“The SQL Guy” Post #15: Best Practices For Using SQL Server Service Accounts

Securing SQL Server is one of the top priorities of any SQL Server DBA. It is extremely important for DBAs and system admins to make sure that SQL Server is TIGHTLY SECURED and is not exposed to users who do not need access to it. Only valid users who need access MUST be granted permissions, and only the permissions they require.

Apart from configuring the right security and permissions for SQL Server users and logins, it is also very important to select the right account to run the SQL Server services. In today’s tip, we will explore which service account to use for running SQL Server services, and when.

WHEN TO USE A DOMAIN USER ACCOUNT?

If your SQL Server interacts with other servers, services or resources on the network (for example, file shares), or if your SQL Server services use linked servers to connect to other SQL Servers on the network, then you may use a low-privileged domain user account to run the SQL Server services. A domain user account is the recommended account for SQL Server services that interact with other servers on the network. One advantage of a domain user account is that it is controlled by Windows Active Directory, so domain-level account policies apply to the SQL Server service account as well.

WHEN TO USE THE NETWORK SERVICE ACCOUNT?

You should NEVER use the Network Service account to run SQL Server services. The Network Service account is shared with other services running on the local computer, and it is a built-in account with more access to server resources and objects than the user accounts in local user groups have.

Any SQL Server service that runs under the Network Service account can access network resources using the credentials of the computer account. This account shows up as “NT AUTHORITY\NETWORK SERVICE” when configuring SQL Server services.

WHEN TO USE A LOCAL USER ACCOUNT?

If your SQL Server DOES NOT interact with other servers, services or resources on the network (for example, files, shares or linked servers), then you may use a low-privileged local user account to run the SQL Server services.

NOTE: The local user account does not need administrative privileges to run SQL Server services.

WHEN TO USE THE LOCAL SYSTEM ACCOUNT?

You should NEVER use the Local System account to run SQL Server services. The Local System account has more permissions than you might think: it is a very highly privileged built-in account created by the Windows OS.

The Local System account has extensive privileges over the entire local system and acts as the computer on your company’s network. This account shows up as “NT AUTHORITY\SYSTEM” when configuring SQL Server services.
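As an added example (not part of the original post), here is a PowerShell audit script that lists the logon account of each SQL Server service on the local host and sorts it into the account types the post discusses, flagging the two it says should never be used. It assumes that the service-name prefixes in $sqlServicePattern cover the SQL Server services you care about and that Win32_Service.StartName holds the logon account; the sample logon names at the bottom are constructed for illustration and are not taken from any real server.

```powershell
# Added example, not part of the original post. Audits the logon account of each
# SQL Server-related Windows service on the local host and classifies it using
# the account types the post discusses. Assumptions: the service-name prefixes
# in $sqlServicePattern cover the SQL Server services of interest, and
# Win32_Service.StartName is the account the service logs on as.

function Get-SqlServiceAccountCategory {
    param([string]$StartName = '')

    $name     = $StartName.Trim()
    $thisHost = [regex]::Escape($env:COMPUTERNAME)

    # switch -Regex matches case-insensitively, which suits Windows account names.
    # Order matters: built-in accounts first, then local users, then domain users.
    switch -Regex ($name) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            return 'Local System (NEVER use)'
        }
        '^NT AUTHORITY\\Network ?Service$' {
            return 'Network Service (NEVER use)'
        }
        '^NT AUTHORITY\\Local ?Service$' {
            return 'Local Service (built-in, not covered by the post)'
        }
        '^NT SERVICE\\' {
            return 'Virtual account (not covered by the post)'
        }
        "^(\.|$thisHost)\\[^\\]+$" {
            return 'Local user account (only if no network resources are used)'
        }
        '^[^\\@]+\\[^\\]+$' {
            return 'Domain user account (recommended when network access is needed)'
        }
        '^[^\\@]+@[^\\@]+$' {
            return 'Domain user account (UPN form; recommended when network access is needed)'
        }
        default { return 'Unrecognised' }
    }
}

function Get-SqlServiceAccountReport {
    # Assumed prefixes of SQL Server service names (engine, agent, browser,
    # full-text, Integration Services, Reporting Services, Analysis Services).
    $sqlServicePattern = '^(MSSQL|SQLAgent|SQLSERVERAGENT|SQLBrowser|MsDtsServer|ReportServer|MSOLAP)'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $sqlServicePattern } |
        ForEach-Object {
            $logon    = if ($_.StartName) { $_.StartName } else { '' }
            $category = Get-SqlServiceAccountCategory -StartName $logon
            [pscustomobject]@{
                Service  = $_.Name
                State    = $_.State
                LogonAs  = $logon
                Category = $category
                # True for the two account types the post says never to use
                MustFix  = $category -like '*NEVER*'
            }
        }
}

# Constructed sample logon names: shows the classification without a live server.
$samples = 'LocalSystem', 'NT AUTHORITY\NetworkService', '.\svc_sql', 'CORP\svc_sql', 'NT Service\MSSQLSERVER'
foreach ($s in $samples) {
    '{0,-30} -> {1}' -f $s, (Get-SqlServiceAccountCategory -StartName $s)
}

# Live audit of this host; rows with MustFix = True run as Local System or Network Service.
Get-SqlServiceAccountReport | Sort-Object MustFix -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the SQL Server host. Any row with MustFix = True is a service running as Local System or Network Service; move it to a low-privileged domain or local user account through SQL Server Configuration Manager rather than services.msc, so that the file-system and registry permissions the new account needs are granted along with the change. The same logon information is also visible from inside the instance through the sys.dm_server_services DMV if you prefer a T-SQL check.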