use a MSA, gMSA or virtual account when possible. When MSA, gMSA and virtual accounts aren't possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Don't grant additional permissions to the SQL Server service account or the service groups. Permissions are granted through group membership or granted directly to a service SID, where a service SID is supported." (4)
"When resources external to the SQL Server computer are needed, Microsoft recommends using a managed service account (MSA), configured with the minimum privileges necessary." (2)"Resources external to the SQL Server" would be things like INSERT BULK loading from a file location on a different computer (3)
Virtual Account
Virtual Account
MSA (Managed Service Account)
MSA (Managed Service Account)
gMSA
gMSA
Low Privilege Domain Account
Low Privilege Domain Account
MSSQL Service Account
MSSQL Service Account
The MSSQL Service Account name should own the MS-SQL Service
The service account (in case of a local or AD account) and service SID should not be members of the Windows Administrators group.
SQL2008
(TODO Needs additional info)
New-ADUser -Name "SQL01_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitialPassword!!!" -Force)
SQL2012
(TODO Needs additional info)
New-ADServiceAccount -Name "SQL01_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True
MSSQL Agent Service Account
MSSQL Agent Service Account
The MSSQL Agent Service Account name should own the MS-SQL Agent Service
The service account (in case of a local or AD account) and service SID should not be members of the Windows Administrators group.
SQL2008
(TODO Needs additional info)
New-ADUser -Name "SQL01_Agent_SVC" -Enabled $True -AccountPassword (ConvertTo-SecureString -AsPlainText "InitPass!!!" -Force)
SQL2012
(TODO Needs additional info)
New-ADServiceAccount -Name "SQL01_Agent_SVC" -DNSHostName "SQL01.mydomain.local" -Enabled $True
Bibliography & References
Bibliography & References
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions(2) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#stand-alone-server-or-domain-controller(4) https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16#New_Accounts(3) https://dba.stackexchange.com/questions/276454/whats-the-meaning-of-resources-external-to-the-sql-server-computer-are-neededhttps://www.sqlservercentral.com/articles/configuring-service-account-privileges-for-sql-serverhttps://dba.stackexchange.com/questions/315980/sql-service-account-group-policy-permissionshttps://dba.stackexchange.com/questions/89701/sql-server-service-account-windows-privileges-and-rights
Page updated
Google Sites
Report abuse