Information Systems Design and Development

Change SQL Server 2005 Service Accounts to use local Windows accounts

I vastly prefer to use active directory domain accounts for the SQL Server services.  It allows access to domain resources like network drives and other SQL instances.  Still, some situations may not allow it.  In those cases it's vastly more secure to use local Windows accounts over the default local system account.  This effectively limits your SQL injection attack exposure to actual database resources - rather than the entire server. 

I just document the changes for SQL Server and SQL Agent, but the other SQL services are the same.  Here's the process:

Create local Windows accounts for SQLServer and SQLAgent.  For both accounts uncheck “User must change password at next logon” and check “User cannot change password” and “Password never expires”.

Open the Local Security Settings applet and go to Security Settings -> Local Policies -> User Rights Assignment and add SQLServer and SQLAgent to the setting “Deny log on locally”.

In SQL Server Management Studio add the SQLServer SQLAgent as  sysadmins by executing:

USE [master]
GO
DECLARE @NewLoginName nvarchar(255)
DECLARE @cmd nvarchar(1024)
SET @NewLoginName = @@SERVERNAME + '\SQLAgent'
SET @cmd = 'CREATE LOGIN [' + @NewLoginName
SET @cmd = @cmd + '] FROM WINDOWS WITH DEFAULT_DATABASE=[master]'
EXEC sp_executesql @cmd
EXEC master..sp_addsrvrolemember @loginame = @NewLoginName, @rolename = N'sysadmin'
SET @NewLoginName = @@SERVERNAME + '\SQLServer'
SET @cmd = 'CREATE LOGIN [' + @NewLoginName
SET @cmd = @cmd + '] FROM WINDOWS WITH DEFAULT_DATABASE=[master]'
EXEC sp_executesql @cmd
EXEC master..sp_addsrvrolemember @loginame = @NewLoginName, @rolename = N'sysadmin'
GO

In SQL Server Configuration Manager change the service accounts by right clicking on SQL Server and SQL Server Agent.

Start SQL Server Enterprise Manager and change the service accounts by right clicking on the SQL Instance and SQL Server Agent.

In SQL Server Management Studio remove the system account by executing:

DROPLOGIN [NT Authority\System]
GO

The most likely things to break are SSIS packages and backup/maintenance jobs so they should be tested if possible to verify if additional file system permissions are required for SQLAgent.