Planning to re-create new service accounts for our SQL Servers, I wondered whether, from a security perspective, it may be better to have one domain account per service and per server, or to create one domain account per service only and re-use those on the different servers?

DOMAIN\Service-SSRS
DOMAIN\Service-SSAS
DOMAIN\Service-SSIS

vs.

DOMAIN\Service-SQL01-SSRS
DOMAIN\Service-SQL01-SSAS
DOMAIN\Service-SQL01-SSIS
DOMAIN\Service-SQL02-SSRS
DOMAIN\Service-SQL02-SSAS
DOMAIN\Service-SQL02-SSIS
etc.

We are doing this because we want to have a uniform and consistent configuration on all servers, something that is not yet in place today. I feel like having single accounts for every server might allow more flexibility and so is counterproductive...

Are there specific pros / cons? Is there a lot of usage of having separate service accounts for every server?

Magier

2 Answers

Separate service accounts for each server and for each service will restrict any issues to just one server and just one service in the following cases:

  1. Service account getting compromised
  2. Service account getting locked out
  3. Service account password changed
  4. Service account getting disabled/deleted/renamed by mistake

Imagine what would happen with a single service account if you entered the service credentials wrong a handful of times (scripts are great for this): you would lock out the account and tear down the whole SQL Server farm. Not good.

spaghettidba

I would suggest that hackers love "uniform and consistent configuration on all servers", especially when it comes to security, because if they can crack open one server, they possibly have access to other servers. Best practices (https://support.microsoft.com/en-us/kb/2160720) generally suggest a different service account for EACH SQL service on a given server, and using the SAME service account across multiple servers is highly discouraged.

Scott Hodgin - Retired
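
The containment argument made in both answers can be checked against an existing estate. The PowerShell below is an added example, not code from the question or from either answer: the inventory rows are constructed, and the function name `Get-ServiceAccountReach` is hypothetical. For each account it reports how many servers and services a lockout, password change, deletion or compromise of that account would touch.

```powershell
# Constructed sample inventory mixing the two naming schemes from the question.
# On a live estate, rows of the same shape can be collected with:
#   Get-CimInstance -ClassName Win32_Service -ComputerName $servers |
#       Select-Object PSComputerName, Name, StartName
$inventory = @(
    [pscustomobject]@{ Server = 'SQL01'; Service = 'SSRS'; Account = 'DOMAIN\Service-SSRS' }
    [pscustomobject]@{ Server = 'SQL02'; Service = 'SSRS'; Account = 'DOMAIN\Service-SSRS' }
    [pscustomobject]@{ Server = 'SQL01'; Service = 'SSAS'; Account = 'DOMAIN\Service-SQL01-SSAS' }
    [pscustomobject]@{ Server = 'SQL02'; Service = 'SSAS'; Account = 'DOMAIN\Service-SQL02-SSAS' }
    [pscustomobject]@{ Server = 'SQL01'; Service = 'SSIS'; Account = 'DOMAIN\Service-SQL01-SSIS' }
    [pscustomobject]@{ Server = 'SQL02'; Service = 'SSIS'; Account = 'domain\service-sql01-ssis' }
)

function Get-ServiceAccountReach {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$Inventory
    )

    # Group-Object compares strings case-insensitively by default, which matches
    # how Active Directory treats account names.
    $Inventory | Group-Object -Property Account | ForEach-Object {
        $servers  = @($_.Group | ForEach-Object { $_.Server } | Sort-Object -Unique)
        $affected = @($_.Group | ForEach-Object { '{0}/{1}' -f $_.Server, $_.Service })

        [pscustomobject]@{
            Account      = $_.Group[0].Account
            ServerCount  = $servers.Count        # servers hit by one lockout or compromise
            ServiceCount = $affected.Count       # service instances running as this account
            Shared       = ($servers.Count -gt 1)
            Affected     = ($affected -join ', ')
        }
    } | Sort-Object -Property ServerCount, ServiceCount -Descending
}

# List only the accounts whose failure would not stay on a single server.
Get-ServiceAccountReach -Inventory $inventory |
    Where-Object { $_.Shared } |
    Format-Table -AutoSize -Wrap
```

An empty result means every account is confined to one server, which is the per-server, per-service layout both answers recommend.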