I concur with John. The reason it's a security best practice is that if someone can somehow get the SQL Server instance to run an arbitrary SQL statement - typically through SQL injection attacks on poorly written web pages - then it is possible for a person at that point, via SQL to execute commands in the OS because SQL includes the ability to run commands in the shell; i.e., directly in the OS. Now, with SQL running as the local System, the "attacker" can now do anything they want on that system including potentially harvesting passwords from the local SAM or other services that do run a domain account - they essential 0wn the system now.
The reason this is not applicable to ConfigMgr - at least not out of the box - is that there is no way to inject arbitrary SQL - there simply is no public or user accessible UI to facilitate a SQL injection attack. That doesn't mean you can't create one by standing up a web service of adding some other type of UI, but out of the box, there's nothing. The console doesn't count because that's a privileged means of access; even so, it doesn't allow arbitrary SQL anywhere. Neither does SSRS or the client UI. J From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John Sent: Friday, December 6, 2013 10:56 AM To: '[email protected]' Subject: RE: [mssms] Best practice question : SQL Logon account for SCCM, why use Domain Account over localsystem? That's not a SCCM best practice, it's a SQL best practice. It's for security. Personally I never do it. ________________________________ John Marcum Sr. Desktop Architect Bradley Arant Boult Cummings LLP ________________________________ From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Stephen Owen Sent: Friday, December 06, 2013 10:47 AM To: [email protected]<mailto:[email protected]> Subject: [mssms] Best practice question : SQL Logon account for SCCM, why use Domain Account over localsystem? Hi all, Had a client ask a question I couldn't think of an answer to. I've heard that the best practice is to setup your SQL servers for SCCM with a domain account, particularly the logon service. Well, why is this a best practice? Whats good about it? I've not been able to find a consistent answer to this question, so maybe its a good one. Thanks ________________________________ Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer. ________________________________ Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.
