Monday, 13 January 2014

SQL Server 2012 and Virtual Service Accounts

This post is written by David Postlethwaite
If you are using SQL Server 2012 you will probably have noticed that the default account for the SQL services has changed from that used in previous versions. With SQL 2005 and 2008 the default account for the SQL Server service and the SQL Agent service was “NT Authority\System”. This is one of the built-in accounts on a Windows machine, managed by the machine itself and selectable from a dedicated dropdown list.
The Network Service account was introduced in Windows 2003 as an alternative to using the LocalSystem account, which has full local system privileges on the local machine, a major security concern.
The Network Service account has limited local privileges, which eases these security concerns, but when many services on a machine use the Network Service account it becomes harder to track which service is actually accessing resources and performing actions, because all of those services share the one Network Service account.
Also, this account, by default, has sysadmin permissions on your instance.
Most people change their service accounts to a local or domain account with limited permissions. This introduces another security problem: the account has a password that could be stolen or cracked and used to launch some sort of attack. Changing the password of a service account regularly can be problematic, though products like Secret Server can alleviate this (www.thycotic.com).
To address some of these problems, Windows 2008 R2 and above introduced a new type of account called a virtual account.
Virtual accounts emulate creating many unique instances of the Network Service account, so each service runs with its own instance of the Network Service account. These unique instances of Network Service make auditing and tracking much easier.
You won’t find these virtual accounts listed in Local Users and Groups or Active Directory Users. They cannot be created, deleted or edited, and you can’t change their password. They are not in the built-in account list and you won’t find them if you browse for an account.
When you install SQL 2012 on Windows Server 2008 R2 or Windows 7 and later you’ll see the services run with virtual service accounts named like:
NT Service\MSSQLSERVER or NT Service\MSSQL$<Instance Name>
NT Service\SQLSERVERAGENT or NT Service\SQLAGENT$<Instance Name>
If you change your service account and later want to switch back to using the virtual account, you have to type the name in yourself: because it doesn’t really exist anywhere, you can’t use the browse option to find it.
You also don’t know the password so you can’t type that into the appropriate box. If you do it will tell you it’s wrong. But if you leave the password fields blank and click Apply then Windows will apply the correct password for you and give the virtual account “login as a service” permissions.
One drawback of a virtual account is that it only has permissions on the local machine. If your SQL Server requires access to a network share or something on another machine then you will have to revert to a domain account.
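As an added example (not code from the original post), here is a small PowerShell audit that lists each SQL Server service together with the kind of account it runs under, so services still using LocalSystem, a shared built-in account or a password-bearing local/domain account stand out from those on virtual accounts. The function names and the sample data are constructed for this example; on a real server the report reads the services through Win32_Service.

```powershell
# Classify a service logon name by the account types discussed above.
# Win32_Service reports LocalSystem as 'LocalSystem' and the built-in accounts
# as 'NT AUTHORITY\NetworkService' / 'NT AUTHORITY\LocalService'.
function Get-SqlServiceAccountKind {
    param([Parameter(Mandatory)][string]$StartName)
    $local = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    if     ($StartName -match '^NT Service\\')                              { 'VirtualAccount' } # NT Service\MSSQLSERVER, NT Service\MSSQL$INST
    elseif ($StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$')       { 'LocalSystem' }    # full local privileges
    elseif ($StartName -match '^NT AUTHORITY\\(Network ?Service|Local ?Service)$') { 'SharedBuiltIn' } # shared by many services, hard to audit
    elseif ($StartName -match $local)                                       { 'LocalUser' }      # has a password to protect
    else                                                                    { 'DomainUser' }     # has a password; needed for network shares
}

# Build the report. Without -Services it queries the live SQL Server services.
function Get-SqlServiceAccountReport {
    param(
        [object[]]$Services = (Get-CimInstance Win32_Service -Filter
            "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT'")
    )
    foreach ($svc in $Services) {
        $kind = Get-SqlServiceAccountKind -StartName $svc.StartName
        [pscustomobject]@{
            Service = $svc.Name
            Account = $svc.StartName
            Kind    = $kind
            Review  = ($kind -ne 'VirtualAccount')   # anything not on a virtual account deserves a look
        }
    }
}

# Constructed sample input (hypothetical instance names) so the report can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'NT Service\MSSQLSERVER' },
    [pscustomobject]@{ Name = 'MSSQL$INST2';    StartName = 'NT AUTHORITY\NetworkService' },
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'CONTOSO\svc_sqlagent' },
    [pscustomobject]@{ Name = 'SQLAgent$INST2'; StartName = 'LocalSystem' }
)
Get-SqlServiceAccountReport -Services $sample | Format-Table -AutoSize

# On a real server: Get-SqlServiceAccountReport | Format-Table -AutoSize
```

Only the first sample service comes back with Review = False; the other three show the account types the post warns about.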
But overall, virtual service accounts are a step in the right direction in securing our databases from attack.
More information can be found at http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx