Network Service Account

Administration and Active Directory Integration

In Designing SQL Server 2000 Databases, 2001

Summary

Active Directory provides a directory service that stores information about users, computers, groups, applications and other network services, accounts, and resources. SQL Server 2000 integrates with Active Directory, not only using it for Windows NT authentication but also being able to register its own information within Active Directory for use by end users and applications that are Active Directory-aware.

Before listing any other objects in Active Directory, the administrator must begin by registering the SQL Server inside it. This creates in Active Directory a new object describing the SQL Server. Next, the administrator can register SQL Server databases, SQL Server publications, and SQL Server Analysis Services in Active Directory. A user or an application can then conduct a search for a SQL Server component using data about the component. The user or the application is not required to know the SQL Server instance on which the component resides. This means that an administrator can register SQL Server components, then move them physically around the network without having to change the information in multiple client applications.

There are many ways to administer various SQL Server elements. Because SQL Server can use Windows NT authentication, a SQL Server administrator might be required to create users within Active Directory. This is done using the Active Directory Users and Computers console. In addition, the administrator might want to manage the data listed in Active Directory. This can be done using the ADSI Edit or LDP tools, both of which are available in the Support\Tools directory on the Windows 2000 Server CD-ROM.

Much of the administration for SQL Server is handled in the Enterprise Manager application; however, Analysis Services are administered in the Analysis Manager application. Both of these consoles and all the Active Directory consoles are Microsoft Management Console (MMC) utilities. The MMC is a common framework from which to run snap-in utilities; it provides a consistent interface for an administrator.

Moving and copying databases can be accomplished in many ways. Traditionally, DBAs use a backup and restore method between servers. However, within Enterprise Manager there is also a Copy Database Wizard that can simplify this process as well as execute while the database is online. Moves are easily managed through the process of detaching a database from one server, conducting a file movement procedure, and then attaching the database to the destination server.

One of the strengths of SQL Server is the ability to use Object Linking and Embedding (OLE) to query information existing in non-SQL Server data repositories. When OLE is used, a linked server is created. Then distributed queries are executed against the linked server. The information within the linked server is considered a rowset and provided in tabular format.

Maintenance and administration of the SQL Server can be conducted using automated methods. An administrator can execute the Database Maintenance Plan Wizard to select the types of maintenance to be executed and the schedule on which to execute them. The administrator can also configure SQL Server Agent alerts, jobs, and operators. Once configured, a SQL Server can encounter an error that triggers an alert. The alert will trigger a job and send a notification through SQL Mail to an operator.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781928994190500099

Authentication and Granular Access

In The Best Damn Exchange, SQL and IIS Book Period, 2007

SQL Server Service Account

The first thing to determine is the service account under which SQL Server is running. In order for Kerberos to be supported, SQL Server must either be running under a domain user account or under the Local System or Network Service account. If a domain user account is being used, the SPNs must be configured under it. Otherwise, the SPNs must be configured under the computer account in the Active Directory domain. The easiest way to determine this is via SQL Server Configuration Manager:

1. In the left pane, expand SQL Server Configuration Manager (Local).

2. In the left pane, click SQL Server 2005 Services.

3. In the right pane, note the value for the Log On As column for the SQL Server instance.

Best Practices According to Microsoft

Microsoft recommends against the use of either the local System account or the Network Service account. In the case of the local System account, this account has more rights than SQL Server needs. As to the Network Service account, Microsoft doesn't give a specific recommendation as to why to avoid it, citing that local or domain user accounts are preferred. The most secure configuration is to use a local user account that does not have administrative rights. However, doing so will prevent Kerberos authentication from working. In order for Kerberos authentication to function, SQL Server must be running under a domain account. That domain account can be the computer account (which is why the local System account would work).
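The check described above (read the Log On As value, then work out whether the SPNs belong on the domain user account or on the computer account) can be scripted instead of read off the Configuration Manager screen. The following is an added example and not code from the book: it queries the Service Control Manager for every Database Engine service, classifies the logon account the way the text does, and reports the Active Directory principal that must hold the MSSQLSvc SPNs plus the `setspn -L` command to verify it. The function name, the default port of 1433, the NetBIOS domain taken from `$env:USERDOMAIN`, and the treatment of NT SERVICE virtual accounts (which present the computer account on the network, a Windows behaviour the page does not discuss) are assumptions of this example.

```powershell
# Added example (not from the book): classify each SQL Server Database Engine
# service's logon account and report which AD principal must hold its SPNs.
# Assumptions not on the page: domain-joined host, PowerShell 3+ (Get-CimInstance),
# default instance on TCP 1433 unless -Port is given.

function Get-SqlServiceKerberosPrincipal {
    param([int]$Port = 1433)   # assumed port of the default instance

    $fqdn            = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # NetBIOS domain of the current session, assumed to be the host's domain (e.g. CONTOSO\SQL1$)
    $computerAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"

    # Default instance is MSSQLSERVER; named instances are MSSQL$<InstanceName>.
    $services = Get-CimInstance Win32_Service `
        -Filter 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%"'

    foreach ($svc in $services) {
        $logon = $svc.StartName
        switch -Regex ($logon) {
            '^LocalSystem$' {
                $kind = 'Local System (built-in)'; $principal = $computerAccount; break }
            '^NT AUTHORITY\\NETWORK ?SERVICE$' {
                $kind = 'Network Service (built-in)'; $principal = $computerAccount; break }
            '^NT AUTHORITY\\LOCAL ?SERVICE$' {
                # Not among the Kerberos-capable accounts the text lists.
                $kind = 'Local Service (built-in)'; $principal = $null; break }
            '^NT SERVICE\\' {
                # Virtual account: authenticates on the network as the computer
                # account (assumed Windows behaviour; the page does not cover it).
                $kind = 'Virtual account'; $principal = $computerAccount; break }
            "^(\.|$env:COMPUTERNAME)\\" {
                # Local user: most restrictive, but the text notes Kerberos cannot work.
                $kind = 'Local user'; $principal = $null; break }
            default {
                $kind = 'Domain user'; $principal = $logon }
        }

        # Standard MSSQLSvc SPN forms (assumed here, not taken from the page).
        $instance = $svc.Name -replace '^MSSQL\$', ''
        $spns = if ($instance -eq 'MSSQLSERVER') {
            @("MSSQLSvc/$fqdn", "MSSQLSvc/${fqdn}:$Port")
        } else {
            # A named instance also needs a port-based SPN for its own TCP port.
            @("MSSQLSvc/${fqdn}:$instance")
        }

        $check = if ($principal) {
            # setspn -L takes the sAMAccountName: the host name for a computer account.
            'setspn -L ' + ($principal -split '\\')[-1].TrimEnd('$')
        } else {
            'Kerberos not available for this account type'
        }

        [PSCustomObject]@{
            Service      = $svc.Name
            LogOnAs      = $logon
            AccountKind  = $kind
            SpnPrincipal = $principal
            ExpectedSpns = $spns -join ', '
            VerifyWith   = $check
        }
    }
}

Get-SqlServiceKerberosPrincipal | Format-List
```

Run it on the SQL Server host itself; a `SpnPrincipal` of the computer account with a domain-user `LogOnAs` (or the reverse) is the mismatch that breaks Kerberos, and `setspn -L` against the reported principal shows whether the expected SPNs are actually registered.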

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492195000224

Installation of the Citrix Provisioning Server

Gareth R. James, in Citrix XenDesktop Implementation, 2010

Prerequisites

Important considerations:

1. The user account performing the installation must be a local administrator on the provisioning server.

2. An Active Directory service account for Citrix Provisioning Server. For proof of concept/pilot type implementations, the local Network Service Account can be used rather than an Active Directory user account.

3. Windows Server 2003 SP2 and Windows Server 2008 and Windows Server 2008 R2 (32 or 64 bit) – all editions are supported for the provisioning server.

The Installation Guide states "all versions." For a production environment, Windows Server 2008 (64 bit) would be the best choice in terms of performance and scalability. Windows Server 2008 R2 is currently supported in version 5.6.

SQL Express database is sufficient for a proof of concept. A pilot or production environment should make use of an Enterprise database, which can be easily backed up and restored as required.

4. Requires Microsoft SQL 2005 or Microsoft SQL 2008. Express editions included. Please see Appendix.

Tip

As with the Desktop Delivery Controller, ask the database administrator in your organisation to create a database for you.

5. Have a separate logical or physical drive location available for virtual disks. SAN (Storage Area Network) storage is recommended if available.

6. The .NET Framework 3.5.1 is required. This is installed on Windows Server 2003, but on Windows Server 2008 R2, you add it as a "Feature" under Server Manager.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781597495820000063

Server Rights

Denny Cherry, in Securing SQL Server (Third Edition), 2015

Using Local Service Accounts for Running SQL Server Services

Another option which is used much more often than it should be is to use the local system accounts to run the SQL Server services. While on newer versions of Windows such as Windows 2008 and higher this is less of a problem, on older versions of Windows this is an unacceptable security risk. There are two local system accounts which the SQL Server installer will let you pick during the installation process. One is the Local Service account and the other is the Network Service account. On older versions of Windows Server (Windows Server 2003 and earlier) these accounts were effectively members of the local administrators group on the server, which gave the SQL Service more rights than it needed.

Note

Give a Guy a Break Already

Yes, yes. I am aware that the really old versions of SQL Server like SQL Server 6.5 and SQL Server 7 required that the account that was running the SQL instance be a member of the local administrators group. But this is not the 1990s so we should not be setting up our servers like that anymore unless we really need to. And by really need to I mean because some third party application vendor does not know how to properly write an application, causing massively elevated permissions to be required.

This becomes less of an issue on the newer versions of the Microsoft Windows operating system, specifically Windows 2008 and newer, because when services are run under these accounts they are not actually run under these accounts. New pseudo accounts are created called "NT SERVICE\MSSQLSERVER" or "NT SERVICE\SQLSERVERAGENT"; basically the domain name is "NT SERVICE" followed by the name of the service for the account name. This allows each service to function inside its own security context and not have access to the resources of another service. It also allows for the granting of Windows security rights at a much more granular level, such as the logon as a service right shown in Figure 13.1.

Figure 13.1. Showing various "NT SERVICE" accounts being granted individual rights under Windows 2008 R2.

Granting additional rights to these service specific "NT SERVICE" accounts requires knowing the specific account which you want to grant rights to. This is due to the fact that these are special system accounts, which do not technically exist, so you cannot search for them in the normal account search dialog boxes in the Windows Local Security Policy editor or SQL Server Management Studio. As you cannot search for these accounts you must type the names in manually when granting them rights.

Story time

So This One Time While Writing This Book

So when I was writing this book, specifically Chapter 7 titled "Analysis Services," I ran across some of the problems which I have talked about in this section of this chapter (guess where I got the idea for this section from). While working with SQL Server Analysis Services I was trying to get the screenshots for all the objects like those shown in Figure 6.8 and I kept getting errors while processing the cube. This is because in my haste to get the SQL Server services installed on my machine I had set the services to start up under the local service account instead of under a single domain account like my SQL Server did. Because of this, when the SQL Server Analysis Services service attempted to log into the locally installed SQL Server database it could not, because I needed to specifically grant the "NT SERVICE\MSOLAP$SSAS" service rights to the SQL Server instance (as I noted in Chapter 6 the SQL Server Analysis Service and Reporting Service services were installed as a named instance called SSAS, giving us the stranger than normal account name).

And yes I did almost name this side bar "So this one time at band camp…" but that just led to images of a trumpet going somewhere that trumpets should just never go, and I did not really need that while sitting on an airplane. If you do not grab that reference go check out the American Pie movies and get back to me. You are welcome for that mental image. I now return you to your regularly scheduled book reading.

The upside to using these service specific accounts is that there are no passwords to change, as you do not have access to these passwords. Another upside to these services is that if the service which the account is running becomes compromised the attacker would not have access outside of that service, unless that service account has been granted specific rights.

Like anything that has an upside there is a downside or two as well. These downsides include not being able to change the password of the account if it was to become compromised, and the inability to easily grant rights across servers. When running the SQL Server services under the network service account, the SQL Server can access rights outside of itself. And this works great, until you understand how the domain authentication process works when accessing these remote resources.

For an example let's say that we have a SQL Server called SQL1.contoso.local and a file server called files.contoso.local. The SQL Server service and the SQL Server Agent service are both configured to run under the local network service on their machine. There is a job which runs a T-SQL batch which includes the BULK INSERT statement which is used to load a text file from the file server. In order to grant the SQL Server the right to access the network share and read the file on the file server we have to grant the computer account for SQL1.contoso.local rights to the network share. This is done by granting the Active Directory account CONTOSO\SQL1$ rights to the network share. So far so good. But we now find out that any process which is running under the network service account on SQL1.contoso.local now has rights to the network share and can read the file (or write to the file depending on how the rights to the network share are configured). This suddenly becomes a problem as any user who is logged into SQL1.contoso.local now also has the same rights to that network share that the SQL Service has. From a security perspective this is a pretty bad idea.

Note

Selecting The Right Approach

Hopefully by the time you have gotten to this part of this chapter you have been thinking about your own company and which of these approaches will fit best into your shop. Obviously changing from one of these approaches to another requires a LOT of work and is not a project that should be taken lightly. In larger shops a project like this could take months or years.

While I would love to be able to tell you which of these approaches would work best in your specific shop, that just is not possible to do in the abstract like this. There are several factors to consider before selecting which of these approaches should be used, including the size of your shop, the number of database administrators in the shop (in this context anyone who has the passwords that the SQL Server runs under is counted as a database administrator), how complex the application design is, and how often you plan on changing service account passwords. If after thinking through all these items and thinking about your specific company you do decide to change the approach that you are going to use to run your SQL Server databases, do not rush the project. For most applications and servers there will be a LOT of discovery which needs to be done to ensure that the account changes do not adversely impact the stability of the environment and the uptime of the applications.

After all, while we may not like it, the best security practices have to be tempered against system manageability. If they did not we would still be in the stone ages, as the only truly secure server is one that is powered off and stored in a concrete room with no doors or windows.

In addition to the NT Service accounts which have been discussed there are also Network Service accounts which are displayed as Network Service\MSSQLSERVER. These Network Service accounts work much like the NT Service accounts, with the exception that the Network Service accounts have the ability to access network resources while the NT Service accounts only have the ability to access resources on the local server.

Changing the Service Account

Setting the service account can be done during installation, or it can be changed after installation by using the SQL Server Configuration Manager. To make the change in the SQL Server Configuration Manager, open the SQL Server Configuration Manager from the Windows Start Menu. Once it opens, select "SQL Server Services" from the menu on the left, then double click on the specific SQL Server service from the list as shown in Figure 13.2.

Figure 13.2. SQL Server Configuration Manager.

From the SQL Server Service properties page which opens, select the "Log On" tab. To use the Local System Account, the Local Service Account or the Network Service account, select the "Built-in account" radio button and select the needed choice from the dropdown menu as shown in Figure 13.3. To use a local or domain account, select the "This account" radio button and specify a Windows account and the password for this account.

Figure 13.3. SQL Server service properties dialog.

When using a local system account, network service account or local service account (a description of these three accounts can be found in Table 13.1) the account will be shown in the Account Name field, as shown in the disabled Account Name field in Figure 13.3. This can look incorrect when you first open the service properties, but this is normal, as it displays the service specific name instead of displaying a generic option from the dropdown menus. There is no need to change the radio button to "Built In" from "This Account" if a network service, local service or local system account is specified.

Table 13.1. Local Accounts

Account Name | Description
Local system | The SQL Server Service runs under the account of the computer. The SQL Server Service only has access to resources on the local server.
Network service | The SQL Server Service runs under the account of the computer. The SQL Server Service has access to network resources, but under the context of the computer account, not under its own account.
Local service | The SQL Server Service runs under a service specific account called NT Service\MSSQLSERVER.

After changing the start up service account to or from any of the available options the SQL Service must be restarted in order for the changes to take effect. To make the changes take effect click the Apply button, then "Yes" on the dialog box which appears, which informs you that the SQL Service needs to be restarted as shown in Figure 13.4. Clicking "No" on the dialog box shown in Figure 13.4 will prevent the changes to the service configuration from being saved.

Figure 13.4. Confirm account change dialog box.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780128012758000130

Server Rights

Denny Cherry, in Securing SQL Server (Second Edition), 2013

Using Local Service Accounts for Running SQL Server Services

Another option which is used much more frequently than it should be is to use the local system accounts to run the SQL Server services. While on newer versions of Windows such as Windows 2008 and higher this is less of a problem, on older versions of Windows this is typically an unacceptable security risk. There are two local system accounts which the SQL Server installer will let you pick during the installation process. One is the local service account and the other is the network service account. On older versions of Windows Server (Windows Server 2003 and earlier) these accounts were effectively members of the local administrators group on the server, which gave the SQL Service more rights than it needed.

Note

Give a Guy a Break Already

Yep, yeah. I'm aware that the really old versions of SQL Server like SQL Server 6.5 and SQL Server 7 required that the account that was running be a member of the local administrators group. But this isn't the 1990s so we shouldn't be setting up our servers like that anymore unless we really need to. And by really need to I mean because some 3rd-party application vendor doesn't know how to properly write an application, causing massively elevated permissions to be required.

This becomes less of an issue on the newer versions of the Microsoft Windows operating system (OS), specifically Windows 2008 and newer, because when services are run under these accounts they aren't actually run under these accounts. A new pseudo-account is created called "NT SERVICE\MSSQLSERVER" or "NT SERVICE\SQLSERVERAGENT"; basically the account is "NT SERVICE" for the domain name followed by the name of the service. This allows each service to function within its own security context and not have access to the resources of another service. It also allows for the granting of Windows security rights at a much more granular level, such as the logon as a service right shown in Figure 12.1.

Figure 12.1. Showing Various "NT SERVICE" Accounts Being Granted Individual Rights Under Windows 2008 R2

Granting additional rights to these service-specific "NT SERVICE" accounts requires knowing the specific account which you want to grant rights to. This is due to the fact that these are special system accounts, which don't technically exist, so you can't search for them in the normal account search dialog boxes in the Windows Local Security Policy editor or SQL Server Management Studio. As you can't search for these accounts you must type the names in manually when granting them rights.

Story Time

So This One Time While Writing This Book…

So when I was writing this book, specifically Chapter 6 titled "Analysis Services," I ran across some of the problems which I've talked about in this section of this chapter (guess where I got the idea for this section from). While working with SQL Server Analysis Services I was trying to get the screenshots for all the objects like those shown in Figure 6.8 and I kept getting errors while processing the cube. This is because in my haste to get the SQL Server services installed on my machine I had set up the services to start up under the local service account instead of under a single domain account like my SQL Server did. Because of this, when the SQL Server Analysis Services service attempted to log into the locally installed SQL Server database, it couldn't because I needed to specifically grant the "NT SERVICE\MSOLAP$SSAS" service rights to the SQL Server instance (as I noted in Chapter 6 the SQL Server Analysis Service and Reporting Service services were installed as a named instance called SSAS, giving us the stranger than normal account name).

And yes I did almost name this side bar "So this one time at band camp…" but that just led to images of a trumpet going somewhere that trumpets should just never go, and I didn't really need that while sitting on an airplane. If you don't grab that reference go check out the American Pie movies and get back to me. You're welcome for that mental image. I now return you to your regularly scheduled book reading.

The upside to using these service-specific accounts is that there are no passwords to change, as you don't have access to these passwords. Another upside to these services is that if the service which the account is running becomes compromised, the attacker won't have access outside of that service, unless that service account has been granted specific rights.

Like anything that has an upside there is a downside or two as well. These downsides include not being able to change the password of the account if it was to become compromised, and the inability to easily grant rights across servers. When running the SQL Server services under the network service account, the SQL Server can access rights outside of itself. And this works great, until you understand how the domain authentication process works when accessing these remote resources.

For an example let's say that we have a SQL Server called SQL1.contoso.local and a file server called files.contoso.local. The SQL Server service and the SQL Server Agent service are both configured to run under the local network service on their machine. There is a job which runs a T-SQL batch which includes the BULK INSERT statement which is used to load a text file from the file server. In order to grant the SQL Server the right to access the network share and read the file on the file server, we have to grant the computer account for SQL1.contoso.local rights to the network share. This is done by granting the Active Directory account CONTOSO\SQL1$ rights to the network share. So far so good. But we now find out that any process which is running under the network service account on SQL1.contoso.local now has rights to the network share and can read the file (or write to the file depending on how the rights to the network share are configured). This suddenly becomes a problem as any user who is logged into SQL1.contoso.local now also has the same rights to that network share that the SQL Service has. From a security perspective this is a pretty bad idea.

Note

Selecting the Right Approach

Hopefully by the time you've gotten to this part of this chapter you've been thinking about your own company and which of these approaches will fit best into your shop. Obviously changing from one of these approaches to another requires a LOT of work and isn't a project that should be taken lightly. In larger shops a project like this could take months or years.

While I would love to be able to tell you which of these approaches would work best in your specific shop, that just isn't possible to do in the abstract like this. There are several factors to consider before selecting which of these approaches should be used, including the size of your shop, the number of database administrators in the shop (in this context anyone who has the passwords that the SQL Server runs under is counted as a database administrator), how complex the application design is, and how often you plan on changing service account passwords. If after thinking through all these items and thinking about your specific company you do decide to change the approach that you are going to use to run your SQL Server databases, don't rush the project. For most applications and servers there will be a LOT of discovery which needs to be done to ensure that the account changes don't adversely impact the stability of the environment and the uptime of the applications.

After all, while we may not like it, the best security practices have to be tempered against system manageability. If they didn't we would still be in the stone ages, as the only truly secure server is one that is powered off and stored in a concrete room with no doors or windows.
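The SQL1.contoso.local / files.contoso.local scenario above (it appears in both the second- and third-edition excerpts on this page) comes down to one question a defender wants answered before granting CONTOSO\SQL1$ anything: what else on the host runs under the same identity as the SQL Server service and would inherit that grant? The following is an added example, not code from the book: it enumerates the host's services, collapses the Service Control Manager's different spellings of the built-in identities, and for each SQL Server engine or Agent service lists every other service sharing its logon identity. A virtual account (NT SERVICE\<name>) should come back with an empty list, which is the isolation the text describes; Network Service or Local System comes back with every other service that also runs as the computer. The function names and the assumption of PowerShell 3 or later with Get-CimInstance are this example's, not the page's.

```powershell
# Added example (not the book's code): show which other services share the
# logon identity of each SQL Server service on this host. Anything listed
# inherits rights granted to that identity (for Network Service, rights
# granted to the computer account such as CONTOSO\SQL1$ in the text).
# Assumes PowerShell 3+ (Get-CimInstance); run on the SQL Server host.

# The SCM spells built-ins several ways ("LocalSystem",
# "NT AUTHORITY\NetworkService", "NT AUTHORITY\NETWORK SERVICE"); collapse
# them so that equal identities compare equal.
function Normalize-LogonName([string]$name) {
    switch -Regex ($name) {
        '^LocalSystem$'                     { return 'NT AUTHORITY\SYSTEM' }
        '^NT AUTHORITY\\NETWORK ?SERVICE$'  { return 'NT AUTHORITY\NETWORK SERVICE' }
        '^NT AUTHORITY\\LOCAL ?SERVICE$'    { return 'NT AUTHORITY\LOCAL SERVICE' }
        default                             { return $name.ToUpperInvariant() }
    }
}

function Get-SqlServiceIdentitySharing {
    # Skip driver entries with no logon account.
    $all = Get-CimInstance Win32_Service | Where-Object { $_.StartName }

    # Database Engine and Agent services, default and named instances.
    $sql = $all | Where-Object {
        $_.Name -match '^(MSSQLSERVER|SQLSERVERAGENT|MSSQL\$.+|SQLAgent\$.+)$'
    }

    foreach ($svc in $sql) {
        $identity = Normalize-LogonName $svc.StartName
        $sharing  = $all | Where-Object {
            $_.Name -ne $svc.Name -and (Normalize-LogonName $_.StartName) -eq $identity
        }
        [PSCustomObject]@{
            SqlService  = $svc.Name
            Identity    = $identity
            IsVirtual   = $identity -like 'NT SERVICE\*'
            SharedCount = @($sharing).Count
            SharedWith  = @($sharing | ForEach-Object { $_.Name })
        }
    }
}

Get-SqlServiceIdentitySharing | Format-List
```

Read `SharedWith` as the set of services that would gain access to the file share the moment CONTOSO\SQL1$ is granted rights on it. Interactive users are not in this list (it covers services only), so the text's point about logged-on users still needs to be weighed separately; a non-empty list on a server whose SQL service should be isolated is the signal to move that service to a dedicated domain account or a virtual account before granting the computer account anything.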

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499477000125