Service Accounts on SQL Server

Issue

All services log on under an account, with some services running as LocalSystem. This can be a potential security vulnerability because a bug in the service code could be exploited by a malicious user to gain system-level access, which is possible because the service runs in the context of the local computer. It is recommended that you run services that do not require full system access under a lesser-privileged account, and that this account is not a member of the Local Administrators group.

Solution

Ensure that the SQL service accounts are not running as LocalSystem and are not running under accounts that are a member of the Local or Domain Administrators group. It is recommended that you run these service accounts under a domain user account. Windows XP introduces two new service accounts: LocalService and NetworkService. Services running under the LocalService account have minimum privileges on the local computer, and they present anonymous credentials on the network. Services running under the NetworkService account have minimum privileges on the local computer, and they act as the computer on the network. For more information, see Additional Resources.

Instructions

To ensure that services are not running as Local System Accounts in Windows 2000

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Computer Management.
  3. Under the Services and Applications node, double-click Services.
  4. Double-click the service that was flagged in the security report.
  5. In the dialog box that appears, click the Log On folder.
  6. Under Log On As, clear the Local System Account check box.

To ensure that services are not running as Local System Accounts in Windows NT 4.0

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Services.
  3. Double-click the service that was flagged in the security report.
  4. Under Log On As in the dialog box that appears, clear the Local System Account check box.

Additional Resources

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security

LocalService Account

NetworkService Account

⌐ 2002 Microsoft Corporation. All rights reserved.