The installation documentation says best practice is to create a minimum-privilege account for the SQL Engine service to run as.
What is the recommended practice on Windows to create such an account... what groups should the account be a member of (and not a member of)? What other account privileges should be dropped?
Create a new account with no special rights. Use either the SQL Server installer to assign the account to a new instance, or use the SQL Server Configuration Manager to change the account that the service uses. The config manager will set the rights for the account correctly by itself.
I don't know if this is best practices or not, but I just created a new group called SQL Servers, made sure that my SQL accounts only belonged to that group (not even Domain Users), and then just never gave that group any rights or permissions anywhere except to network shares that the SQL accounts need to access (log shipping, backups, etc). Seems to have been quite successful to date, I haven't had any issues with it.
There is a Microsoft SQL article listing all necessary privileges.
http://msdn.microsoft.com/en-us/library/ms143504.aspx
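One way to check the group-membership point discussed in the answers above on a given server, as an added example that is not part of the original posts. It assumes the engine services use the default names MSSQLSERVER or MSSQL$<instance> and that the LocalAccounts cmdlets are available (Windows PowerShell 5.1 or later).

```powershell
# Added example: report which account each SQL Server engine service runs as
# and which local groups list that account as a direct member.
# Assumption: default service names MSSQLSERVER / MSSQL$<instance>.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }

foreach ($svc in $services) {
    # StartName is the logon account, e.g. ".\sqlsvc", "DOMAIN\sqlsvc", "LocalSystem".
    # Rewrite the ".\" prefix so it matches the COMPUTER\name form used below.
    $account = $svc.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"

    # Collect local groups in which the account is a direct member.
    # Nested membership through domain groups is not resolved here.
    $memberOf = @(foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -contains $account) { $group }
    })

    [pscustomobject]@{
        Service       = $svc.Name
        Account       = $account
        LocalGroups   = ($memberOf.Name -join ', ')
        IsLocalSystem = ($account -eq 'LocalSystem')
        IsLocalAdmin  = ($memberOf.SID.Value -contains $adminSid)
    }
}
```

For an account set up as the answers describe, IsLocalSystem and IsLocalAdmin should both be False.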