
SQL Server 2012 and Virtual Service Accounts

This post is written by David Postlethwaite
If you are using SQL Server 2012 you will probably have noticed that the default account for the SQL services has changed from that used in previous versions. With SQL 2005 and 2008 the default account for the SQL Server service and the SQL Agent service was “NT Authority\System”. This is one of the built-in accounts on a Windows machine, managed by the machine itself and selectable from a dedicated dropdown list.
The Network Service account was introduced in Windows 2003 as an alternative to using the LocalSystem account, which has full local system privileges on the local machine, a major security concern.
The Network Service account has limited local privileges, which eases these security concerns, but when many services on a machine run as Network Service it becomes harder to track which service is actually accessing resources and performing actions, because they all share the one Network Service account.
Also, this account, by default, has sysadmin permissions on your instance.
Most people change their service accounts to a local or domain account with limited permissions. This introduces another security problem: this account has a password that could be hacked and used to launch some sort of attack. Changing the password of a service account regularly can be problematic, though programs like Secret Server can alleviate this (www.thycotic.com).
To try and resolve some of these problems, Windows 2008 R2 and above introduced a new type of account called a virtual account.
Virtual accounts emulate creating many unique instances of the Network Service account, so each service runs with its own instance of the Network Service account. These unique instances of Network Service make auditing and tracking much easier.
You won’t find these virtual accounts listed in Local Users and Groups or Active Directory Users; they cannot be created, deleted, or edited and you can’t change their password. They are not in the built-in account list and you won’t find them if you browse for an account.
When you install SQL 2012 on Windows Server 2008 R2 or Windows 7 and later you’ll see the services run with virtual service accounts named like:
NT Service\MSSQLSERVER or NT Service\MSSQL$<Instance Name>
NT Service\SQLSERVERAGENT or NT Service\SQLAGENT$<Instance Name>
If you change your service account and later want to switch back to using the virtual account, you have to type the name in yourself: because it doesn’t really exist anywhere, you can’t use the browse option to find it.
You also don’t know the password, so you can’t type it into the appropriate box; if you do, it will tell you it’s wrong. But if you leave the password fields blank and click Apply, Windows will apply the correct password for you and grant the virtual account the “Log on as a service” right.
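Because virtual accounts are invisible in the usual account pickers, the quickest way to see which SQL services have actually been moved onto them is to read the account name each service starts with. The PowerShell below is an added example, not part of the original post: it lists the SQL Server and SQL Agent services on a host and classifies each start account as a virtual account (the NT Service\… names above), LocalSystem, Network/Local Service, a managed service account or an ordinary password-bearing user account. The function names and the service-name filter are my own choices; the WMI class and properties used are standard.

```powershell
# Added example: audit which account type each SQL Server service runs under.
# Classification of Win32_Service.StartName; patterns are case-insensitive.
function Get-SqlServiceAccountType {
    param([Parameter(Mandatory)][string]$StartName)
    switch -Regex ($StartName) {
        '^NT Service\\'                         { 'VirtualAccount'; break }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'  { 'LocalSystem'; break }
        '^NT AUTHORITY\\Network ?Service$'      { 'NetworkService'; break }
        '^NT AUTHORITY\\Local ?Service$'        { 'LocalService'; break }
        '\$$'                                   { 'ManagedServiceAccount'; break } # gMSA/sMSA names end in $
        default                                 { 'UserAccount' }                  # local/domain account with a password
    }
}

# One row per SQL engine / Agent service found on the target machine.
# Remote queries go over WinRM, so the caller needs rights on that host.
function Get-SqlServiceAccountReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Hypothetical filter: default and named instances of the engine and Agent
    $filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT'"
    Get-CimInstance -ClassName Win32_Service -Filter $filter -ComputerName $ComputerName |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $ComputerName
                Service     = $_.Name
                StartName   = $_.StartName
                AccountType = Get-SqlServiceAccountType -StartName $_.StartName
                StartMode   = $_.StartMode
                State       = $_.State
            }
        }
}

# Show everything, then highlight the services that still carry a real password
# or full local-system privilege, i.e. the cases the post argues against.
$report = Get-SqlServiceAccountReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.AccountType -in 'UserAccount', 'LocalSystem' } |
    ForEach-Object { Write-Warning "$($_.Service) runs as $($_.StartName) ($($_.AccountType))" }
```

Run it from an elevated prompt on the SQL host, or pass -ComputerName to sweep a remote server that has WinRM enabled.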
One drawback of a virtual account is that it only has permissions to the local machine. If your SQL Server requires access to a network share or something on another machine then you will have to revert to a domain account.
But overall, virtual service accounts are a step in the right direction in securing our databases from attack.
More information can be found at http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx
Comments

  1. Greetings, this was a great post and helped get me to the right MSDN article - thanks! On your comment about "access to a network share", there's a note deeper in the MSDN article under "File System Permissions Related to Unusual Disk Locations" that explains how the SQL Server "virtual accounts use the permission of machine account." Therefore on a network share you can "Provision the machine account in the format domain_name\computer_name$.", and voila, your security-limited SQL Server can now get to a network folder, no domain service account needed.
  2. Thanks for the comment, Will. I'm glad you liked the article. That's good to know; learn something new every day. I'll be sure to pass your comment on to David too; he'll be very interested in it.
  3. This was a lifesaver - thanks so much!
