
Guidelines on choosing Service Accounts for SQL Server Services.

Summary

Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage service configuration.

When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more. You also need to consider account isolation: the service accounts should not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported. For more details, refer to the Books Online topic Setting Up Windows Service Accounts.

More Information

During a new installation, SQL Server setup does not default the SQL Server Engine service or the SQL Server Agent service to any account. Specifying an account is a required step for these services. For details on recommended secure accounts, refer to the Books Online topic Setting Up Windows Service Accounts.

To change SQL Server service configuration, such as the service account or the service account password, always use SQL Server tools such as SQL Server Configuration Manager. For more information on using SQL Server Configuration Manager, refer to the Books Online topic SQL Server Configuration Manager.

For more information, refer to the Security Whitepaper at http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx

For more information about the products or tools that automatically check for this condition on your instance of SQL Server and on the versions of the SQL Server product, see the following table:

   

Rule software: SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA)

Rule title:
  • Unrecommended SQL Server Engine service account detected.
  • Unrecommended SQL Server Agent service account
  • FDHOST Launcher service is not configured properly

Rule description: The SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA) provides a rule to detect whether the SQL Server service, the SQL Server Agent service, or SQL Server FDHost is running under an account that belongs to the Administrators group on the machine. If you run the BPA tool and encounter a warning with the title of Engine- Unrecommended SQL Server Engine Service Account detected or Engine - Unrecommended SQL Server Agent service account or Engine - Unrecommended SQL Server FDHOST Lancher service account, then your SQL Server 2008 or SQL Server 2008 R2 installation is using an unrecommended service account for its services. The rule also points users to the unrecommended service account.

Product versions against which the rule is evaluated: SQL Server 2008, SQL Server 2008 R2

Rule software: SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA)

Rule title:
  • Unrecommended SQL Server Engine service account detected.
  • Unrecommended SQL Server Agent service account
  • FDHOST Launcher service is not configured properly

Rule description: The SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA) provides a rule to detect whether the SQL Server service, the SQL Server Agent service, or SQL Server FDHost is running under an account that belongs to the Administrators group on the machine. If you run the BPA tool and encounter a warning with the title of Engine- Unrecommended SQL Server Engine Service Account detected or Engine - Unrecommended SQL Server Agent service account or Engine - Unrecommended SQL Server FDHOST Lancher service account, then your SQL Server 2012 installation is using an unrecommended service account for its services. The rule also points users to the unrecommended service account.

Product versions against which the rule is evaluated: SQL Server 2012
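
A read-only way to look for the condition the BPA rule describes, together with the account-isolation guidance in the Summary, as an added PowerShell example (it is not part of the original article or of the BPA tool). It assumes Windows PowerShell 5.1 or later and the default service names (MSSQLSERVER, MSSQL$<instance>, SQLSERVERAGENT, SQLAgent$<instance>, MSSQLFDLauncher), and it checks direct membership of the local Administrators group only.

```powershell
# Added example: read-only audit of SQL Server service accounts on the local machine.
# Assumes Windows PowerShell 5.1+ (Get-CimInstance, Get-LocalGroupMember).
# Matches Engine, Agent and FDHOST Launcher services, default and named instances.
$pattern = '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+|MSSQLFDLauncher(\$.+)?)$'

$allServices = @(Get-CimInstance -ClassName Win32_Service)
$sqlServices = @($allServices | Where-Object { $_.Name -match $pattern })

# Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
# Membership through nested domain groups is not expanded by this check.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

function Resolve-AccountSid {
    param([string]$Account)
    # Services store local accounts as ".\user"; NTAccount needs "COMPUTER\user".
    $name = $Account -replace '^\.\\', "$($env:COMPUTERNAME)\"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account name could not be mapped to a SID
    }
}

$report = foreach ($svc in $sqlServices) {
    $sid = Resolve-AccountSid -Account $svc.StartName
    # LocalSystem is reported as "LocalSystem"; its token includes BUILTIN\Administrators.
    $isAdmin = ($svc.StartName -eq 'LocalSystem') -or ($sid -and ($adminSids -contains $sid))
    # Account isolation: count other services on this server using the same account.
    $shared = @($allServices | Where-Object {
        $_.StartName -eq $svc.StartName -and $_.Name -ne $svc.Name
    }).Count
    [pscustomobject]@{
        Service          = $svc.Name
        Account          = $svc.StartName
        InAdministrators = [bool]$isAdmin
        SharedWithOthers = $shared
    }
}

$report | Format-Table -AutoSize
```

A row with InAdministrators set to True or a non-zero SharedWithOthers count is worth reviewing against the guidance above. Any resulting account change should still be made with SQL Server Configuration Manager, as the article states.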

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 2160720 - Last Review: 04/03/2012 00:39:00 - Revision: 2.0

Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 R2 Datacenter, Microsoft SQL Server 2008 R2 Developer, Microsoft SQL Server 2008 R2 Enterprise, Microsoft SQL Server 2008 R2 Standard, Microsoft SQL Server 2008 Standard
