Service Accounts on SQL Server
Issue
All services log on under an account, and some services run as LocalSystem. This is a potential security vulnerability: because the service runs in the security context of the local computer, a bug in the service code could be exploited by a malicious user to gain system-level access. We recommend that you run services that do not require full system access under a lesser-privileged account, and that this account not be a member of the local Administrators group.
Solution
Ensure that the Microsoft® SQL Server™ or Microsoft Data Engine (MSDE) service accounts are not running as LocalSystem and are not running under accounts that are a member of the local Administrators or Domain Admins groups. We recommend that you run these service accounts under a domain user account. Windows® XP introduces two new service accounts: LocalService and NetworkService. Services running under the LocalService account have minimum privileges on the local computer, and they present anonymous credentials on the network. Services running under the NetworkService account have minimum privileges on the local computer, and they act as the computer on the network. For more information, see Additional Resources.
Notes
- While it is recommended that the service run as a low privileged account, the application that installed SQL Server/MSDE may require it to run with higher privileges. For example, instances of WMSDE currently are required to run as LocalSystem, and therefore need to be exempt from this check. WMSDE is a derivative of MSDE meant for use by Windows Server 2003 operating system components, such as Windows SharePoint Services. Check the documentation accompanying the application for information on the minimum level of privileges required.
Instructions
To ensure that services are not running as LocalSystem accounts in Windows 2000
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Computer Management.
- Under the Services and Applications node, click Services.
- Double-click the service that was flagged in the security report.
- In the dialog box that appears, click the Log On tab.
- Under Log On As, select the This account option and specify a local account under which the service should run.
To ensure that services are not running as LocalSystem accounts in Windows NT® 4.0
- Click Start, point to Settings, and then click Control Panel.
- Click Services.
- Double-click the service that was flagged in the security report.
- Under Log On As in the dialog box that appears, select the This account option and specify a local account under which the service should run.
Important:
- Changing the service account for any SQL Server services outside of SQL Server Enterprise Manager could cause SQL Server to stop functioning.
To create a new domain user account under which the SQL Server services will run
- Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
- Click the Users container and create a new domain user account.
- Set the password to never expire.
- Choose to create a mailbox if you are planning on using SQL Server mail.
To change the service account for the MSSQLServer Service for SQL Server
- Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
- In SQL Server Enterprise Manager, double-click SQL Server Group, right-click the SQL Server that you want to secure, and then click Properties.
- Click the Security tab, and in the startup service account section, select the This account option and enter the logon information for the domain user created in the previous step.
To change the service account for the SQL Server Agent Service for SQL Server
- Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
- In SQL Server Enterprise Manager, double-click SQL Server Group, and then double-click the SQL Server that you want to configure.
- Click the Management folder, right-click SQL Server Agent, and then click Properties.
- In the startup service account section, select the This account option and enter the logon information for the domain user created in the previous step.
To change the service account for SQL Server or MSDE without using Enterprise Manager, refer to Knowledge Base article Q283811.
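As an added audit check (example code, not part of this page or of the MBSA tool), the following PowerShell script lists the SQL Server database engine and Agent services on the local computer and flags any that log on as LocalSystem or whose logon account is a direct member of the local Administrators group. It assumes a current Windows version where Get-CimInstance and Get-LocalGroupMember are available, and an elevated prompt.

```powershell
# Added example: audit SQL Server service logon accounts on the local computer.
# Assumes Windows Server 2016+/Windows 10 (Get-CimInstance, Get-LocalGroupMember)
# and that the script is run from an elevated PowerShell prompt.

$computer = $env:COMPUTERNAME

# Names under which the built-in system account appears as a service logon
$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM', '.\LocalSystem')

# Direct members of the local Administrators group, upper-cased for comparison.
# Note: nested membership (for example a domain account that is an administrator
# only through Domain Admins) is not expanded by Get-LocalGroupMember.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToUpperInvariant() }

# Database engine (MSSQLSERVER, MSSQL$Instance) and Agent (SQLSERVERAGENT, SQLAgent$Instance)
$sqlServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLSERVERAGENT|SQLAgent)' }

foreach ($svc in $sqlServices) {
    $logon   = $svc.StartName
    $finding = 'OK'

    if ([string]::IsNullOrEmpty($logon) -or $systemAccounts -contains $logon) {
        $finding = 'Runs as LocalSystem'
    }
    else {
        # Normalise ".\user" to "COMPUTER\user" so it matches group member names
        $normalised = ($logon -replace '^\.\\', "$computer\").ToUpperInvariant()
        if ($admins -contains $normalised) {
            $finding = 'Logon account is a member of local Administrators'
        }
    }

    # One row per service; pipe the script to Format-Table or Export-Csv as needed
    [pscustomobject]@{
        Service = $svc.Name
        LogOnAs = $logon
        State   = $svc.State
        Finding = $finding
    }
}
```

Services listed with a finding other than OK are the ones to move to a lesser-privileged account using the steps above, unless the installing application documents that LocalSystem is required (as noted for WMSDE).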
Additional Resources
LocalService Account
NetworkService Account
SQL Server 7.0 Security
Microsoft SQL Server 2000 Security
©2002-2004 Microsoft Corporation. All rights reserved.