Although enhancements have changed Windows installations for applications to run with a unique user, I created a mssql OS user even back on SQL Server 2000 on Windows as I had a tendency to use similar security practices for all database platforms as a multi-platform DBA. With that being said- yes, it introduced complexity, but it was for a reason: users should be restricted to the least amount of privileges required. To grant any application or database “God” powers on a host is akin to granting DBA to every user in the database, but at the host level. As important as security is to DBAs INSIDE the database, it should be just as important to us OUTSIDE of it on the host it resides on.
Security is important and has become more complex with the increase of security breaches and introduction of the cloud. One of the most simple ways to do this is to ensure that all application owners on a host are granted only the privileges they require. The application user should only utilize SUDO, stick bit, iptables, SUID, SGID and proper group creation/allocation if and when required.
It’s the same reason we don’t recommend giving everyone sa rights to databases. Read on for more.