views:

55

answers:

3

Hello,

I am considering creating a Windows service that would run periodically, query networked databases and store the information on the local machine (please don't ask why!). I would like this service to run when there is no one logged on to the computer locally. What account should the service run under: LocalService, LocalSystem or Network? A username and password would be provided to all networked databases, including the local one.

+2  A: 

To guarantee that you can actually connect to the databases, I would suggest that you create a service account (something like /User) and apply a password that doesn't expire.

This way you can set up the user in SQL Server and use integrated security while connecting.

For example:

Domain: stackoverflow Service: SearchDB

I would create a user stackoverflow\SearchDBUser

Basically, you don't have to stick to the pre-defined users when setting up the Windows service.

I hope this helps.

Wagner.

Wagner Silveira
Integrated security = bad. Much better to have separate credentials in a .config somewhere. Just one more obstacle to the bad guys if/when they do manage to get onto your server.
AllenG
@AllenG -- I assume that he's talking about using integrated authentication for a service account that's never actually used to access the system, only to run the service. You'd actually have to crack the credentials of the account (and they usually have much longer than normal passwords) for it to do you any good.
tvanfosson
@Allen: I believe tvanfosson is correct here.
Steven Sudit
You also generally disallow login and most other privileges to _service_ accounts which makes the password less useful even if one succeeds in getting it.
D.Shawley
"This way you can set up the user in SQL Server and use integrated security while connecting": from the answer. To me, at least, this reads like he's saying you can set up a special user account on the machine and on the DB so that the service on the machine can use integrated security to connect to the DB.
AllenG
@AllenG: You set up the account on the domain, not the two machines. And then you configure SQL Server to grant the minimum necessary rights to that account.
Steven Sudit
@AllenG: Steven got it right. You create the user on the domain, but you still have to associate the login with a SQL Server account (this is not on the SQL machine, but in SQL Server). Then, from your connection string within the application, you use integrated security in order to minimize the risk of presenting the credentials.
Wagner Silveira
+3  A: 

I'd probably create a specific domain account and grant it rights to both SQL Server and whatever local store you are going to use. If you want to use SQL credentials to connect to the DB, then it could be a local account (with access to the local resources) or a higher-privileged user (like LocalSystem).

tvanfosson
I agree about a specific domain account.
Steven Sudit
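The two answers above (Wagner's and tvanfosson's) describe the same procedure: create a dedicated domain account with a non-expiring password, register the service to run as that account, create a Windows login for it in SQL Server with the minimum rights, and use integrated security in the connection string so no password sits in the .config. The script below is an added example of those steps and is not code from the original thread; the domain name stackoverflow and account name SearchDBUser come from Wagner's answer, while the SQL instance name SQL01, the database name Inventory, the service binary path and the use of the ActiveDirectory and SqlServer PowerShell modules are assumptions for illustration.

```powershell
# Added example, not from the original post. Run as a domain admin on the service host.
# Assumed: ActiveDirectory and SqlServer modules installed, instance SQL01 reachable,
# a database named Inventory that the service only needs to read.
Import-Module ActiveDirectory
Import-Module SqlServer

$domain      = 'stackoverflow'                       # from the answer
$samAccount  = 'SearchDBUser'                        # from the answer
$sqlInstance = 'SQL01'                               # assumption
$database    = 'Inventory'                           # assumption
$serviceName = 'SearchDB'
$binaryPath  = 'C:\Services\SearchDB\SearchDB.exe'   # assumption

# 1. Generate a long random password that no human needs to know; the account is
#    only used to run the service, never for interactive logon.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# 2. Create the domain service account: password never expires and cannot be changed
#    by the account itself, as suggested in the answer.
New-ADUser -Name $samAccount -SamAccountName $samAccount `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Service account for the SearchDB Windows service; no interactive logon'

# 3. Register the Windows service to run under that account. If the service later fails
#    to start with a logon failure, grant the account the "Log on as a service" right in
#    Local Security Policy; "Deny log on locally" for the same account keeps the password
#    of little use to an attacker who recovers it (the point made in the comments).
$cred = New-Object System.Management.Automation.PSCredential("$domain\$samAccount", $secure)
New-Service -Name $serviceName -BinaryPathName $binaryPath `
    -DisplayName 'SearchDB collector' -StartupType Automatic -Credential $cred

# 4. In SQL Server, map the Windows account to a login and grant only what the service
#    needs: read access to the one database it queries, nothing at server level.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$domain\$samAccount')
    CREATE LOGIN [$domain\$samAccount] FROM WINDOWS;
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$domain\$samAccount')
    CREATE USER [$domain\$samAccount] FOR LOGIN [$domain\$samAccount];
ALTER ROLE db_datareader ADD MEMBER [$domain\$samAccount];
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql

# 5. The service's .config then carries no password at all; the SCM authenticates the
#    process as stackoverflow\SearchDBUser and SQL Server trusts that Windows identity:
#    Data Source=SQL01;Initial Catalog=Inventory;Integrated Security=SSPI;
```

Because the password is generated once and discarded, the only place it exists afterwards is the Service Control Manager's protected store on the host; an attacker who reads the application's .config gets a connection string with no credential in it, which is the trade-off tvanfosson and Steven Sudit describe in the comments.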
+2  A: 

This might actually be better asked on ServerFault, but I've always seen it as 'Network' or 'Local System' depending on specific usage.

AllenG