











security and service start up account
Jay
Currently we are using a domain user account as a service start up account
for SQL Server and SQL Agent services. In order to tighten the security and
to curb the spread of viruses, in case a server is infected by a worm in future,
we are considering using the Local System account to start the SQL Server service.
But we do receive many FTP download files to feed some of our reporting
databases; there are DTS packages that import these text files (stored on a
network drive) into SQL tables.
We think we have to use a domain account for the SQL Agent service that has
access to the network drive. Is it a proper configuration to use the Local
System account for the SQL Server service and a domain account for the SQL Agent
service? What other options do we have?
08-12-02 08:23 PM
Greg Linwood
Re: security and service start up account
Hi Jay.
Running any service under the LocalSystem account is a significant security
risk.
The LocalSystem is a member of the administrators group and has even more
access to the local computer than the Administrator account. If you happen
to experience an unauthorised access by someone who knows how to use the
LocalSystem, they will be able to do literally anything on the local PC - e.g.
taking ownership of resources, creating security tokens etc. If that hacker
finds a null share out to the AD / domain controller, you'll end up fair and
square in the pooh...
You are certainly better off running the SQL Service under ANY account other
than the LocalSystem. At the very least, create a local account and give it
the permissions it needs on the local machine.
HTH
Cheers,
Greg Linwood
08-13-02 01:23 AM
Jay
Re: security and service start up account
But then what about the network access which the domain account has?
The reason I use a domain account is because that account can
see the network.
Then I have to give all network access to that local
account which I create.
08-13-02 04:23 AM
Greg Linwood
Re: security and service start up account
Hi Jay.
You said that the SQLAgent service needs access to network resources, but
you didn't say that the main SQLServer service does. If the SQLServer
service needs network access, configure it as a domain user account. If not,
configure it as a Local User account.
It sounds like the SQLAgent service definitely needs to be configured to run
as a domain account though because it needs to access the FTP files. This
definitely makes sense.
All I'm really saying is don't use the LocalSystem account for either
service.
Cheers,
Greg Linwood
08-13-02 05:23 AM
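
A check for the advice in this thread, as an added example that is not part of any post: it classifies the logon account of each SQL Server and SQL Server Agent service and flags LocalSystem. The function name `Get-ServiceAccountRisk`, the sample records, the `CORP` domain and the `DBSRV01` host name are constructed for illustration.

```powershell
# Added example: classify the logon account of SQL Server services.
function Get-ServiceAccountRisk {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][AllowEmptyString()][string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # A local account is written as .\name or COMPUTER\name
    $local = '^(\.|' + [regex]::Escape($ComputerName) + ')\\'
    $kind = switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { 'LocalSystem'; break }
        '^NT (AUTHORITY|SERVICE)\\'            { 'BuiltIn';     break }
        $local                                 { 'LocalUser';   break }
        '\\|@'                                 { 'DomainUser';  break }
        default                                { 'Unknown' }
    }
    $note = switch ($kind) {
        'LocalSystem' { 'FLAG: full control of the local machine; move to a dedicated account' }
        'BuiltIn'     { 'Built-in identity: review what it can reach' }
        'LocalUser'   { 'No domain identity: suitable only if no network share is needed' }
        'DomainUser'  { 'Domain identity: grant only the shares and local rights it needs' }
        default       { 'Could not classify: check manually' }
    }
    [pscustomobject]@{
        Service = $ServiceName
        Account = $StartName
        Kind    = $kind
        Note    = $note
    }
}

# Constructed sample records (service name, logon account) for an offline run
$sample = @(
    @{ Name = 'MSSQLSERVER';    StartName = 'LocalSystem' },
    @{ Name = 'SQLSERVERAGENT'; StartName = 'CORP\svc-sqlagent' },
    @{ Name = 'MSSQL$REPORTS';  StartName = '.\sqlsvc' }
)
$sample | ForEach-Object {
    Get-ServiceAccountRisk -ServiceName $_.Name -StartName $_.StartName -ComputerName 'DBSRV01'
} | Format-Table -AutoSize

# Live use on a server (default and named instance service names assumed):
# Get-CimInstance Win32_Service |
#   Where-Object Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT)' |
#   ForEach-Object { Get-ServiceAccountRisk -ServiceName $_.Name -StartName $_.StartName }
```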
ExamNotes forum archive