Least Security Privilege Strategy for SharePoint

The easiest way to install SharePoint is to use one account which  will be the domain admin, SQL admin and all other security levels admin. However the easiest method is very often not the best from a security standpoint. From a security perspective it is best to use as little permissions as possible even if it means much more admin work during deployment.

The perfect setup of a SharePoint farm should involve using as many accounts as possible. Let me show you my typical account plan for a small-sized SharePoint 2010 Enterprise farm. Keep a note that this list isn’t the same as the one proposed by Microsoft, I have modified it using my own experiences and thoughts and I think you all should do the same and so take the example lists only as a reference.

Account name Description Permissions
sps_FarmAdmin Account used for setup and running all main services, like Timer Service. It is also used during the setup phase, where the SharePoint Configuration wizard needs to setup config databases and Central Administration content database. Local admin on SharePoint Server, dbcreator and securityadmin roles on SQL instance
sps_SearchService Account used for running the Search Service only. No special permissions
sps_ContentSearch Account used for crawling content for search. This account must have access to SharePoint sites that will be crawled, and all external resources that you want to include in search results. Read-permissions to all search sources you need
sps_OWAServices Account for Office Web Apps Services (Excel, Word, PowerPoint). No special permissions
sps_Services Account used for generic SharePoint services that doesn’t require special permissions. No special permissions
sps_ApplicationPool Account for the  IIS Application Pool. It is very important to use more than one application pool account if you plan to have more than one web application. You should use names for the accounts like sps_App_sitename1, sps_App_sitename2 etc. No special permissions

Remember the main purpose  of the Least Security Privilege is to  give the user or service account the minimum required permission level they need to perform the assigned tasks. As long as you plan this correctly you can consider yourself relatively secure.




Array

Trackbacks/Pingbacks

  1. SharePoint Security – Managed Accounts | SharePoint Monitor - January 17, 2011

    […] farm used only for my own purposes and training, you can see that I’ve done pretty adhered the least-security privilege. Why? It is best to have a security habit deep in your blood – and using the security rules […]