I'm trying to finalize my service account standards for SQL Server 2000 and
2005.   Here is what I have.  Does anyone have comments on these standards:



Standards for setting up SQL Server service accounts:

·        Set up a different domain account for each service if network
resources are needed.  If no network resources are needed then a local
account should be set up for those services that no not need network
resource.  Justification: This allows rights to be assigned differently
depending on the service.  Also allows for better audit trail of determine
where commands are coming from.  Also minimizes security risks by only
allowing network resources to those services that need them.

·        Give each domain account only the network permissions they require.
Justification: Minimize security risks.  Service accounts only need the
necessary permissions to perform the actions required for the service.  Any
additional permission opens the door for a service to gain access to
resources they should have.

·        Each domain account should be set up with a password that never
expires, although DBA’s should develop procedures that periodically change
the passwords for these service accounts.  Justification:  You don’t want
service accounts to stop working because a password expired.  But you do want
to periodically change the password to minimize security risks associated
with never changing passwords.

·        Do not place the domain account of a service into the local
Administrators group.  Justification: Minimizes security risks.  Giving a
service account local Admin rights increase the risk of someone exploiting
the service account to gain access and/or grant permissions to machine
resources without authorization.

·        Do not place a service account into a local group, or domain group.
Justification: Minimizes security risks.  Placing a service account into a
group implies that two services would have the same rights.  The idea of
having separate accounts for each service is so rights can be assigned
specifically to what a service needs.  Placing a service account into a group
would defeat the goal of having specific right for a given service.

·        Revoke ”interactive login” permission for each services account.
Justification:  This will keep people from using this account to login into
server.  If you need to login with the service account for setup purposes
(such as to set up the Outlook Client) then these right should only be grant
temporarily while you are doing the setup.