I am attempting to implement tighter security on my instances of SQL Server 2005. One of my tasks is to make sure that the service account for the SQL Server service has the minimum privileges necessary to run the service. I thought I had everything configured correctly, but then I realized that the "SQLServer2005MSSQLUser" Windows group was a member of the "sysadmin" fixed server role. I do not want the service account to be a sysadmin, so I removed the service account from this group.
Everything seemed to be working, until I received a call from one of our developers. He was attempting to execute a stored procedure, and he kept getting the following error: "An error occurred during decryption".
I looked up the error, and found out it is related to the service master key. I am using the same service account that I did when I installed SQL Server, so I am baffled as to why I am receiving this error. The error was resolved when I added the service account back to the "SQLServer2005MSSQLUser" Windows group and restarted the SQL Server service.
Do have any idea what might be happening here?
SQL Server has a dependancy that the service account be a member of the sysadmin fixed server role. Removing the service account from sysadmin is currently unsupported.
If you want to remove the group from the sysadmin list you could manually add the service account to sysadmin and then remove the group. This will make changing service accounts non-automated since we add/remove accounts to this group and ACL many items to the local group.
hth,
--Steven Gott
S/DET
SQL Server
|||I thought that only the SQL Server Agent security account was required to be a sysadmin. Books Online is a lot clearer about the requirement that the Agent account be a sysadmin than it is that the SQL Server service account be a sysadmin. I see now that I have to rethink the other SQL Server services, since I do not want those services to use an account with sysadmin privileges unless it is absolutely necessary.
Thanks for the information.
Ken
No comments:
Post a Comment