Computer Name as an authentication

    Question

  • Hi all,

    Just want to know what the security concerns are with using a computer name as a SQL Server Login?

    e.g. DomainName/ComputerName$ 

    Developer wants to use it for their IIS service. I am not an expert with IIS so please share your experience.

    Thanks 


    Dinkar Chalotra

    Friday, March 01, 2013 7:35 AM

All replies

  • That's called the "computer account", and it's a perfectly usable domain account.  When you create a login for that account you allow any service running on that server to access your SQL instance.  Which, IMO, is both simpler and more secure than provisioning a separate domain account or SQL Login and allowing anyone who knows its password to access your SQL instance.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, March 01, 2013 7:47 AM
  • Also, if you are using SQL Server 2012 on Windows Server 2008 R2, consider the new Managed Service Accounts and Virtual Accounts. See http://msdn.microsoft.com/en-us/library/ms143504.aspx

    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

    Friday, March 01, 2013 5:48 PM
  • +1 The Virtual Accounts are the new default for StandAlone instances and they also will authenticate as the Machine Account on the network.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, March 01, 2013 5:54 PM
  • Rick,

    According to the documentation, MSAs cannot be used with SQL Server (under the Supported Technologies section heading): http://technet.microsoft.com/en-us/library/ff641729(WS.10).aspx

    Is this documentation up to date and this is true, or is there a way to use an MSA with SQL Server?

    -Sean


    Sean Gallardy | Blog | Twitter

    Friday, March 01, 2013 7:35 PM
  • Support for MSAs is new in SQL Server 2012.

    Service Properties and Configuration

    Startup accounts used to start and run SQL Server can be domain user accounts, local user accounts, managed service accounts, virtual accounts, or built-in system accounts. To start and run, each service in SQL Server must have a startup account configured during installation.

    http://msdn.microsoft.com/en-us/library/ms143504(v=SQL.110).aspx

    David


    David http://blogs.msdn.com/b/dbrowne/

    Friday, March 01, 2013 7:39 PM
  • Yes. That topic is a bit old. I suspect it refers to SQL Server 2008 and 2008 R2. Support was added in SQL Server 2012.

    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

    Friday, March 01, 2013 9:35 PM
  • Thanks everyone,

    But my main concern is that if there is another application running under IIS on the same computer, will it have the permissions in SQL Server as well?

    Another one: if any unauthorised person/virus/malware gets access to the computer, can it breach into the SQL Server?

    Thanks


    Dinkar Chalotra

    Saturday, March 02, 2013 9:23 AM
  • That is the correct concern.  If there are a number of different applications running on the server and you need to differentiate between them, then logging in using the computer account is not the right choice.  If, however, the server is dedicated to running a particular application then using the computer account is fine.

    If an unauthorized person/virus/malware gets access to the server then it doesn't matter which account you use.  For that you provision the account (whether the machine account or a domain account) as an ordinary user in SQL Server with the least privileges necessary to run the application.

    David


    David http://blogs.msdn.com/b/dbrowne/

    Saturday, March 02, 2013 4:43 PM
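
An added example, not part of the original thread and not any poster's code: one way to provision the machine account as an ordinary least-privilege user, as the answer above describes, and then check that it holds nothing more. `CONTOSO\WEB01$`, `AppDb`, the `app` schema and the `app_runtime` role are constructed names; the schema is assumed to exist already.

```sql
-- Constructed names (assumptions): domain CONTOSO, IIS host WEB01,
-- database AppDb, schema app, role app_runtime. Replace with your own.
USE master;
GO
-- The machine account is a Windows principal, so SQL Server stores no password for it.
CREATE LOGIN [CONTOSO\WEB01$] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

USE AppDb;
GO
-- Map the login into the one database the application needs, and nowhere else.
CREATE USER [CONTOSO\WEB01$] FOR LOGIN [CONTOSO\WEB01$];
CREATE ROLE app_runtime;
-- Grant only what the application actually calls; no db_owner, no server roles.
GRANT EXECUTE ON SCHEMA::app TO app_runtime;
GRANT SELECT  ON SCHEMA::app TO app_runtime;
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; older versions use sp_addrolemember.
ALTER ROLE app_runtime ADD MEMBER [CONTOSO\WEB01$];
GO

-- Check 1: fixed server roles held by the login. Expect zero rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'CONTOSO\WEB01$';

-- Check 2: server-level permissions other than the right to connect. Expect zero rows.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS l ON l.principal_id = p.grantee_principal_id
WHERE l.name = N'CONTOSO\WEB01$'
  AND p.permission_name <> N'CONNECT SQL';

-- Check 3: database roles held in AppDb. Expect only app_runtime.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\WEB01$';
```

Because every service on that host that authenticates as the machine account inherits these grants, the three checks are worth re-running whenever another application is deployed to the same server.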
  • Thanks Everyone

    Dinkar Chalotra

    Monday, March 04, 2013 11:15 AM