From: RG on
Is there a reason why an account, having administrative privileges to the
local machine, other than localsystem, should not be used to run various sql
services?

Thanks in advance
From: Jeroen Mostert on
On 2010-08-13 19:58, RG wrote:
> Is there a reason why an account, having administrative privileges to the
> local machine, other than localsystem, should not be used to run various sql
> services?
>
The principle of least privilege. Most services don't need access to
anything except the database files. You don't need administrative
permissions for that. "Local System" is actually worse than a custom local
administrative account because it has even more permissions initially (of
course, any administrator can grant themselves the same permissions because,
well, they're *administrators*). Contrary to what people think, "Local
System" is not a safe choice because it has "local" in the name; it's the
"system" part you should focus on.

Consider the scenario where an outside user connects to a service, exploits
a buffer overrun and manages to execute arbitrary code in the context of
that service. If the service is running with administrative or system
permissions, you've just handed the attacker the keys to the kingdom. For
example, it no longer matters if you've set up your SQL Server to use
Windows authentication or encryption, because the compromised service can be
used to read the data files or system memory directly. As the machine itself
is now compromised, it's also a prime staging area for attacks on the rest
of the domain.

You're best off creating an account especially for SQL Server and giving it
exactly the permissions it needs (read/write on its directory), and no more.
Barring that, a local non-administrative account like Local Service or
Network Service will do (although these already have too much permission for
comfort, like the ability to shut down the machine). Don't ever use Local
System or an administrative account because it's easier. Setting up
permissions only needs to happen once, so does having your server hacked
into, and it's easy to see which is the lesser of two evils.

--
J.
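One way to check the advice above on an actual host, as an added example that is not part of the thread: a PowerShell audit of which account each SQL Server service runs as, flagging Local System and members of the local Administrators group. It assumes PowerShell 5.1+ on the SQL host (for Get-LocalGroupMember); the directory and account names at the end are placeholders.

```powershell
# Added example, not from the thread: list SQL Server services and rate their
# service accounts against the least-privilege advice given above.
$DataDir = 'D:\SQLData'   # placeholder: the instance's data/log directory

# Local Administrators members, upper-cased so they compare cleanly with StartName
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { $_.Name.ToUpperInvariant() }

# Engine, Agent, Browser and full-text services (MSSQLSERVER, MSSQL$INST, SQLAgent$INST, ...)
$services = Get-CimInstance Win32_Service |
            Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT|SQLBrowser)' }

foreach ($svc in $services) {
    $acct = $svc.StartName
    # ".\name" means a local account; expand it to "HOST\name" for the admin check
    $norm = $acct.ToUpperInvariant() -replace '^\.\\', "$env:COMPUTERNAME\"
    $verdict = switch -Regex ($norm) {
        '^LOCALSYSTEM$|^NT AUTHORITY\\SYSTEM$'          { 'BAD: runs as Local System' }
        '^NT AUTHORITY\\(LOCAL ?SERVICE|NETWORK ?SERVICE)$' { 'WEAK: built-in service account' }
        '^NT SERVICE\\'                                   { 'OK: per-service virtual account' }
        default {
            if ($admins -contains $norm) { 'BAD: member of local Administrators' }
            else                         { 'OK: dedicated non-admin account' }
        }
    }
    [pscustomobject]@{ Service = $svc.Name; Account = $acct; Verdict = $verdict }
}

# Remediation sketch for a dedicated account: Modify on the data directory and nothing else.
# Change the service account itself through SQL Server Configuration Manager so the
# instance-specific rights the engine needs are granted along with it.
# icacls $DataDir /grant "CONTOSO\svc_sql:(OI)(CI)M"   # placeholder domain and account
```

A "BAD" verdict on the engine service is exactly the situation described above, where a single code-execution bug in the service hands over the whole machine.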