What user account would you recommend running the SQL Server Express 2008 services in a development environment?

sql-server installation development-environment account
Magnus Lindhe picture Magnus Lindhe · Sep 15, 2008 · Viewed 61.3k times · Source

The SQL Server Express 2008 setup allow you to assign different user account for each service.

For a development environment, would you use a domain user, local user, NT Authority\NETWORK SERCVICE, NT Authority\Local System or some other account and why?

Answer

Joe Kuemerle picture Joe Kuemerle · Sep 15, 2008

Local System is not recommended, it is an administrator equivalent account and thus can lead to questionable coding that takes advantage of administrator privileges which would not be allowed in a production system since security conscious Admins/DBA's really don't like to run services as admin.

Depending on if the server instance will need to access other domain resources or not should determine which type of low privilege account it should run under.

If it does not need to access any (non-anonymous) domain resources than I normally create a unique local, low privilege account for it to run under in order to gain the additional security benefit of not having multiple services running in the same identity context. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services.

If it does need to access non-anonymous domain resources then you have three options:

  1. Run as Network Service which is also a low privilege account but one that retains the computers network credentials.
  2. Run under a Local Service Account
  3. Run under a custom domain account with low local privileges. One advantage to running under the developers account is that it is easier to attach debuggers to processes in your own identity without compromising security so debugging is easier (since non-Admin accounts do not have the privilege to attach a debugger to another identities process by default). A disadvantage to using another domain account is the overhead of managing those accounts, especially since each service for each developer should ideally have unique credentials so you do not have any leaks if a developer were to leave.

Most of what I tend to do does not require the service to access domain resources so I tend to use unique local low privilege accounts that I manage. I also run exclusively as a non-admin user (and have done so under XP SP2, Server 2003, Vista and Server 2008 with no major problems) so when I have cases where I need the service to access domain resources then I have no worries about using my own domain credentials (plus that way I don't have to worry the network admins about creating/maintaining a bunch of non-production domain identities).

Related questions

What accounts to use when installing SQL Server 2008 Developer

I am installing SQL Server 2008 Developer here, and on the Server Configuration step of the installation it asks me about Service Accounts. What do I choose here? I can see the available ones in the screen shot, although on most …

Read More
How to install SQL Server Management Studio 2012 (SSMS) Express?

I just installed SQL Server 2012 Express, I can connect with database from VS2012RC. Database is working :) I use Win7 SP1 64bit. I download program from page I choose ENU\x64\SQLManagementStudio_x64_ENU.exe I want to install Management …

Read More
How do I fix a "Performance counter registry hive consistency" when installing SQL Server R2 Express?

I'm trying to install SQL Server 2008 R2 Express from this site: http://www.microsoft.com/express/database/ I have a 64-bit, Windows 7 machine. I have tried both the 32-bit and 64-bit versions but each fail on "Performance counter registry hive …

Read More