The NT AUTHORITY\SYSTEM account (also known as LocalSystem) is the most privileged built-in account in Windows: it holds every local privilege, including SeTcbPrivilege ("Act as part of the operating system"), and has unrestricted access to local resources. NT AUTHORITY\NETWORK SERVICE is a restricted service account that runs with a much smaller local privilege set; on a domain-joined machine it presents the computer account's credentials when it talks to other hosts.
Note that the Windows account a service runs under is chosen at setup or in SQL Server Configuration Manager, not in T-SQL; what T-SQL controls is the server-level login and permissions that the Windows account gets inside the instance. Keep the two apart when reading the examples below:
-- Example of login configuration in T-SQL
-- Login for the SYSTEM account (not recommended for production: every local administrator
-- can run code as SYSTEM, so this makes each of them sysadmin-equivalent on the instance):
CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;
GRANT CONTROL SERVER TO [NT AUTHORITY\SYSTEM];
-- Login for NETWORK SERVICE: grant only what the service actually needs, for example
CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GRANT VIEW SERVER STATE TO [NT AUTHORITY\NETWORK SERVICE];
On a domain-joined machine both NETWORK SERVICE and SYSTEM authenticate to remote hosts as the computer account (DOMAIN\COMPUTERNAME$); the difference between the two is local privilege, not network identity. On a workgroup machine neither has domain credentials, so remote access from either one arrives as an anonymous (null-session) connection. This matters whenever the instance reaches off the box:
- Accessing network resources (backup targets, file shares)
- Configuring linked servers
- Implementing Kerberos delegation (the SPN must be registered on the account that presents the credential, which for either built-in account is the computer account)
For SQL Server deployments, first establish which account each SQL-related service actually runs under (Get-CimInstance replaces the deprecated Get-WmiObject and also works in PowerShell 7):
# PowerShell snippet to list SQL Server service accounts
Get-CimInstance Win32_Service |
Where-Object { $_.Name -like '*SQL*' } |
Select-Object Name, StartName, State, StartMode
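The script below is an added example, not code from the original page. It extends the inventory snippet above by classifying each service's StartName into the identity the service will present to other hosts and its local privilege tier, using the rules described above. It also goes beyond the two accounts discussed on the page: NT SERVICE\ virtual accounts present the computer account like SYSTEM and NETWORK SERVICE do, LOCAL SERVICE presents anonymous, and a named domain account or gMSA presents itself. The classification is a pure function of strings so it runs against constructed data without a SQL Server installed; the host name SQLHOST, the domain CORP and the service names in the sample are made up.

```powershell
# Added example (not from the original page): classify SQL Server service accounts by the
# identity they present on the network and by their local privilege level.

function Get-ServiceIdentityProfile {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$StartName,
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$DomainName,                 # empty when the machine is in a workgroup
        [bool]$PartOfDomain = $false
    )

    # Identity the machine itself uses on the network: DOMAIN\HOST$ when domain-joined;
    # in a workgroup there is no computer credential, so remote access is anonymous.
    $computerAccount = if ($PartOfDomain) { "$DomainName\$ComputerName`$" } else { 'ANONYMOUS LOGON (workgroup)' }

    switch -Regex ($StartName) {
        '^LocalSystem$|^NT AUTHORITY\\SYSTEM$' {
            $local  = 'SYSTEM: all local privileges (SeTcb, SeDebug, ...)'
            $remote = $computerAccount; $risk = 'High'; break
        }
        '^NT AUTHORITY\\NETWORK ?SERVICE$' {
            $local  = 'Restricted service privileges'
            $remote = $computerAccount; $risk = 'Medium'; break
        }
        '^NT AUTHORITY\\LOCAL ?SERVICE$' {
            $local  = 'Restricted service privileges'
            $remote = 'ANONYMOUS LOGON'; $risk = 'Low'; break
        }
        '^NT SERVICE\\' {
            # Per-service virtual account (SQL Server 2012+ setup default): only the rights
            # granted to the service SID locally, computer account on the network.
            $local  = 'Virtual account: only rights granted to the service SID'
            $remote = $computerAccount; $risk = 'Low'; break
        }
        default {
            # Domain user, gMSA (name ends with $) or local user: presents itself on the network.
            $local  = 'Only rights granted to this account'
            $remote = $StartName; $risk = 'Low'; break
        }
    }

    [pscustomobject]@{
        Service         = $ServiceName
        StartName       = $StartName
        LocalPrivilege  = $local
        NetworkIdentity = $remote
        Risk            = $risk
    }
}

# Constructed sample in the shape Get-CimInstance Win32_Service returns; names are made up.
$sampleServices = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'NT AUTHORITY\NETWORK SERVICE' }
    [pscustomobject]@{ Name = 'SQLBrowser';     StartName = 'NT AUTHORITY\LOCAL SERVICE' }
    [pscustomobject]@{ Name = 'MSSQL$INST2';    StartName = 'NT SERVICE\MSSQL$INST2' }
    [pscustomobject]@{ Name = 'SQLAgent$INST2'; StartName = 'CORP\svc-sqlagent$' }
)
$sampleServices | ForEach-Object {
    Get-ServiceIdentityProfile -ServiceName $_.Name -StartName $_.StartName `
        -ComputerName 'SQLHOST' -DomainName 'CORP' -PartOfDomain $true
} | Format-Table -AutoSize

# Against the live machine, replace the sample with the real inventory (assumes the
# NetBIOS domain name is the first label of the DNS domain; adjust if it is not):
#   $cs = Get-CimInstance Win32_ComputerSystem
#   Get-CimInstance Win32_Service | Where-Object Name -like '*SQL*' | ForEach-Object {
#       Get-ServiceIdentityProfile -ServiceName $_.Name -StartName $_.StartName `
#           -ComputerName $cs.Name -DomainName ($cs.Domain -split '\.')[0] -PartOfDomain $cs.PartOfDomain
#   }
```

The Risk column only reflects the local privilege tier; on a domain the first, second and fourth sample services all arrive at a file server as CORP\SQLHOST$, so a share granted to that computer account is reachable from every one of them.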
Microsoft recommends using domain service accounts instead of these built-in accounts for production environments, especially when:
- Clustering is involved
- Cross-server operations are required
- Auditing requirements exist
Consider a scenario requiring file access on a network share from inside the instance:
-- For a sysadmin caller this runs as the SQL Server service account, so the file server
-- sees whatever identity that account presents on the network. For both SYSTEM and
-- NETWORK SERVICE on a domain-joined host that is the computer account
-- (DOMAIN\COMPUTERNAME$), which must therefore hold share and NTFS permissions;
-- on a workgroup host both arrive as anonymous and the access fails.
EXEC xp_cmdshell 'dir \\fileserver\share\';
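As an added example (not from the original page), the script below is what you would run on the file server to make the share scenario above work: it grants the SQL host's computer account read access at both the share level and the NTFS level, since the effective right is the more restrictive of the two, and then verifies that both entries are present. The computer account CORP\SQLHOST$, the share name SQLBackups and the path D:\Shares\SQLBackups are placeholders.

```powershell
# Added example (not from the original page). Run on the file server as an administrator.
# Grants a SQL Server host's computer account read access to a share and verifies it.
# Placeholders: CORP\SQLHOST$ (computer account of the SQL host), SQLBackups, D:\Shares\SQLBackups.
param(
    [string]$ComputerAccount = 'CORP\SQLHOST$',   # trailing $: the computer account, not a user
    [string]$ShareName       = 'SQLBackups',
    [string]$SharePath       = 'D:\Shares\SQLBackups'
)

# 1. Share-level permission (SmbShare module, Windows Server 2012 / Windows 8 and later).
Grant-SmbShareAccess -Name $ShareName -AccountName $ComputerAccount -AccessRight Read -Force | Out-Null

# 2. NTFS permission on the folder: read/execute, inherited by files and subfolders.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ComputerAccount,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Verify both layers name the computer account; the effective right is the more
#    restrictive of the two, so an entry missing at either layer means no access.
function Test-ComputerAccountShareAccess {
    param([string]$Name, [string]$Path, [string]$Account)
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $shareOk = [bool](Get-SmbShareAccess -Name $Name | Where-Object {
        $_.AccountName -eq $Account -and $_.AccessControlType -eq 'Allow' })
    $ntfsOk  = [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readMask) -ne 0) })
    [pscustomobject]@{ Account = $Account; ShareAllow = $shareOk; NtfsAllow = $ntfsOk; Effective = ($shareOk -and $ntfsOk) }
}

Test-ComputerAccountShareAccess -Name $ShareName -Path $SharePath -Account $ComputerAccount
```

Because the grant names the whole machine, every service on SQLHOST that presents the computer account (SYSTEM, NETWORK SERVICE and any virtual account) can now read the share; if that is too broad, run the SQL service under a domain account or gMSA and grant that principal instead.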
When configuring SQL Server service accounts, two built-in Windows accounts frequently appear as options:
NT AUTHORITY\SYSTEM
NT AUTHORITY\NETWORK SERVICE
The SYSTEM account is the most privileged local account in Windows, roughly equivalent to root on Unix systems. It has:
- Full access to local resources, including objects such as HKLM\SAM and HKLM\SECURITY (where LSA secrets live) that members of Administrators cannot read without first taking ownership
- More privileges than the Administrators group (for example SeTcbPrivilege)
- The computer account's credentials on the network when the machine is domain-joined (it is often assumed to have no network identity at all, which is not the case)
NETWORK SERVICE is a restricted service account that:
- Has far fewer local privileges than SYSTEM
- Authenticates to other machines as the computer account on a domain-joined host, exactly as SYSTEM does
- Appears as DOMAIN\COMPUTERNAME$ when accessing network resources
For a SQL Server 2008 R2 installation the permission difference shows up inside the instance, where it is the server-level permissions of the login, not the Windows privileges of the service account, that decide what a connection may do:
-- Example of permission differences
-- A login holding CONTROL SERVER (or sysadmin membership), like the SYSTEM login above, can run:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- sp_configure and RECONFIGURE require the ALTER SETTINGS server permission, so a
-- least-privilege login such as NETWORK SERVICE needs exactly that and nothing more:
GRANT ALTER SETTINGS TO [NT AUTHORITY\NETWORK SERVICE];
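The audit below is an added example, not code from the original page; it serves both the login-creation snippet earlier on the page and the ALTER SETTINGS example just above. It queries the instance's catalog views (sys.server_principals, sys.server_role_members, sys.server_permissions) for the rights held by the built-in Windows logins and rates them: sysadmin or CONTROL SERVER on NT AUTHORITY\SYSTEM is the worst case, because any local administrator can run code as SYSTEM and inherit it, while a scoped grant such as ALTER SETTINGS is reported as informational. The assessment is kept separate from the query so it runs on constructed rows when no instance is reachable; the instance name SQLHOST\INST2 and the sample rows are placeholders.

```powershell
# Added example (not from the original page): audit the server-level rights held by the
# built-in Windows logins on a SQL Server instance. The assessment is separated from the
# catalog query so it can run on constructed rows with no instance available.
# Instance name SQLHOST\INST2 is a placeholder; pass -Live to query a real instance.
param([string]$Instance = 'SQLHOST\INST2', [switch]$Live)

# One row per (login, server role or explicit permission) for the three built-in accounts.
$BuiltinRightsQuery = @"
SELECT p.name AS LoginName, p.is_disabled,
       r.name AS ServerRole, perm.permission_name, perm.state_desc
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm   ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals   AS r    ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_permissions  AS perm ON perm.grantee_principal_id = p.principal_id
WHERE p.type = 'U'
  AND p.name IN (N'NT AUTHORITY\SYSTEM', N'NT AUTHORITY\NETWORK SERVICE', N'NT AUTHORITY\LOCAL SERVICE')
ORDER BY p.name, r.name, perm.permission_name;
"@

function Get-BuiltinLoginRights {
    # Runs the catalog query with the caller's Windows credentials
    # (seeing every row needs VIEW ANY DEFINITION or sysadmin).
    param([string]$ServerInstance, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table.Rows
    } finally { $conn.Close() }
}

function Get-BuiltinLoginFindings {
    # Pure assessment: sysadmin or CONTROL SERVER on NT AUTHORITY\SYSTEM is the worst case,
    # because every local administrator can run code as SYSTEM and inherit it.
    param([object[]]$Rows)
    foreach ($row in $Rows) {
        # Catalog nulls come back as DBNull; treat anything that is not a string as absent.
        $role = if ($row.ServerRole -is [string]) { $row.ServerRole } else { '' }
        $perm = if ($row.permission_name -is [string]) { $row.permission_name } else { '' }
        $full = ($role -eq 'sysadmin') -or ($perm -eq 'CONTROL SERVER')
        $right = if ($role) { "role:$role" } elseif ($perm) { "$($row.state_desc) $perm" } else { '(connect only)' }
        $severity = if ($full -and $row.LoginName -eq 'NT AUTHORITY\SYSTEM') { 'High: every local admin becomes sysadmin-equivalent' }
                    elseif ($full) { 'Medium: instance-wide control from a service account' }
                    elseif ($perm -eq 'ALTER SETTINGS') { 'Info: scoped right, enough for sp_configure/RECONFIGURE' }
                    else { 'Info' }
        [pscustomobject]@{ Login = $row.LoginName; Right = $right; Severity = $severity }
    }
}

# Constructed rows in the shape the query returns (nulls as $null), used when -Live is not given.
$sampleRows = @(
    [pscustomobject]@{ LoginName = 'NT AUTHORITY\SYSTEM';          is_disabled = 0; ServerRole = 'sysadmin'; permission_name = 'CONNECT SQL';    state_desc = 'GRANT' }
    [pscustomobject]@{ LoginName = 'NT AUTHORITY\SYSTEM';          is_disabled = 0; ServerRole = 'sysadmin'; permission_name = 'CONTROL SERVER'; state_desc = 'GRANT' }
    [pscustomobject]@{ LoginName = 'NT AUTHORITY\NETWORK SERVICE'; is_disabled = 0; ServerRole = $null;      permission_name = 'ALTER SETTINGS'; state_desc = 'GRANT' }
    [pscustomobject]@{ LoginName = 'NT AUTHORITY\NETWORK SERVICE'; is_disabled = 0; ServerRole = $null;      permission_name = 'CONNECT SQL';    state_desc = 'GRANT' }
)

$rows = if ($Live) { Get-BuiltinLoginRights -ServerInstance $Instance -Sql $BuiltinRightsQuery } else { $sampleRows }
Get-BuiltinLoginFindings -Rows $rows | Format-Table -AutoSize
```

Run it with -Live against each instance in scope; a High finding means the instance is effectively owned by every member of the host's local Administrators group, regardless of which Windows account the service itself runs under.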
Microsoft's service-account guidance (the "Configure Windows Service Accounts and Permissions" documentation) comes down to:
- Run each service under the lowest-privilege identity available: a per-service virtual account (NT SERVICE\MSSQLSERVER, the setup default since SQL Server 2012 on supported Windows versions) or a managed service account (MSA/gMSA)
- Of the two built-in accounts, use NETWORK SERVICE rather than SYSTEM when one of them must be used
- Avoid SYSTEM, which gives the instance far more local rights than it needs and, since any local administrator can run code as SYSTEM, hands instance control to every local admin
- For production environments, especially domain scenarios, use a domain account or gMSA so that network grants name the service rather than the whole machine
The difference becomes clear when accessing the registry (C# 9 top-level statements; run once as SYSTEM, for example via psexec -s, and once as NETWORK SERVICE):
using System;
using System.Security;
using Microsoft.Win32;
// HKLM\SAM and HKLM\SECURITY grant KEY_READ only to SYSTEM; even an administrator is refused.
foreach (var name in new[] { "SAM", "SECURITY" })
{
    try
    {
        using (var key = Registry.LocalMachine.OpenSubKey(name))   // SYSTEM: succeeds
            Console.WriteLine($"{name}: {(key == null ? "missing" : "opened")}");
    }
    catch (SecurityException)                                        // NETWORK SERVICE: denied
    {
        Console.WriteLine($"{name}: access denied");
    }
}
When SQL Server needs to:
- Access network resources: on a domain-joined host either account works, since both present the computer account; grant the resource to DOMAIN\COMPUTERNAME$, or better, run the service under a domain account or gMSA so the grant names the service and not every process on the machine
- Perform high-privilege local operations: SYSTEM, but only if the instance genuinely needs those rights, which a database engine normally does not
- Run under least privilege: NETWORK SERVICE of the two built-in accounts, or a virtual account or gMSA where the SQL Server version supports them