Greetings:
I am trying to conceive what risks might be created by running
multiple SQL servers within a domain under a single domain account, as
opposed to 1) running under the local service account or 2) multiple
domain service accounts.
In this case, all the SQL servers are SQL2000 running on Win2003. The
service account is assigned only to the "Domain Users" group.
We do use linked server calls, and I have played and succeeded in getting
Kerberos up to avoid double hop issues when using Windows Auth. In
fact, this is one of the reasons that sparked the question in my mind
-- in all the MS Kerberos SQL<->SQL examples, the SQL servers run under
a unique service account.
As an aside, most of the servers are "line of business" servers, but
HR runs under a unique server with more sensitive information. I don't
really think that merits a separate service account, but again, I
could well be missing something.
I am mostly looking for food for thought, but concrete examples of
gotchas would be appreciated.
Thanks all.
d.