As the SQL Server administrator for a server running inside a Windows Domain, I followed some rules:
- SQL service runs under a Domain User account (least privilege)
- "sa" has been disabled
The question is basically about "my" account as an administrator. To expand on this, I have two AD accounts, 1 to login to my workstation (call it ADU1), and 1 to login to the server itself (ADU2). Note that this somewhat following the MS best practices for their recommended security model.
The question is, do I use my Domain User (ADU1) which has the "sysadmin" role, or (ADU2) or basically a different AD account other than my regular domain account?
Hope this makes sense. Looking for some guidance… thanks!
Best Answer
What's the worst case scenario if e.g. malicious software, running as you, gets concomitant access to the database in question?
The answer to that should probably dictate what you need to do. Note that if you want to use another domain user for administration, you can run SSMS as another user by shift-right-clicking the shortcut (as opposed to a normal right-click). There's also a Windows 10 system setting, "show 'run as different user' in start" (under developer settings).