mssqltips logo

Why System Account is a bad idea for SQL Server Service Account

By:   |   Updated: 2011-05-25   |   Comments   |   Related: 1 | 2 | 3 | 4 | More > Security

Problem

I'm trying to set up SQL Server and I know that I'm not supposed to use an account that's an administrator on the system, as per best practices. I see that the System account is a possibility, but I've been advised not to use it. Why not? Check out this tip to learn more.

Solution

First and foremost, the security recommendation is to use the least privileged account possible. The local System account is an administrator on the system, so if you're ruling out administrators, then on the basis of that alone, System should be out. Ruling out administrators is a good thing, because the members of the administrators group has far more rights than SQL Server typically needs. For instance, this snapshot of part of the local security policy shows just how powerful a member of the administrators group is.

In actuality, though, the System account is more powerful than a normal member of the Administrators group. One place where you can clearly see this is the registry hive HKEY_LOCAL_MACHINE\Security, which is a protected part of the registry. By default, administrators only have the following rights:

That's not very much, but it's more than any other type of user with the exception of System. System has Full Control, so it has all the rights:

This is definitely a part of the registry SQL Server shouldn't have access to. Therefore, even a regular member of the Administrators group is a better choice than the System account.

Given the permissions granted to the Administrators group plus the additional permissions granted to the System account, using System is a really bad idea when it comes to selecting a SQL Server service account.

Next Steps


Last Updated: 2011-05-25


get scripts

next tip button



About the author




Post a comment or let the author know this tip helped.

All comments are reviewed, so stay on subject or we may delete your comment. Note: your email address is not published. Required fields are marked with an asterisk (*).

*Name
*Email
Email me updates

Signup for our newsletter

I agree by submitting my data to receive communications, account updates and/or special offers about SQL Server from MSSQLTips and/or its Sponsors. I have read the privacy statement and understand I may unsubscribe at any time.






download

























get free sql tips

I agree by submitting my data to receive communications, account updates and/or special offers about SQL Server from MSSQLTips and/or its Sponsors. I have read the privacy statement and understand I may unsubscribe at any time.



Learn more about SQL Server tools