NT Authority Accounts question 2

Status
Not open for further replies.

Catadmin

Programmer
Oct 26, 2001
3,097
US
Okay,

Someone asked (on another forum) if they could get rid of the NT Authority\System and NT Authority\Network Service accounts. My reaction was "No, you shouldn't because they're default SQL Server accounts". Then I got to thinking.

Microsoft recommends removing the Builtin\Administrators account in certain security situations. So why couldn't someone remove the NT accounts? What are they used for? Why are they there?

So I googled "SQL Server 2005 NT Authority logins" and came up with NOTHING but "My connections won't work and here's the error"... Nothing useful it seems. Now I'm asking here. Does anyone know the answers to my above questions? Clarification (or a better googling string) would be greatly appreciated.

Thanks in advance.


Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
 
Cat,
This is what I got out of my study book for MCTS, SQL 2005 Implementation and Maintenance.
The Network Service Account is a special built-in system account that is similar to authenticated user accounts. This account has the same level of access to the system resources and objects as members of the Users group. Services that run under this account will use the credentials of the computer account to access network resources. It is not recommended that you use this account for either the SQL Server service or the SQL Server Agent service account.

I also found this.
Domain user account
• Additional permissions are automatically granted for this account when Windows SharePoint Services 3.0 is installed and when additional computers are added to the farm, including additional permissions on front-end Web servers and application servers.
• This account is automatically added to the following SQL Server security roles:
  • Logins
  • Dbcreator
  • Securityadmin
  • Database owner (db_owner) for all databases

I think as long as you are not using any .NET apps or SharePoint and you are not using them for any services, then it would be OK to delete them. I guess it all depends on your authentication mode.

- Paul
- Database performance looks fine, it must be the Network!
 
Paul,

What study book are you using? I'm always on the lookout for new info on SQL Server 2005 and there seems to be a dearth of it right now.



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
 
I'm using the SQL Server 2005 Implementation and Maintenance self-paced training kit, MCTS Exam 70-431. It's one of those blue Microsoft books that comes with practice tests. It's actually a really good study and reference book.

- Paul
- Database performance looks fine, it must be the Network!
 
You can't really remove the NT AUTHORITY accounts from the machine. By default they should not be granted access to the SQL Server unless you need them for a specific reason (full text indexing comes to mind).

As many services can run under these accounts (especially in Windows Vista), they should not be granted access to the SQL Server unless absolutely needed, as that would give many services access to the SQL Server.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
Denny,
Would you say, then, that if you are not using them they should be deleted from the SQL instance?


- Paul
- Database performance looks fine, it must be the Network!
 
Yes. The question is how did they get there? Someone would have to have put them there on purpose, as they aren't listed by default when you install SQL Server.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
Let me clarify, I'd remove them from SQL not from the server's OS.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
So, they aren't default in a SQL Server install? I thought they were because I was also seeing them on all my servers.

That's odd. I'm going to have to research this and find out why they were added then.

Thanks to both of you. I appreciate the information.



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
 
If you have removed BUILTIN\Administrators (which I think you probably have) and you are using full text search, you need to have the LOCAL SYSTEM account in there as that's how full text logs into the server.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
Aha! So at least one of them is used for a SQL purpose, then. What about the Network Service one? Is that used for any purpose in SQL?



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
 
Not that I'm aware of. However, check the server and see what services are running under that account. Something may be running under the NETWORK SERVICE account which requires database access via NTLM.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
Danke, Danke, Danke.

You have been much helpful. @=)



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
 
no problem.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
I just verified that the Network Service account is the default account used during setup if you choose to install SQL Server 2005 with the Built In account.

So, for anyone else who reads this thread, be careful if you delete it. It may be used to run your various 2k5 services and if you delete it, stuff will stop running.



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
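
A read-only T-SQL audit of what the posts above suggest checking before removing these logins from the instance (an added example, not part of the thread; it assumes the SQL Server 2005 or later catalog views and VIEW SERVER STATE permission for the session query):

```sql
-- Added example: inventory NT AUTHORITY / BUILTIN logins inside SQL Server.
-- Every statement is a SELECT; nothing is created, altered or dropped.

-- 1. Which of these Windows logins exist in the instance, and are they enabled?
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')            -- U = Windows login, G = Windows group
  AND (sp.name LIKE N'NT AUTHORITY\%' OR sp.name LIKE N'BUILTIN\%');

-- 2. Fixed server roles they belong to (sysadmin here means every service
--    running under that Windows account is an instance administrator).
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name LIKE N'NT AUTHORITY\%' OR m.name LIKE N'BUILTIN\%';

-- 3. Server-level permissions granted or denied to them directly.
SELECT sp.name AS login_name, p.state_desc, p.permission_name, p.class_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name LIKE N'NT AUTHORITY\%' OR sp.name LIKE N'BUILTIN\%';

-- 4. Who is connected under these logins right now. A non-empty result
--    means some service depends on the login and will break if it is dropped.
SELECT s.login_name, s.host_name, s.program_name, COUNT(*) AS session_count
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name LIKE N'NT AUTHORITY\%'
GROUP BY s.login_name, s.host_name, s.program_name;

-- 5. Databases owned by these logins; a login that owns a database
--    cannot be dropped until ownership is reassigned.
SELECT d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE SUSER_SNAME(d.owner_sid) LIKE N'NT AUTHORITY\%'
   OR SUSER_SNAME(d.owner_sid) LIKE N'BUILTIN\%';
```

Query 4 only shows sessions open at the moment it runs, so repeat it over a period of normal activity (or review login auditing) before concluding a login is unused.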
 