What user account would you recommend running the SQL Server Express 2008 services in a development environment?

Problem description

The SQL Server Express 2008 setup allows you to assign a different user account for each service.

For a development environment, would you use a domain user, local user, NT Authority\NETWORK SERVICE, NT Authority\Local System or some other account, and why?

Recommended answer

Local System is not recommended; it is an administrator-equivalent account and thus can lead to questionable coding that takes advantage of administrator privileges which would not be allowed in a production system, since security-conscious admins/DBAs really don't like to run services as admin.

Whether or not the server instance will need to access other domain resources should determine which type of low-privilege account it should run under.

If it does not need to access any (non-anonymous) domain resources then I normally create a unique local, low-privilege account for it to run under in order to gain the additional security benefit of not having multiple services running in the same identity context. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services.

If it does need to access non-anonymous domain resources then you have three options:

  1. Run as Network Service, which is also a low-privilege account but one that retains the computer's network credentials.
  2. Run under a Local Service Account.
  3. Run under a custom domain account with low local privileges. One advantage to running under the developer's account is that it is easier to attach debuggers to processes in your own identity without compromising security, so debugging is easier (since non-admin accounts do not have the privilege to attach a debugger to another identity's process by default). A disadvantage to using another domain account is the overhead of managing those accounts, especially since each service for each developer should ideally have unique credentials so you do not have any leaks if a developer were to leave.

Most of what I tend to do does not require the service to access domain resources, so I tend to use unique local low-privilege accounts that I manage. I also run exclusively as a non-admin user (and have done so under XP SP2, Server 2003, Vista and Server 2008 with no major problems), so when I have cases where I need the service to access domain resources then I have no worries about using my own domain credentials (plus that way I don't have to worry the network admins about creating/maintaining a bunch of non-production domain identities).
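
One way to check a development machine against the advice in this answer, as an added example that is not part of the original post: a PowerShell function that classifies the account each SQL Server service runs under and flags identities shared between services. The function name, the `svc-sqldev` account and the sample rows are constructed for illustration.

```powershell
# Added example: audit the identities SQL Server services run under.
# Input objects need Name and StartName, the same shape Win32_Service returns.
function Get-SqlServiceAccountFinding {
    param([Parameter(Mandatory)] [object[]] $Service)

    # Count how many services use each identity (hashtable keys are case-insensitive).
    $uses = @{}
    foreach ($svc in $Service) { $uses[$svc.StartName] += 1 }

    foreach ($svc in $Service) {
        $account = $svc.StartName
        $finding = switch -Regex ($account) {
            '^(LocalSystem|NT AUTHORITY\\(LOCAL )?SYSTEM)$' {
                'Administrator-equivalent account: not recommended'; break }
            '^NT AUTHORITY\\LOCAL ?SERVICE$' {
                'Local Service: not supported for SQL Server or SQL Server Agent'; break }
            '^NT AUTHORITY\\NETWORK ?SERVICE$' {
                'Network Service: low privilege, retains the machine network credentials'; break }
            default {
                # Custom local or domain account: check that it is unique to this service.
                if ($uses[$account] -gt 1) { 'Custom account shared by several services' }
                else { 'Unique custom account' }
            }
        }
        [pscustomobject]@{ Service = $svc.Name; Account = $account; Finding = $finding }
    }
}

# Constructed sample rows (not taken from a real machine).
$sample = @(
    [pscustomobject]@{ Name = 'MSSQL$SQLEXPRESS';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SQLAgent$SQLEXPRESS'; StartName = '.\svc-sqldev' }
    [pscustomobject]@{ Name = 'SQLBrowser';          StartName = '.\svc-sqldev' }
)
Get-SqlServiceAccountFinding -Service $sample | Format-Table -AutoSize

# On a real machine, pass the live services instead:
# Get-SqlServiceAccountFinding -Service (Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%'")
```

With the sample rows, the first service is reported as running under an administrator-equivalent account and the other two as sharing one custom account.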
