hermanthehermit asked

Does the SQL service account need to be in SQL logins?

NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT are both showing in the server Security Logins. Do they need to be there when the local services SQL Server and SQL Server Agent are under different service accounts?
sql-server-2012 service-account

JohnM answered
In theory, you should be able to remove it without things breaking as long as the services are running under a different account. That would help to reduce the attack surface of the instance. Note: I've actually never tried this so if you do, reply back here with the results. Hope that helps!

hermanthehermit answered
At first, I was hesitant to try, but thanks for the encouragement. Both service accounts were deleted from logins. But the domain service accounts have to be configured as follows for it to work:

- server role = sysadmin
- in msdb, database roles = SQLAgentOperatorRole; SQLAgentReaderRole; SQLAgentUserRole

If you're not comfortable assigning sysadmin, try setting up a proxy. This I haven't tried yet. Thanks, John.
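A read-only check for the situation discussed in this thread, added here as an example and not posted by either participant: it lists the accounts the services run as, the NT SERVICE and run-as logins with their direct sysadmin membership, and who holds the three msdb SQL Agent roles. It assumes the `service_account` value reported by `sys.dm_server_services` matches the login name as stored in `sys.server_principals`.

```sql
-- Added example: inventory only, makes no changes.

-- 1) Accounts the SQL Server and SQL Server Agent services actually run as.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 2) Per-service virtual account logins and the run-as accounts,
--    with direct membership in sysadmin (membership inherited through
--    a Windows group login is not shown by this query).
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       CASE WHEN EXISTS (
                SELECT 1
                FROM sys.server_role_members AS rm
                JOIN sys.server_principals AS r
                  ON r.principal_id = rm.role_principal_id
                WHERE rm.member_principal_id = sp.principal_id
                  AND r.name = N'sysadmin')
            THEN 1 ELSE 0 END AS direct_sysadmin
FROM sys.server_principals AS sp
WHERE UPPER(sp.name) LIKE N'NT SERVICE\%'   -- no ESCAPE clause, so \ is literal
   OR sp.name IN (SELECT service_account    -- assumption: names match exactly
                  FROM sys.dm_server_services)
ORDER BY sp.name;

-- 3) Members of the msdb SQL Server Agent fixed database roles.
SELECT m.name AS member_name,
       m.type_desc,
       r.name AS msdb_role
FROM msdb.sys.database_role_members AS drm
JOIN msdb.sys.database_principals AS r
  ON r.principal_id = drm.role_principal_id
JOIN msdb.sys.database_principals AS m
  ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'SQLAgentUserRole',
                 N'SQLAgentReaderRole',
                 N'SQLAgentOperatorRole')
ORDER BY r.name, m.name;
```

Saving the output before and after a change to the logins gives a record of exactly which principals and role memberships were altered.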
