DBAs - Do you run SQL Server Services under non-Administrator accounts?

You should always run all SQL Server services with the lowest possible privileges, in case the service account is compromised. SQL Server setup makes granting those privileges much easier because it automatically creates groups with all the necessary permissions for you!

Figure: SQL Server now creates groups for all the SQL Server services with the bare minimum permissions for you

If you are running any SQL Server service under a user account that has administrator privileges, a user who compromises the account could do anything that administrator could do - including playing around with the registry with procedures like xp_regdeletevalue. So, if you use an Administrator account, you're in effect giving away the keys to the house. Is this something you want to do?
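
One way to check a server against this rule is the PowerShell audit below. It is an added example, not part of the original page: it lists each SQL Server service with its run-as account and flags accounts that are LocalSystem or direct members of the local Administrators group. The service-name prefixes used in the filter are an assumption about a typical installation, and membership through nested domain groups is not expanded.

```powershell
# Audit which SQL Server services run under an account with administrator rights.
# Run on the SQL Server host itself, in an elevated Windows PowerShell 5.1+ session.

# Built-in identities that have full control of the machine.
$highPrivBuiltIn = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# Direct members of the local Administrators group, looked up by its well-known
# SID so the check does not depend on the (localised) group name.
# Limitation: accounts that are administrators only through a nested domain
# group are not detected by this direct-membership check.
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$admins   = @((Get-LocalGroupMember -SID $adminSid).Name)

# Assumption: SQL Server services are identified by these name prefixes
# (engine, Agent, Browser, full-text, Reporting Services, Integration Services).
$sqlServicePattern = '^(MSSQL|SQL|ReportServer|MsDtsServer)'

$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $sqlServicePattern } |
    ForEach-Object {
        # Local accounts are stored as ".\name"; expand to "COMPUTER\name" so
        # they compare equal to the names Get-LocalGroupMember returns.
        $account = $_.StartName -replace '^\.\\', "$($env:COMPUTERNAME)\"

        [pscustomobject]@{
            Service     = $_.Name
            Account     = $_.StartName
            State       = $_.State
            # -contains is case-insensitive, which matches Windows account names.
            RunsAsAdmin = ($highPrivBuiltIn -contains $account) -or
                          ($admins -contains $account)
        }
    }

# Show the offenders first.
$report | Sort-Object RunsAsAdmin -Descending | Format-Table -AutoSize

# Return a non-zero exit code so the check can be used in a scheduled job.
if ($report | Where-Object RunsAsAdmin) {
    Write-Warning 'One or more SQL Server services run with administrator privileges.'
    exit 1
}
```

Any service reported with `RunsAsAdmin = True` should be moved to a low-privilege account through SQL Server Configuration Manager, so that the permissions SQL Server needs are applied to the new account.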

