Friday, December 06, 2002

Service Accounts on SQL Server

Issue

All services log on under an account, and some services run as LocalSystem.
This is a potential security vulnerability: because the service runs in the context
of the local computer, a bug in the service code could be exploited by a malicious
user to gain system-level access. It is recommended that you run services that do
not require full system access under a less-privileged account, and that this
account is not a member of the local Administrators group.

Solution

Ensure that the SQL Server service accounts are not running as LocalSystem and are not
running under accounts that are members of the local or Domain Administrators group.
It is recommended that you run these services under a domain user account.
Windows XP introduces two new service accounts, LocalService and NetworkService.
Services running under the LocalService account have minimum privileges on the
local computer and present anonymous credentials on the network. Services running
under the NetworkService account have minimum privileges on the local computer and
act as the computer on the network. For more information, see Additional Resources.

Instructions

To ensure that services are not running as Local System Accounts in Windows 2000

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Computer Management.

  3. Under the Services and Applications node, click Services.

  4. Double-click the service that was flagged in the security report.

  5. In the dialog box that appears, click the Log On tab.

  6. Under Log On As, select the This account radio button and specify a
     local account under which the service should run.

To ensure that services are not running as Local System Accounts in Windows NT 4.0


  1. Click Start, point to Settings, and then click Control Panel.

  2. Click Services.

  3. Double-click the service that was flagged in the security report.

  4. Under Log On As in the dialog box that appears, select the This account
     radio button and specify a local account under which the service should run.
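The clicking above checks one service at a time. As an added example (not part of the original post and not Microsoft's own tooling), the following PowerShell function audits every SQL Server service on the host and flags the two conditions the Issue and Solution sections describe: a service running as LocalSystem, or one whose log-on account is a member of the local Administrators group. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function name and the service-name pattern are my own choices.

```powershell
function Get-SqlServiceAccountFinding {
    # Service names used by the default instance (MSSQLSERVER, SQLSERVERAGENT)
    # and by named instances (MSSQL$<instance>, SQLAgent$<instance>).
    $sqlServicePattern = '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'

    # How Win32_Service reports the built-in system account.
    $systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    # Members of the local Administrators group, looked up by well-known SID so the
    # check works on localized systems. Entries are "DOMAIN\name" or "COMPUTER\name";
    # nested domain groups (e.g. "DOMAIN\Domain Admins") appear as one entry and are
    # not expanded here, so Domain Administrators membership needs a separate check.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name.ToLowerInvariant() })

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $sqlServicePattern } |
        ForEach-Object {
            # Local accounts are reported as ".\name"; normalise to "COMPUTER\name"
            # so they compare equal to the group-member entries.
            $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

            $finding = if ($account -in $systemAccounts) {
                'Runs as LocalSystem'
            } elseif ($admins -contains $account.ToLowerInvariant()) {
                'Log-on account is a member of local Administrators'
            } else {
                'OK'
            }

            [pscustomobject]@{
                Service = $_.Name
                Account = $account
                Finding = $finding
            }
        }
}

# Report only the services that need attention.
Get-SqlServiceAccountFinding | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```

Run it on the SQL Server host itself with an account that can read WMI and local group membership; an empty table means no SQL Server service is running as LocalSystem or under a local administrator.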

Additional Resources

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security: http://www.microsoft.com/SQL/techinfo/administration/2000/securityWP.asp

LocalService Account

NetworkService Account