Primary Site with remote SQL Server

  • Question

  • I built a Primary Site with a remote SQL Server.  All went well.  Here is my question.  On this type of installation, the machine account from the Primary Site gets added to the local Administrators group on the remote SQL server.  We have security policies that are very strict around what gets placed in the local administrators group.  I can work around this policy if I can justify that there is no other possible option.  I was wondering if there are any other options besides the requirement of the Primary Site machine account being added to local admins on the SQL server?  Is there any option to have a more granular security setup so that local admin would not be required?  Also, is there an option to use a user account in the local admins group of the SQL Server instead of the machine account from the Primary Site?  For example, if I were to change the Site System Installation Account from the default of computer account to another account, does that apply to the Site Database Server role?

    Wednesday, August 8, 2012 1:48 PM

Answers

  • No, there are no other supported options.

    Why would you want to use a user account? That would decrease your security posture. Computer Accounts are very secure for a handful of reasons:

    - No direct way to login with them interactively

    - Change passwords every 30 days (by default)

    - Passwords are 120+ characters long


    Jason | http://blog.configmgrftw.com

    Wednesday, August 8, 2012 6:09 PM
  • Same answer, only thing supported is sysadmin.


    Jason | http://blog.configmgrftw.com

    Wednesday, August 8, 2012 8:02 PM

All replies

  • Thanks.  I don't really want to use a user account but was just checking because it is an internal thing here where there is a process to get a user account approved as a local admin but getting a computer account is more of a kludge even though it is more secure.  Just internal politics and no technical reason.  But I will stick with the computer account. One more question, does that computer account require SA privilege on SQL Server or can it be reduced to something less like DBO on the SCCM database.  SQL team gives us a hard time allowing SA.
    Wednesday, August 8, 2012 7:44 PM
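The thread settles on two grants for the primary site server's computer account on a remote site database server: membership in the SQL server's local Administrators group and the sysadmin server role. The script below is an added example, not code from the thread or from Microsoft; it audits both grants on the SQL server so the result can be documented for the local-admin policy exception the original poster describes, and it lists any non-computer accounts in local Administrators for review. The account name CONTOSO\PRIMARY01$, the instance name SQL01\CM and the parameter names are assumptions; it requires the SqlServer PowerShell module for Invoke-Sqlcmd and is run on the SQL server itself with Windows authentication.

```powershell
# Added example (not from the thread): audit the two grants the thread says the
# primary site server's computer account needs on a remote site database server.
# Run on the SQL server with an account that can read local group membership and
# connect to the instance. Requires the SqlServer module (Invoke-Sqlcmd).
param(
    [string]$SiteServerAccount = 'CONTOSO\PRIMARY01$',   # assumed site server computer account
    [string]$SqlInstance       = 'SQL01\CM'              # assumed site database instance
)

# 1. Local Administrators membership on the SQL server.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
$isLocalAdmin = $localAdmins -contains $SiteServerAccount

# 2. sysadmin fixed server role membership. IS_SRVROLEMEMBER returns 1 (member),
#    0 (not a member) or NULL when no login exists for that name.
$query = @"
SELECT IS_SRVROLEMEMBER('sysadmin', N'$SiteServerAccount') AS IsSysadmin;
"@
$roleResult = (Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query).IsSysadmin
$loginExists = $null -ne $roleResult -and $roleResult -isnot [System.DBNull]
$isSysadmin  = $loginExists -and ([int]$roleResult -eq 1)

# 3. Report the state of both grants for the policy record.
[pscustomobject]@{
    Account     = $SiteServerAccount
    LocalAdmin  = $isLocalAdmin
    SqlLogin    = $loginExists
    SqlSysadmin = $isSysadmin
}

if (-not $isLocalAdmin) { Write-Warning "$SiteServerAccount is not in local Administrators." }
if (-not $isSysadmin)   { Write-Warning "$SiteServerAccount is not a member of sysadmin." }

# 4. Under a strict local-admin policy, anything that is not a computer account
#    (name ending in '$') deserves a second look; computer accounts are the
#    pattern the thread recommends.
$localAdmins |
    Where-Object { $_ -notlike '*$' } |
    ForEach-Object { Write-Warning "Non-computer account in local Administrators: $_" }
```

The output object is what you would attach to the exception request: it shows that the grant is held by a computer account (no interactive logon, automatically rotated password) rather than a user, and the warnings surface any user accounts that have accumulated in the group alongside it.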