patternsqlMinor
What are the risks (if any) of sharing a service account on more than one server?
Viewed 0 times
thewhatareanymorethanrisksaccountoneservice
Problem
I use domain accounts for SQL Server service accounts. Sometimes, when I have multiple servers that are logically or thematically related, I'll use the same set of domain accounts for the service accounts on all of them. The user account permissions on each server may be different, but there's usually a lot of overlap.
The gist of my question is this: can a user with access to one instance, but not the other, exploit the shared service accounts to gain access to the other server?
Here's the specific situation I'm trying to address:
To date, I've never particularly questioned the security implications, since these servers have a common purpose and user base, even if the specific user permissions may differ.
Now, we're about to add a third instance, let's call it org-sql-rpt. This one is a good thematic fit with the others, but there's one key difference: we're going to allow an external partner (i.e. not an employee of our org) access to this server, like so:
Given that, should I worry about reusing the domain accounts as service accounts for this new instance? Is there any risk that this person could use their legitimate credentials on org-sql-rpt to gain access to either org-s
The gist of my question is this: can a user with access to one instance, but not the other, exploit the shared service accounts to gain access to the other server?
Here's the specific situation I'm trying to address:
- I have two servers with default SQL instances, call them org-sql-1 and org-sql-2.
- I use a domain account for each service, so I'd have mydomain\orgDBService, mydomain\orgAgentService, etc. (although I'm not sure that's strictly relevant -- I think I'd have the same question if I used a single account for all services).
- But I reuse these domain accounts on both servers, so the database service on both org-sql-1 and org-sql-2 runs under mydomain\orgDBService, for example.
To date, I've never particularly questioned the security implications, since these servers have a common purpose and user base, even if the specific user permissions may differ.
Now, we're about to add a third instance, let's call it org-sql-rpt. This one is a good thematic fit with the others, but there's one key difference: we're going to allow an external partner (i.e. not an employee of our org) access to this server, like so:
- Their credentials will own (belong to db_owner) a couple databases.
- But they won't belong to any Server Roles (other than public, of course).
- They may have admin access to the OS desktop for a limited time, prior to making this server live.
- They won't know the passwords for the service accounts.
Given that, should I worry about reusing the domain accounts as service accounts for this new instance? Is there any risk that this person could use their legitimate credentials on org-sql-rpt to gain access to either org-s
Solution
Risk mitigation would indicate creating a separate account for each service on each machine. The level of work required to create the accounts necessary is extremely minimal, but the unknown risks that accompany not doing so are quite high, according to Microsoft's own recommendations.
Microsoft Best Practices recommend using separate service accounts for all services.
See http://msdn.microsoft.com/en-us/library/ms144228.aspx#isolated_services for details.
The salient points being:
Isolate Services
Isolating services reduces the risk that one compromised service could be used to compromise others. To isolate services, consider the following guidelines:
Run separate SQL Server services under separate Windows accounts. Whenever possible, use separate, low-rights Windows or Local user accounts for each SQL Server service. For more information, see Configure Windows Service Accounts and Permissions.
There is also a KB talking about securing SQL Server that mentions how to configure service accounts properly:
http://support.microsoft.com/kb/2160720
When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported. For more details please refer to Books Online Topic Setting Up Windows Service Accounts.
Technet has an article, titled Configure Windows Service Accounts and Permissions at http://technet.microsoft.com/en-us/library/ms143504.aspx that has this to say:
Security Note: Always run SQL Server services by using the lowest possible user rights. Use a MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.
"MSA" in the above paragraph refers to "Managed Service Accounts" which is the default for installations on Windows 7 or Windows Server 2008 R2 and above. Managed Service Accounts are defacto unique to each machine.
As an aside, one issue I think about when configuring multiple servers to run under the same service account is account lockouts. If you use a single service account for all SQL Servers, and the service account gets locked out, all your servers might be affected. If you have one account per service, at most one server can be affected by a lockout.
Microsoft Best Practices recommend using separate service accounts for all services.
See http://msdn.microsoft.com/en-us/library/ms144228.aspx#isolated_services for details.
The salient points being:
Isolate Services
Isolating services reduces the risk that one compromised service could be used to compromise others. To isolate services, consider the following guidelines:
Run separate SQL Server services under separate Windows accounts. Whenever possible, use separate, low-rights Windows or Local user accounts for each SQL Server service. For more information, see Configure Windows Service Accounts and Permissions.
There is also a KB talking about securing SQL Server that mentions how to configure service accounts properly:
http://support.microsoft.com/kb/2160720
When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported. For more details please refer to Books Online Topic Setting Up Windows Service Accounts.
Technet has an article, titled Configure Windows Service Accounts and Permissions at http://technet.microsoft.com/en-us/library/ms143504.aspx that has this to say:
Security Note: Always run SQL Server services by using the lowest possible user rights. Use a MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted directly to a service SID, where a service SID is supported.
"MSA" in the above paragraph refers to "Managed Service Accounts" which is the default for installations on Windows 7 or Windows Server 2008 R2 and above. Managed Service Accounts are defacto unique to each machine.
As an aside, one issue I think about when configuring multiple servers to run under the same service account is account lockouts. If you use a single service account for all SQL Servers, and the service account gets locked out, all your servers might be affected. If you have one account per service, at most one server can be affected by a lockout.
Context
StackExchange Database Administrators Q#72858, answer score: 7
Revisions (0)
No revisions yet.