SQL Server 2005 Service Accounts – What Account for What Service?

I’m installing SQL Server 2005 and have come to the Service Account part of the wizard. This dialog essentially tells you the services that are going to be installed and gives you options like what services you want started when the installation finishes and what service/domain account you want to run each of the services under.

Not only is the dialog a little bit confusing the first few times you see it, but it is also difficult for someone with teach just coming through to figure out what the best option is if you want to give the services the least privileges.

What do I want to do?

I want to figure out how best to securely set up a SQL Server. I want to figure out what would be best for the situation where you are hosting a box publicly.

I’ve checked the “Customize for each service account” option and also selected the “Use the built-in System account” radio button for each of the services. The reason I checked the “Customize for each service account” was due to the fact that the same account will be assigned to all services otherwise, and this, I’ve read, is not the most secure option as the account you assign might be too privileged for some of the services. I also selected the “Use the built-in System account” because I don’t want this experiment to connect to a domain controller, but want it to stand alone.

So… Which account do I use for which service???

If you read here you can read this under the “Using the Network Service Account” heading:

Microsoft recommends that you do not use the Network Service account for the SQL Server or SQL Server Agent services. Local User or Domain User accounts are more appropriate for these SQL services.

Oh great… well, unless I’m mistaken, that is exactly what the “SQL Server” service is set to by default… Later on in the same page there is a hint maybe that this is needed for xp_sendmail, but I’ve no knowledge of that.

So… Should I use the Built-in Accounts at all?

So I have to choose which account

http://www.yaldex.com/sql_server_tutorial_3/ch02lev1sec2.html

We recommend that you do not use any of the built-in accounts for the SQL Server services because they may be too powerful and prone to security threats. Instead, use a local user or a domain user account with the lowest possible privileges. For more information and best practices, see “Security Considerations for a SQL Server Installation” in Books Online.

Well they think I shouldn’t!

If that is true (and it probably is) then:

  • How do I create my own service account?
  • How do I assign them to the services via this dialog? Or do I have to change them later?

No information yet. So the best option seems to be to just leave the service-to-service-account mapping that the dialog has by default… Till I can figure out a better way… At which time I’ll update this!
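
The recommendations quoted above advise against built-in accounts for the SQL Server services. As an added example (not part of the original post), this PowerShell snippet lists the installed SQL Server services with the account each one runs under and flags built-in accounts; matching services by a display name that starts with "SQL Server" and the helper name `Get-AccountKind` are assumptions of the example.

```powershell
# Added example: audit the logon account of every SQL Server service.
# Assumption: SQL Server services have a display name starting with "SQL Server".

function Get-AccountKind {
    # Hypothetical helper: classify a service logon account (Win32_Service.StartName).
    param([string]$StartName)

    # Normalise "NT AUTHORITY\NETWORK SERVICE", "NT AUTHORITY\NetworkService", etc.
    $n = ($StartName -replace '^NT AUTHORITY\\', '' -replace '\s', '').ToLower()
    switch ($n) {
        'localsystem'    { return 'built-in (Local System)' }
        'networkservice' { return 'built-in (Network Service)' }
        'localservice'   { return 'built-in (Local Service)' }
    }

    # ".\name" or "<this computer>\name" is a local user account.
    if ($StartName -match '^\.\\' -or $StartName -like "$env:COMPUTERNAME\*") {
        return 'local user'
    }
    return 'domain or other account'
}

# Query the local Service Control Manager through WMI (no network access needed).
Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'SQL Server%'" |
    Select-Object Name, DisplayName, State, StartName,
        @{ Name = 'AccountKind'; Expression = { Get-AccountKind $_.StartName } } |
    Sort-Object AccountKind, Name |
    Format-Table -AutoSize
```

To change a service's account after setup, use SQL Server Configuration Manager rather than the Windows Services console, because it also grants the new account the permissions the service needs.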
