Chapter 1 Securing Your Server and Network (4): Use the virtual service account
Source: Workshop
Without the author's consent, no one may publish this as "original" work or use it for commercial purposes. I am not responsible for any legal liability.
Previous Article: http://blog.csdn.net/dba_huangzj/article/details/38017703
Preface:
Like the managed account, the virtual service account is a new feature introduced in Windows Server 2008 R2. It is a local account that requires no password management, and it accesses the network using the computer's identity, just as the NetworkService account does. NetworkService, however, is a built-in account shared across services, so a virtual service account is easier to manage (see http://blog.csdn.net/dba_huangzj/article/details/37924127 for details).
Virtual accounts let you configure security for each service separately, but they cannot be created or deleted manually. A virtual account is created when the service is installed on Windows Server 2008 R2, and it has the same name as the service. For example, in NT SERVICE\MSSQL$SQL2012, SQL2012 is the instance name. Like a normal account, a virtual account can be granted permissions in local ACLs and can be a member of local groups.
Implementation:
To run SQL Server under a virtual account, follow these steps:
1. Open SQL Server Configuration Manager and open the Properties page of the SQL Server service.
2. On the Log On tab, enter NT Service\MSSQL$<instance name> or NT Service\MSSQLSERVER (default instance), and leave the password blank.
3. Click Apply and restart the service.
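To check the result after the restart, the following PowerShell script classifies the logon account of each SQL Server engine service. It is an added example, not part of the original article; the function name Get-ServiceAccountKind, the sample rows and the D:\SQLBackup path are assumptions made for illustration.

```powershell
# Added example: classify the logon account of SQL Server engine services.
# Read-only apart from the commented icacls line at the end.

function Get-ServiceAccountKind {
    param([string]$ServiceName, [string]$StartName)
    # A virtual account is always named "NT SERVICE\<service name>".
    if ($StartName -ieq "NT SERVICE\$ServiceName") { return 'Virtual account' }
    switch -Regex ($StartName) {
        '^NT AUTHORITY\\(Network ?Service|Local ?Service)$' { return 'Built-in account shared across services' }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'              { return 'Built-in account, high privilege' }
        '\$$'                                               { return 'Likely managed service account (name ends with $)' }
        default                                             { return 'User account with a manually managed password' }
    }
}

# Constructed sample rows, so the classifier can be tried without SQL Server installed.
$samples = @(
    [pscustomobject]@{ Name = 'MSSQL$SQL2012'; StartName = 'NT Service\MSSQL$SQL2012' }
    [pscustomobject]@{ Name = 'MSSQLSERVER';   StartName = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'MSSQL$DEV';     StartName = 'CONTOSO\svc_sql' }
    [pscustomobject]@{ Name = 'MSSQL$PROD';    StartName = 'CONTOSO\msa_sql$' }
)
$samples | ForEach-Object {
    '{0,-15} {1,-30} {2}' -f $_.Name, $_.StartName, (Get-ServiceAccountKind $_.Name $_.StartName)
}

# Live check on the local machine: default instance plus all named instances.
$filter = 'Name = ''MSSQLSERVER'' OR Name LIKE ''MSSQL$%'''
Get-CimInstance -ClassName Win32_Service -Filter $filter |
    Select-Object Name, StartName, State,
        @{ Name = 'AccountKind'; Expression = { Get-ServiceAccountKind $_.Name $_.StartName } } |
    Format-Table -AutoSize

# Because a virtual account can appear in local ACLs like a normal account,
# a folder can be opened to one instance only. The path is hypothetical:
# icacls 'D:\SQLBackup' /grant 'NT SERVICE\MSSQL$SQL2012:(OI)(CI)M'
```

Use single-quoted strings for the account name, as above, so PowerShell does not treat the `$` in the instance name as the start of a variable.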
Principle:
Virtual accounts can be thought of as local managed accounts. They need no administration (which is why they are called managed), cannot be created manually, and do not require a password. Note, however, that a virtual account cannot be used in a SQL Server cluster, because it does not have the same SID on each node. For a cluster, use a domain managed account instead.
In addition, virtual accounts access network resources as the computer account. Therefore, if your service needs network access, these managed accounts should be your first choice.