Monday, 13 January 2014

SQL Server 2012 and Virtual Service Accounts

This post is written by David Postlethwaite
If you are using SQL Server 2012 you will probably have noticed that the default account for the SQL services has changed from that used in previous versions. With SQL 2005 and 2008 the default account for the SQL Server service and SQL Agent service was “NT Authority\System”. This is one of the built-in accounts on a Windows machine, managed by the machine itself and selectable from a dedicated dropdown list.
The Network Service account was introduced in Windows 2003 as an alternative to using the LocalSystem account, which has full local system privileges on the local machine, a major security concern.
The Network Service account has limited local privileges, which eases these security concerns, but when many services on a machine use it, it becomes harder to track which service is actually accessing resources and performing actions, because all of those services are using the one Network Service account.
Also, this account, by default, has sysadmin permissions on your instance.
Most people change their service accounts to a local or domain account with limited permissions. This introduces another security problem in that this account has a password that could be hacked and used to launch some sort of attack. Changing the password of a service account regularly can be problematic though programs like Secret Server can alleviate this (
To try and resolve some of these problems, Windows 2008 R2 and above introduced a new type of account called a virtual account.
Virtual accounts emulate creating many unique instances of the Network Service account, so each service runs with its own instance of the Network Service account. These unique instances of Network Service make auditing and tracking much easier.
You won’t find these virtual accounts listed in Local Users and Groups or Active Directory Users; they cannot be created, deleted, or edited and you can’t change their password. They are not in the built-in account list and you won’t find them if you browse for an account.
When you install SQL 2012 on Windows Server 2008 R2 or Windows 7 and later you’ll see the services run with virtual service accounts named like:
NT Service\MSSQLSERVER or NT Service\MSSQL$<Instance Name>
NT Service\SQLSERVERAGENT or NT Service\SQLAGENT$<Instance Name>
If you change your service account and later want to switch back to the virtual account, you have to type the name in yourself: because the account doesn’t really exist anywhere, you can’t use the browse option to find it.
You also don’t know the password, so you can’t type it into the appropriate box; if you do, it will tell you it’s wrong. But if you leave the password fields blank and click Apply, Windows will apply the correct password for you and grant the virtual account the “log on as a service” right.
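As an added example (not part of David's post), the following PowerShell audits which Windows account each SQL Server and SQL Agent service on a machine runs under, so you can spot services still on LocalSystem or the shared Network Service account rather than an NT Service\ virtual account. It assumes PowerShell 3.0 or later (for Get-CimInstance) and that the computer name you pass is one you can query over WMI; the service-name filter and the classification labels are my own.

```powershell
# Added example, not from the original post: classify SQL Server service accounts.
# Assumes PowerShell 3.0+ and WMI access to the target machine.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# SQL Server service names: MSSQLSERVER / MSSQL$<Instance>, SQLSERVERAGENT / SQLAgent$<Instance>
$filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name = 'SQLSERVERAGENT'"
$services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter $filter

foreach ($svc in $services) {
    # StartName is the account the service logs on with, e.g. "NT Service\MSSQLSERVER"
    $account = $svc.StartName

    $kind = switch -Regex ($account) {
        '^LocalSystem$' {
            'Built-in LocalSystem (full local privileges)'; break
        }
        '^NT AUTHORITY\\(NetworkService|LocalService)$' {
            'Built-in shared service account (hard to audit per service)'; break
        }
        '^NT Service\\' {
            'Virtual account (per-service, no password to manage)'; break
        }
        default {
            'Local or domain user account (has a password to manage)'
        }
    }

    [pscustomobject]@{
        Computer = $ComputerName
        Service  = $svc.Name
        State    = $svc.State
        Account  = $account
        Kind     = $kind
    }
}
```

Pipe the output to Format-Table or Export-Csv to review several machines at once; any row whose Kind is not the virtual-account line is a candidate for the change described above.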
One drawback of a virtual account is that it only has permissions to the local machine. If your SQL Server requires access to a network share or something on another machine then you will have to revert to a domain account.
But overall, virtual service accounts are a step in the right direction in securing our databases from attack.
More information can be found at


  1. Greetings, this was a great post and helped get me to the right MSDN article - thanks! On your comment about "access to a network share", there's a note deeper in the MSDN article under "File System Permissions Related to Unusual Disk Locations" that explains how the SQL Server "virtual accounts use the permission of machine account." Therefore on a network share you can "Provision the machine account in the format domain_name\computer_name$.", and voila, your security-limited SQL Server can now get to a network folder, no domain service account needed.

  2. Thanks for the comment, Will. I'm glad you liked the article... That's good to know, learn something new every day... I'll be sure to pass your comment on to David too; he'll be very interested in it.

  3. This was a lifesaver - thanks so much!

