This article describes guidelines for creating the service accounts needed to run a SharePoint 2013 farm under least-privilege administration.
The goal is a dedicated set of credentials per farm, which gives a useful level of isolation: in most cases the failure of one service account (password expiry, lockout, compromise) makes a single service unavailable rather than bringing the whole farm down, and at worst it takes down one farm but never another.
It is also worth splitting farms according to their SLA level, since maintenance windows, support actions and release management may need to be handled differently depending on criticality.
The sections below give, for each service account, the minimum rights it requires.
Setup user administrator account
Naming convention | SP15_SET
Comment | This account is used to set up each server in your farm by running the SharePoint Configuration Wizard, the initial Farm Creation Wizard, and Windows PowerShell. For the examples in this article, the setup user administrator account is also used for farm administration.
NT rights | Domain account; local administrator on all SharePoint servers
DB rights | securityadmin and dbcreator SQL Server server roles; db_owner on any database it must change through Windows PowerShell cmdlets
Note:
After you run the configuration wizards, machine-level permissions for the setup user administrator account include:
•Membership in the WSS_ADMIN_WPG Windows security group.
•Membership in the IIS_WPG role.
After you run the configuration wizards, database permissions include:
•db_owner on the SharePoint server farm configuration database.
•db_owner on the SharePoint Central Administration content database.
SharePoint farm service account
Naming convention | SP15_FARM
Comment | The server farm account, also referred to as the database access account, is used as the application pool identity for Central Administration and as the process account for the SharePoint Foundation 2013 Timer service.
NT rights | Domain account
DB rights | securityadmin and dbcreator SQL Server server roles; member of the db_owner role for all SharePoint databases in the server farm
Note:
Additional permissions are automatically granted to the server farm account on web servers and application servers that are joined to a server farm.
After you run the configuration wizards, machine-level permissions include:
•Membership in the WSS_ADMIN_WPG Windows security group.
•Membership in WSS_RESTRICTED_WPG.
•Membership in WSS_WPG.
After you run the configuration wizards, database permissions include:
•Dbcreator fixed server role.
•Securityadmin fixed server role.
•db_owner for all SharePoint databases.
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint server farm configuration database.
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint_Admin content database.
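The setup account and the farm account above both need exactly two SQL Server server roles before the wizards run, and nothing more. The script below is an added example, not code from the original article: it creates the two logins, grants dbcreator and securityadmin, then reads the role membership back and warns if either account is missing a role or holds sysadmin. It assumes a SQL Server instance named SQL01 and the CONTOSO domain (both placeholders) and must be run by a DBA login that can create logins, not by either SharePoint account.

```powershell
# Added example, not code from the original article. Assumes a SQL Server
# instance named SQL01 and the CONTOSO domain; account names follow the
# article's naming convention.
$sqlInstance = "SQL01"
$accounts    = @("CONTOSO\SP15_SET", "CONTOSO\SP15_FARM")

# Server roles both accounts need before the configuration wizards run.
# sysadmin is deliberately absent: the wizards only create databases and
# logins, which dbcreator and securityadmin already allow.
$requiredRoles = @("dbcreator", "securityadmin")

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$sqlInstance;Integrated Security=SSPI;"
$conn.Open()

function Invoke-NonQuery([string]$sqlText) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sqlText
    $cmd.ExecuteNonQuery() | Out-Null
}

foreach ($acct in $accounts) {
    # Bracket-quote the login name; the names come from this script, not from user input.
    $bracketed = "[" + $acct.Replace("]", "]]") + "]"
    Invoke-NonQuery "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct') CREATE LOGIN $bracketed FROM WINDOWS;"
    foreach ($role in $requiredRoles) {
        # sp_addsrvrolemember works on every SQL Server version SharePoint 2013 supports;
        # on SQL Server 2012 and later ALTER SERVER ROLE ... ADD MEMBER is the modern form.
        Invoke-NonQuery "EXEC sp_addsrvrolemember @loginame = N'$acct', @rolename = N'$role';"
    }
}

# Read back every server role each account actually holds.
$inList = ($accounts | ForEach-Object { "N'" + $_ + "'" }) -join ", "
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT m.name AS login_name, r.name AS role_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN ($inList);
"@
$reader = $cmd.ExecuteReader()
$membership = @{}
while ($reader.Read()) {
    $name = [string]$reader["login_name"]
    if (-not $membership.ContainsKey($name)) { $membership[$name] = @() }
    $membership[$name] += [string]$reader["role_name"]
}
$reader.Close()
$conn.Close()

foreach ($acct in $accounts) {
    $roles   = @($membership[$acct])
    $missing = @($requiredRoles | Where-Object { $roles -notcontains $_ })
    if ($roles -contains "sysadmin") { Write-Warning "$acct is sysadmin, which least privilege does not require" }
    if ($missing.Count -gt 0)       { Write-Warning "$acct is missing: $($missing -join ', ')" }
    else                            { Write-Host "$acct holds: $($roles -join ', ')" }
}
```

Run the check again after the configuration wizards have finished: the wizards add db_owner on the farm databases, but they should not have added either account to sysadmin, and if someone did so "to make setup work" the warning will show it.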
Application pool account
Naming convention | SP15_APP
Comment | The application pool account is used as the application pool identity of the content web applications.
NT rights | Domain account
DB rights | None to grant manually (see note)
Note: the following permissions are granted automatically by the configuration wizard.
Machine-level permissions include:
•Membership in WSS_WPG
Database permissions include:
• SP_DATA_ACCESS role for the content databases
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint server farm configuration database.
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint_Admin content database.
Default content access account
Naming convention | SP15_CRAWL
Comment | The default content access account is used by the Search service application to crawl content.
NT rights | Domain account
SharePoint rights | Explicitly grant this account Full Read on every web application that hosts the sites to be crawled (web application user policy). It must not be a member of the Farm Administrators group, otherwise the crawler would index unpublished content.
DB rights | None
Excel Services unattended service account
Naming convention | SP15_SERV
Comment | Used by Excel Services to refresh workbook data. It is required when workbook connections specify "None" for authentication, or when credentials that are not Windows credentials are used to refresh data.
NT rights | Domain account, with read access to the external data sources it refreshes
SharePoint rights | Configured as the unattended service account of the Excel Services service application; the credentials are stored in a Secure Store target application.
DB rights | None on the SharePoint databases
My Sites application pool account
Naming convention | A dedicated account with the SP15_ prefix; do not reuse SP15_SERV (Excel Services) or SP15_APP (content application pools)
Comment | Used as the application pool identity of the My Sites web application. It is kept separate from the content application pool account so that a compromise of one application pool does not give access to the other.
NT rights | Domain account
SharePoint rights | None beyond the application pool identity
DB rights | None to grant manually (see note)
Note: the following permissions are granted automatically by the configuration wizard.
Machine-level permissions include:
•Membership in WSS_WPG
Database permissions include:
• SP_DATA_ACCESS role for the content databases
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint server farm configuration database.
•Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint_Admin content database.
User Profile Sync Service
Naming convention | SP15_SYNC
Comment | Used by the User Profile Synchronization service to synchronize profiles between SharePoint and Active Directory.
NT rights | Domain account with the Replicate Directory Changes permission on the domain. Do not grant Replicating Directory Changes All: profile synchronization does not need it, and it allows replication of secret attributes such as password hashes.
SharePoint rights | Used as the connection account of the synchronization connection in the User Profile Service Application.
DB rights | None
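Granting the replication right is a one-liner, but it is worth verifying what ended up on the domain ACL, because the two replication rights differ by one GUID and only one of them is harmless. The script below is an added example, not code from the original article: it grants Replicating Directory Changes with dsacls, then reads the domain head ACL back through the ActiveDirectory module and warns if the right is missing or if the more dangerous Replicating Directory Changes All is present. It assumes the domain contoso.com and the account CONTOSO\SP15_SYNC (placeholders), RSAT installed, and a caller allowed to change the domain ACL.

```powershell
# Added example, not code from the original article. Assumes the domain
# DC=contoso,DC=com and the sync account CONTOSO\SP15_SYNC (placeholders).
Import-Module ActiveDirectory

$domainDn    = "DC=contoso,DC=com"
$syncAccount = "CONTOSO\SP15_SYNC"

# Control-access right GUIDs from the AD schema.
# DS-Replication-Get-Changes is what profile sync needs;
# DS-Replication-Get-Changes-All would also allow replicating password data.
$replGetChanges    = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$replGetChangesAll = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Grant the right on the domain head. "CA" selects a control-access (extended) right.
dsacls $domainDn /G "${syncAccount}:CA;Replicating Directory Changes"

# Verify: resolve the account to its SID and inspect the extended-right ACEs on the domain.
$sid = (New-Object System.Security.Principal.NTAccount $syncAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$domainDn"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
}
$hasGetChanges    = [bool]($aces | Where-Object { $_.ObjectType -eq $replGetChanges    -and $_.AccessControlType -eq "Allow" })
$hasGetChangesAll = [bool]($aces | Where-Object { $_.ObjectType -eq $replGetChangesAll -and $_.AccessControlType -eq "Allow" })

if (-not $hasGetChanges)  { Write-Warning "$syncAccount does not hold Replicating Directory Changes on $domainDn" }
if ($hasGetChangesAll)    { Write-Warning "$syncAccount holds Replicating Directory Changes All; remove it, profile sync does not need it" }
if ($hasGetChanges -and -not $hasGetChangesAll) { Write-Host "$syncAccount has exactly the replication right profile sync needs" }
```

The verification step is the useful part: an account that can replicate with Get-Changes-All can pull every password hash in the domain, so the sync account should show only the first GUID.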
Cache portal Super User
Naming convention | SP15_CSU
Comment | The object cache stores properties about items in SharePoint Server 2013. Items in this cache are used by the publishing feature when it renders web pages. The goal of the object cache is to reduce the load on the computer on which SQL Server is running. The Super User is the account the cache uses to read items with full control.
NT rights | Domain account
SharePoint rights | Web application Full Control user policy (Policy for all zones)
DB rights | None
Cache portal Super Reader
Naming convention | SP15_CSR
Comment | Second account of the object cache described above; the cache uses it to read items as an ordinary reader, so that users are only served items they are allowed to see. It must be a different account from the Super User, and neither account should ever be used to log in to the sites.
NT rights | Domain account
SharePoint rights | Web application Full Read user policy (Policy for all zones)
DB rights | None
Note: here is the script to configure the object cache accounts on a web application:
$wa = Get-SPWebApplication -Identity "<WebApplication>"
$wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
$wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"
$wa.Update()
Replace the following placeholders with values:
- <WebApplication> is the name or URL of the web application.
- <SuperUser> is the account to use for the Portal Super User.
- <SuperReader> is the account to use for the Portal Super Reader.
For a web application that uses claims-based authentication, give both accounts in claims-encoded form (for example i:0#.w|domain\SP15_CSU); the plain domain\account form only works for classic-mode web applications.
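The script above only stores the two property values; the user policies still have to exist, and on a claims web application the stored names have to be in claims-encoded form or the cache silently runs with no rights. The script below is an added example, not code from the original article: it refuses to use the same account for both roles, adds the Full Control and Full Read user policies if they are missing, encodes the account names when the web application uses claims authentication, stores the properties and reads everything back. It assumes the web application http://portal.contoso.com and the accounts CONTOSO\SP15_CSU and CONTOSO\SP15_CSR (placeholders).

```powershell
# Added example, not code from the original article. Assumes the web application
# http://portal.contoso.com and the accounts CONTOSO\SP15_CSU / CONTOSO\SP15_CSR (placeholders).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://portal.contoso.com"
$superUser   = "CONTOSO\SP15_CSU"
$superReader = "CONTOSO\SP15_CSR"

# One account cannot be both the full-control reader and the plain reader of the cache.
if ($superUser -eq $superReader) { throw "Super User and Super Reader must be different accounts" }

$wa = Get-SPWebApplication -Identity $webAppUrl

# Claims web applications store policy users as i:0#.w|DOMAIN\user; the plain
# name is silently accepted but matches nobody, and users then get "access denied".
function Get-PolicyUserName($app, [string]$account) {
    if ($app.UseClaimsAuthentication) {
        return (New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    return $account
}

# Ensure a web application user policy exists for the account with the given special
# role (FullControl or FullRead) and return the user name the cache properties must hold.
function Set-CachePolicy($app, [string]$account, [string]$roleType) {
    $userName = Get-PolicyUserName $app $account
    $policy = $app.Policies | Where-Object { $_.UserName -eq $userName }
    if (-not $policy) { $policy = $app.Policies.Add($userName, $account) }
    $role  = $app.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]$roleType)
    $bound = $policy.PolicyRoleBindings | Where-Object { $_.Name -eq $role.Name }
    if (-not $bound) { $policy.PolicyRoleBindings.Add($role) }
    return $userName
}

$suName = Set-CachePolicy $wa $superUser   "FullControl"
$srName = Set-CachePolicy $wa $superReader "FullRead"

$wa.Properties["portalsuperuseraccount"]   = $suName
$wa.Properties["portalsuperreaderaccount"] = $srName
$wa.Update()

# Read back what the farm actually stored, from a fresh object.
$wa = Get-SPWebApplication -Identity $webAppUrl
"Super User   : " + $wa.Properties["portalsuperuseraccount"]
"Super Reader : " + $wa.Properties["portalsuperreaderaccount"]
$wa.Policies | Where-Object { $_.UserName -in @($suName, $srName) } | ForEach-Object {
    "{0} -> {1}" -f $_.UserName, (($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", ")
}
```

The read-back at the end should list the Super User with Full Control and the Super Reader with Full Read, and on a claims web application both names should start with i:0#.w|. If the names are stored in plain form there, fix them rather than working around the resulting access errors by giving end users more rights.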