SQL Server Service Permissions for CRM 4.0

Question

    In planning a CRM 4.0 trial I came across the following statement in the Planning Guide:

    • The service account that SQL Server uses to log on to the network must be either a local system account or a domain administrator account. Installation of Microsoft Dynamics CRM Server will fail if the SQL Server service account is the local administrator.

    This poses a problem for us because we use a normal domain user account for our SQL Server service due to security concerns of using a domain admin account. Even later in the planning guide it says this:

    • Use a low-privilege domain account or the LocalSystem (recommended) account for SQL Server service. This account should have minimal rights in the domain and should help contain (but will not stop) an attack on the server if there is a compromise. In other words, this account should have only local user-level permissions in the domain. If SQL Server is installed by using a Domain Administrator account to run the services, a compromise of SQL Server will lead to a compromise of the whole domain. If you have to change this setting, use SQL Server Enterprise Manager to make the change, because the access control lists (ACLs) on files, the registry, and user rights will be changed automatically.

    We also don't want to use the LocalSystem account for 2 reasons. First, that prohibits us from using any network resources and secondly the SQL Books Online warn against using it.

    "Using the Local System Account

    The Local System account is a highly privileged account; use caution when assigning Local System permissions to SQL Server service accounts.
    Security Note:
    To increase the security of your SQL Server installation, run SQL Server services under a local Windows account with the lowest possible privileges."

    Does anyone know if this is a requirement for install only or does SQL always have to run as LocalSystem or a Domain Admin?

    Monday, March 31, 2008 8:32 PM

Answers

    Interesting question. In fact the planning guide on page 4-41 says:

    The service account that SQL Server uses to log on to the network must be either the Network Service account or a domain user

    thus confusing the situation even further.

    I agree with you in that I would not use Local System or a Domain Administrator account.

    As far as SQL Server itself is concerned it can run as Local System, Network Service, Domain Admin or any ordinary domain user account. An administrator will have to install SQL but the SQL service accounts do not need administrative access to the computer or the domain.

    I personally use a domain user account created specially for SQL (e.g. sqlservice) and give it privileges as required. I usually make the account a member of the local administrators group on a server (though not strictly necessary) and never a domain admin. This works with Microsoft CRM.

    Hope this helps.

    Tuesday, April 1, 2008 7:40 AM
    Moderator
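    The account classes the answer lists (Local System, Network Service, Domain Admin, ordinary domain user) can be checked on the SQL host itself. The script below is an added PowerShell audit, not code from the thread or from Microsoft; it assumes PowerShell 5.1+ run as a local administrator, Get-LocalGroupMember (Windows 10 / Server 2016+) for the local check, and the ActiveDirectory RSAT module for the Domain Admins check (skipped if absent). It also recognises per-service virtual accounts (NT SERVICE\...), which postdate this thread.

```powershell
# Added audit check; not from the thread or from Microsoft. Assumes PowerShell 5.1+ on the
# SQL Server host run as a local administrator; ActiveDirectory module optional (see below).
function Get-SqlServiceAccountRisk {
    [CmdletBinding()]
    param([string]$DomainAdminGroup = 'Domain Admins')

    # Engine services are named MSSQLSERVER (default instance) or MSSQL$<instance>.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'MSSQL%'"
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.Name })
    $domainAdmins = @()
    if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
        $domainAdmins = @(Get-ADGroupMember -Identity $DomainAdminGroup -Recursive |
                          ForEach-Object { $_.SamAccountName })
    }

    foreach ($svc in $services) {
        # Normalise ".\user" (local account) to "HOST\user" so it matches group member names.
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $sam  = ($acct -split '\\')[-1]
        $findings = @()

        switch -Regex ($acct) {
            '^LocalSystem$' {
                $findings += 'Local System: full local privilege; the thread and SQL BOL advise against it'
            }
            '^NT AUTHORITY\\NETWORK ?SERVICE$' {
                $findings += 'Network Service: low local privilege, reaches the network as the computer account'
            }
            '^NT SERVICE\\' {
                $findings += 'Per-service virtual account: least privilege (newer SQL/Windows than the thread)'
            }
            default {
                if ($domainAdmins -contains $sam) {
                    $findings += 'Domain Admins member: a SQL compromise becomes a domain compromise'
                }
                if ($localAdmins -contains $acct) {
                    $findings += 'Local Administrators member: not required by the SQL service, review'
                }
                if ($findings.Count -eq 0) { $findings += 'Ordinary user account, no admin group membership found' }
            }
        }
        [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName; State = $svc.State
                           Findings = $findings -join '; ' }
    }
}

Get-SqlServiceAccountRisk | Format-Table -AutoSize -Wrap
```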

All replies
    Thanks for the response. It does seem odd to me that they would require that level of permissions.
    I'm just going to give it a shot with SQL configured as a domain user and see what happens.

    Tuesday, April 1, 2008 4:42 PM