
I have a service which runs as LocalSystem and should get access to a SQL Server. But I'm not sure which authentication method would be the best.

For normal user access Microsoft recommends Windows authentication. Since the service runs with extended privileges, would it be more secure to switch to SQL authentication?

On the other hand, for SQL authentication, I would have to save the SQL credentials at the service and I also could not use Kerberos.

Or are there not even any downsides of running as LocalSystem?

Source Microsoft

ean
  • Why not run your service under a Windows user account such as MYDOMAIN\MyServiceAccount and then have that user set up with appropriate permissions in SQL Server? This way you can use Windows Authentication in the connection string and you don't need to store SQL credentials. – Jon Sep 09 '19 at 18:00
  • If I am correct, according to Microsoft, there is no problem using LocalSystem for Windows authentication? "When a service connects with the computer identity, signing and encryption are supported to provide data protection. When a service connects with a NULL session, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors." [Source Microsoft](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj852275(v=ws.10)#vulnerability) – ean Sep 10 '19 at 08:30
  • Because the service should be independent of any user context, and also the NetworkService account has insufficient privileges. I sadly can't change anything in this aspect. – ean Sep 10 '19 at 08:36
  • Then you have no choice but to use SQL Authentication and use a config file with the connection string. – Jon Sep 10 '19 at 14:32
  • Would it be safer with SQL Authentication? As far as I know both methods should work ([Source localsystem+winAuth](https://blogs.msdn.microsoft.com/dataaccesstechnologies/2010/01/29/testing-connection-to-sql-server-from-a-service-running-under-local-system-account/)) – ean Sep 10 '19 at 19:45
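
The Windows-authentication option discussed above, as an added T-SQL example that is not part of the original thread: on a domain-joined host, a service running as LocalSystem authenticates to a remote SQL Server as the computer account, so the login is created for that account and given only the rights the service needs. The domain `CONTOSO`, host `APPSRV01`, database `AppDb`, schema `app`, and the user and role names are hypothetical placeholders, and the SQL Server is assumed to run on a different machine than the service.

```sql
-- Added example; all object names below are hypothetical placeholders.
-- Client side (for reference): the service's connection string carries no secret, e.g.
--   Server=sqlhost.contoso.example;Database=AppDb;Integrated Security=SSPI;Encrypt=True

-- 1. Create a login for the computer account of the host running the service.
--    Every process running as LocalSystem or NetworkService on APPSRV01 shares
--    this identity, so treat the login as "anything privileged on that host".
USE [master];
CREATE LOGIN [CONTOSO\APPSRV01$] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];
GO

-- 2. Map it to a database user and grant rights through a role,
--    scoped to one schema instead of db_owner or sysadmin.
USE [AppDb];
CREATE USER [svc_app_host] FOR LOGIN [CONTOSO\APPSRV01$];
CREATE ROLE [app_service_role];
GRANT SELECT, INSERT, UPDATE ON SCHEMA::[app] TO [app_service_role];
ALTER ROLE [app_service_role] ADD MEMBER [svc_app_host];
GO

-- 3. Verify how the service actually authenticated once it is connected.
--    Run as an administrator (needs VIEW SERVER STATE).
--    auth_scheme is KERBEROS, NTLM or SQL; encrypt_option shows whether
--    the connection is encrypted in transit.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       c.encrypt_option,
       c.net_transport
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.login_name = N'CONTOSO\APPSRV01$';
```

If `auth_scheme` shows `NTLM` where Kerberos was expected, the usual place to look is the SPN registration for the SQL Server service account.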
