SharePoint Security – Managed Accounts

In the SharePoint 2007 farms I’ve often heard complaints about the requirement to setup “Password Never Expires” on the SharePoint service accounts which breaches many corporate security plans. That’s why I felt a great relief when SharePoint 2010 introduced  Managed Accounts. Simply put, Managed Accounts allow you to setup SharePoint service accounts and automatically change the service account passwords corresponding to the schedule that may be synchronized with Active Directory Group Policies (password expiration date etc). Let’s take a look at the Managed Accounts screen and discuss the possibilities. Go to Central Administration, then select Security Tab and in General Security section select Configure Managed Accounts:
SharePoint Managed Accounts

Example Managed Accounts configuration

On the screen above you can see the accounts I’ve created for my SharePoint test farm. Even though this is just a local SharePoint farm used only for my own purposes and training, you can see that I’ve done pretty adhered the least-security privilege. Why? It is best to have a security habit deep in your blood – and using the security rules everywhere including your test environment is just good practice.

Now let’s click on one of the Edit icons – I’ve chosen the adsp_setup account as an example.

In the Credential Management section you can see the option to change the password immediately this is useful if you want to access the services or reconfigure something and you need to know the current password (since SharePoint managed accounts will generate random passwords at a schedule you’ll set).

SharePoint Managed Accounts

Managed Accounts Credential Management section

The next section is Automatic Password Change. We can enable automatic password change here and setup the schedule directly. You can setup the schedule corresponding to the password expiry policy in Active Directory, so for example SharePoint will change the managed account password 2 days before the password will expire. You can also setup the e-mail notifications just before password of one of your managed account expires – in our example it is set to 5 days before password expiration.

SharePoint Managed Accounts

Managed Account configuration – Automatic Password Change section

In the last section of Managed Account editor you can see specific Account information – which is primarily what is used by the account we are currently setting up.

SharePoint Managed Accounts

Managed Account configuration – Account Information section


No comments yet... Be the first to leave a reply!