Using the proper login account for the correct SQL Service
I was often asked this question:
I'm installing my SQL Server. What should I use as the service account?
There are a few options (Local Account, Network Service, Domain User).
What is the best and most suitable account for the service?
I will try to answer that in this blog post.
It is very important for System Admins (SA) to make sure that SQL Server is highly secured and is not exposed to users and/or applications that don't need access to the SQL Server.
Configuring the permissions and security settings for SQL Server users and logins is one way to do it, but it is also very important to select the correct service account to run SQL Server services.
Domain Account
If the SQL service operates alongside other servers or resources on the network, if the SQL services or applications use linked servers to connect to other SQL Servers, or if your SQL Server uses a cluster architecture, then you may use a domain user account as the SQL service account.
A domain user account is the recommended account for SQL Server services that interact with other servers on the network. Another reason to use a domain user account is that the account is controlled by Windows Active Directory; therefore, domain-level account policies are applied to the service account.
The permissions to apply to the domain user account that runs a SQL service are detailed in this link. It is highly recommended to read and understand all of the required permissions.
Network Service Account
The Network Service account is a built-in account that has access to server resources and objects available to the local user groups. Any SQL service running under Network Service can access network resources with the credentials of the computer account. The account name is NT AUTHORITY\NETWORK SERVICE
Local User Account
When your SQL Server does not interact with other servers, applications or resources on the network, you can use a local user account to run the SQL services.
Local System Account
The Local System account has more permissions than you might think. It is a very highly privileged built-in account created by the OS, and it can act as the computer on the organizational network. Try to minimize the use of the Local System account on your servers by not running services under it. This ensures that other processes cannot take advantage of the enhanced privileges of the system's computer account.
Try to use a domain user account wherever possible for the SQL services (SQL DB Engine, SQL Agent, SSIS, SSRS, SSAS). Use the link above to configure the correct user privileges for the SQL service.
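To check which of the account types above each SQL service on a server actually runs under, the following PowerShell audit can be used. It is an added example, not part of the original post; the function name, the service-name pattern and the CONTOSO sample account are assumptions, and it also recognises NT SERVICE virtual accounts, which the post does not cover.

```powershell
# Added example: classify the logon account of each SQL Server service
# into the account types discussed in the post and flag Local System.
function Get-ServiceAccountType {
    param([string]$StartName, [string]$ComputerName = $env:COMPUTERNAME)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'       { return 'Local System' }
        '^NT AUTHORITY\\NETWORK ?SERVICE$'           { return 'Network Service' }
        '^NT AUTHORITY\\LOCAL ?SERVICE$'             { return 'Local Service' }
        # Per-service virtual account (not covered in the post)
        '^NT SERVICE\\'                              { return 'Virtual account' }
        # ".\name" or "<this computer>\name" is a local user
        "^(\.|$([regex]::Escape($ComputerName)))\\"  { return 'Local user' }
        # "DOMAIN\name" or "name@domain" is a domain user
        '^[^\\]+\\[^\\]+$|@'                         { return 'Domain user' }
        default                                      { return 'Unknown' }
    }
}

# Constructed sample values, so the classifier can be tried on any machine
'LocalSystem', 'NT AUTHORITY\NetworkService', '.\sqlsvc', 'CONTOSO\svc-sql' |
    ForEach-Object { '{0,-30} {1}' -f $_, (Get-ServiceAccountType $_) }

# Assumed service-name prefixes: default and named instances of the
# DB Engine, SQL Agent, SSAS, SSRS and SSIS
$pattern = '^(MSSQLSERVER|MSSQL\$|SQLSERVERAGENT|SQLAgent\$|' +
           'MSSQLServerOLAPService|MSOLAP\$|ReportServer|' +
           'SQLServerReportingServices|MsDtsServer)'

# Live audit of the local machine: one row per SQL service
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $type = Get-ServiceAccountType -StartName $_.StartName
        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State
            Account = $_.StartName
            Type    = $type
            # Local System is the account the post says to avoid
            Review  = $type -in 'Local System', 'Unknown'
        }
    } | Format-Table -AutoSize
```

Rows with Review set to True are the services to move to a domain or local user account, depending on whether the instance needs network resources.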