Previous Disable Windows Guest Account Setup Kerberos Authentication Next

Setup Service Permissions

It is recommended that specific permissions are set on the Windows Services associated with SQL Server.

The permissions in the following table are designed to allow proper functioning of SQL Server, and proper management of it by the DBA team.

The current version of SQL FineBuild does not apply these permissions. It is recommended that they are configured and enforced by the use of a GPO.

Service Name Read, Write, Start/Stop/Pause Read Start Mode
Event Log (local) Administrators DBA Sysadmin Group Automatic
Internal Name: Eventlog DBA Non-Admin Group
SQL Service Accounts
Remote Procedure Call (RPC) (local) Administrators DBA Sysadmin Group Automatic
Internal Name: RpcSs DBA Non-Admin Group
SQL Service Accounts
.NET Runtime Optimization Service v2.0.50727_x86 (local) Administrators DBA Non-Admin Group Manual
Internal Name: clr_optimization_v2.0.50727_32 DBA Sysadmin Group
(Windows 2003 only) SQL Service Accounts
.NET Runtime Optimization Service v2.0.50727_X64 (local) Administrators DBA Non-Admin Group Manual
Internal Name: clr_optimization_v2.0.50727_64 DBA Sysadmin Group
(Windows 2003 only) SQL Service Accounts
Distributed Transaction Coordinator (local) Administrators Network Service Automatic
Internal Name: MSDTC DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
Microsoft .NET Framework NGEN v2.0.50727_x86 (local) Administrators DBA Non-Admin Group Manual
Internal Name: clr_optimization_v2.0.50727_32 DBA Sysadmin Group
(Windows 2008 and above) SQL Service Accounts
Microsoft .NET Framework NGEN v2.0.50727_X64 (local) Administrators DBA Non-Admin Group Manual
Internal Name: clr_optimization_v2.0.50727_64 DBA Sysadmin Group
(Windows 2008 and above) SQL Service Accounts
SQL Active Directory Helper Service Manual
Internal name: MSSQLServerADHelper100
SQL Full-text Filter Daemon Launcher (MSSQLSERVER) (local) Administrators Network Service Manual
Internal Name: MSSQLFDLauncher DBA Sysadmin Group DBA Non-Admin Group
(SQL 2005 only) SQL Service Accounts
SQL Server (MSSQLSERVER) (local) Administrators Network Service Automatic
Internal Name: MSSQLServer DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Agent (MSSQLSERVER) (local) Administrators Network Service Automatic
Internal Name: SQLSERVERAGENT DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Analysis Services (MSSQLSERVER) (local) Administrators Network Service Automatic
Internal Name: MSSQLServerOLAPService DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Browser (local) Administrators Network Service Automatic
Internal Name: SQLBrowser DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Integration Services 10.0 (local) Administrators Network Service Automatic
Internal Name: MsDtsServer100 DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Reporting services (MSSLSERVER) (local) Administrators Network Service Automatic
Internal Name: ReportServer DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server VSS Writer (local) Administrators Network Service Automatic
Internal Name: SQLWriter DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts

Notes:
a) Ability to stop and start the clr_optimization... service is required to allow Service Pack and Hotfix installs to complete without the need to reboot the server
b) The SQL Browser service should be set to manual if custom port numbers are used and those port numbers are not included in connection strings
c) The Integration Services service has a version-specific name:
Version External Name Internal Name
SQL 2014 SQL Server Integration Services 12.0 MsDtsServer120
SQL 2012 SQL Server Integration Services 11.0 MsDtsServer110
SQL 2008 R2 SQL Server Integration Services 10.0 MsDtsServer100
SQL 2008 SQL Server Integration Services 10.0 MsDtsServer100
SQL 2005 SQL Server Integration Services 10.0 MsDtsServer100

The following permissions are also needed if a named instance of SQL Server is installed (in this example, HR).
Service Name Read, Write, Start/Stop/Pause Read Start Mode
SQL Server (HR) (local) Administrators Network Service Automatic
Internal Name: MSSQL$HR DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts
SQL Server Agent (HR) (local) Administrators Network Service Automatic
Internal Name: SQLAgent$HR DBA Sysadmin Group DBA Non-Admin Group
SQL Service Accounts


Copyright © 2014 Edward Vassie. License and Acknowledgements
Previous Disable Windows Guest Account Top Setup Kerberos Authentication Next

Last edited Oct 23, 2014 at 10:37 AM by EdVassie, version 1