SQL Server Service Account

Bobby P 221 Reputation points
2021-08-20T16:42:07.097+00:00

Just wondering if anyone has some good suggestions and maybe Standards for defining a SQL Server Service Account and its name?

Like should it include "Service" so that it stands out?

I know it is "Shop" specific...but just looking for some good suggestions.

Thanks for your review and am hopeful for a reply.

SQL Server

3 answers

  1. Michael Taylor 48,981 Reputation points
    2021-08-20T17:26:48.677+00:00

    The recommendation is to not do that anymore. As of SQL 2016 (or perhaps as early as 2012) the setup is going to default to the recommended and built-in accounts for all its services. You shouldn't really be creating dedicated accounts anymore as you shouldn't need them. There are a few exceptions for advanced scenarios like failover clusters from my understanding. So my naming recommendation is "don't".

    In previous companies that either had old SQL servers that pre-date this or were stuck in their SOP-style world of mandating accounts then they would put "service" in the name somewhere but often shortened it to something like sql-svc-dev or something. The problem is, of course, that if you have more than 1 SQL server instance then you should really be creating separate accounts for each one as you don't want to accidentally give 1 service account access to another server's stuff. That means you run into the questionable naming convention of sql-svc-myserverinstance-dev or something like that. Using the recommended accounts resolves these issues.


  2. Andreas Baumgarten 98,446 Reputation points MVP
    2021-08-20T17:32:48.863+00:00

    Hi @Bobby P ,

    At all of your customers, service accounts could be identified by some kind of prefix. For instance:
    svc-sqlservice -> generic SQL service account
    svc-CRMsqlservice -> SQL service account from CRM application
    or if "lazy" ;-)
    svc-sql
    svc-CRMsql

    Instead of svc you will find similar prefixes depending on the naming conventions, like s, sv, srv, ...
    The separator varies from - over _ to # depending on customer's naming conventions.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  3. cthivierge 4,056 Reputation points
    2021-08-23T12:45:39.817+00:00

    I think that the name should also describe the service / environment with an incremental number.

    Personally, I do prefer to add something that identifies the service account for the environment. For example, development should look like... svc-sql-dev01... It will be easier to identify the service account.

    I would also look to implement Group Managed Service Account (gMSA). Compared to a standard account, you don't have to manage the password for this account. It changes automatically so it's more secure. Also, you cannot use this account to log in on the server and you can still apply a service principal name to the account if you need Kerberos authentication.

    https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

    hth

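An added example, not written by any of the answerers and not Microsoft's own script: provisioning a per-instance gMSA in PowerShell using the svc-sql-dev01 naming pattern from the last answer. The domain `contoso.example`, the host `sqldev01`, the group `grp-gmsa-sqldev01` and port 1433 are assumed placeholders.

```powershell
# Added example. Everything except the svc-sql-dev01 pattern is an assumed placeholder.
Import-Module ActiveDirectory

$Name     = 'svc-sql-dev01'              # one account per instance and environment
$Domain   = 'contoso.example'            # assumed AD domain
$HostFqdn = "sqldev01.$Domain"           # assumed SQL Server host
$Group    = 'grp-gmsa-sqldev01'          # assumed group holding only this host's computer account

# gMSA names are limited to 15 characters, which constrains the naming convention.
if ($Name.Length -gt 15) {
    throw "gMSA name '$Name' is longer than 15 characters"
}

# gMSA passwords are derived from the forest's KDS root key; stop if none exists.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found; a domain admin must run Add-KdsRootKey first'
}

# Create the account. Only members of $Group may retrieve the managed password,
# so another server's service cannot start under this identity.
New-ADServiceAccount -Name $Name `
    -DNSHostName "$Name.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $Group `
    -KerberosEncryptionType AES128, AES256 `
    -ServicePrincipalNames "MSSQLSvc/$HostFqdn", "MSSQLSvc/${HostFqdn}:1433"

# --- Run the rest on the SQL Server host itself ---
Install-ADServiceAccount -Identity $Name
if (-not (Test-ADServiceAccount -Identity $Name)) {
    throw "Host cannot retrieve the password for $Name; check group membership"
}

# Assign the account to the service in SQL Server Configuration Manager as
# DOMAIN\svc-sql-dev01$ (note the trailing $) and leave the password blank.

# Audit: list the identity each SQL Server engine service runs under.
# A StartName ending in $ is a managed account; 'NT Service\...' is a virtual account.
Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%'" |
    Select-Object Name, StartName, State
```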