Office SharePoint Server Security Account Requirements

Posted by marlinline in Internet and Web Development

Oct 31, 2013


This planning tool includes descriptions and requirements for the following categories of accounts:

- Server farm-level accounts
- Shared Services Provider (SSP) accounts
- Windows SharePoint Services search accounts
- Additional application pool accounts

Use this planning tool with the following article: Plan for administrative and service accounts (http://go.microsoft.com/fwlink/?LinkId=92931&clcid=0x409).


Server farm-level accounts

For each account, the following are listed: its description and its requirements under five configurations: single server standard requirements, server farm standard requirements, least privilege administration using domain user accounts, least privilege administration using SQL authentication, and least privilege administration with domain user accounts when connecting to pre-created databases.

Account: SQL Server service account

Description:
SQL Server prompts for this account during SQL Server Setup. This account is used for the following SQL Server services:
- SQL Server (MSSQLSERVER)
- SQL Server Agent (SQLSERVERAGENT)
If you are not using the default instance, these services will have the following names:
- MSSQL$InstanceName
- SQLAgent$InstanceName

Single server standard requirements:
Local System account (default).

Server farm standard requirements:
Use either a Local System account or a domain user account.

If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, one that does not exist in the Active Directory directory service environment), Kerberos authentication fails, and NTLM is then used. If SQL Server uses an SPN that is valid but is not assigned to the appropriate container in Active Directory, authentication fails, resulting in a "Cannot generate SSPI context" error message. Authentication will always try to use the first SPN it finds, so ensure that there are no SPNs assigned to inappropriate containers in Active Directory.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Note: All database accounts must be created as SQL Server login accounts in Microsoft SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any content databases, including the configuration database and the SharePoint_AdminContent database. Create one SQL Server login for both the configuration database and the SharePoint_AdminContent database.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
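The Kerberos-to-NTLM fallback described above for a domain SQL Server service account is silent: the farm keeps working, but over NTLM. As an added example (not part of the planning tool), the following T-SQL shows how to see which authentication scheme the farm's service accounts actually negotiated, using the sys.dm_exec_connections and sys.dm_exec_sessions views available from SQL Server 2005; the CONTOSO\svc_* login names are placeholders.

```sql
-- Added example: report which Windows logins connect with Kerberos and which
-- fell back to NTLM. The DMVs used exist in SQL Server 2005 and later.
-- Account names are placeholders for this example (CONTOSO is a made-up domain).

-- 1. What did the current connection negotiate? auth_scheme is 'KERBEROS',
--    'NTLM' or 'SQL'.
SELECT c.session_id,
       s.login_name,
       c.auth_scheme,
       c.net_transport
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  c.session_id = @@SPID;

-- 2. Service accounts that run as domain user accounts (and so are expected
--    to use Kerberos) but negotiated something else. NTLM here is the symptom
--    of the missing or misplaced SPN the planning tool warns about.
SELECT s.login_name,
       c.auth_scheme,
       COUNT(*)            AS connections,
       MIN(c.connect_time) AS first_seen,
       MAX(c.connect_time) AS last_seen
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  s.login_name IN (N'CONTOSO\svc_spfarm',     -- server farm (database access) account
                        N'CONTOSO\svc_spsetup',    -- Setup user account
                        N'CONTOSO\svc_sspapppool') -- SSP application pool account
  AND  c.auth_scheme <> N'KERBEROS'
GROUP BY s.login_name, c.auth_scheme
ORDER BY s.login_name, c.auth_scheme;
```

A "Cannot generate SSPI context" failure never reaches this view, because the connection is refused; only the silent NTLM fallback shows up here.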

Account: Setup user account

Description:
The user account that is used to run:
- Setup on each server computer
- The SharePoint Products and Technologies Configuration Wizard
- The Psconfig command-line tool
- The Stsadm command-line tool

Single server standard requirements:
Member of the Administrators group on the local computer.

Server farm standard requirements:
- Domain user account.
- Member of the Administrators group on each server on which Setup is run.
- SQL Server login on the computer running SQL Server.
- Member of the following SQL Server security roles:
  - securityadmin fixed server role
  - dbcreator fixed server role
If you run Stsadm commands that affect a database, this account must be a member of the db_owner fixed database role for the database.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- This account should NOT be a member of the Administrators group on the computer running SQL Server.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- SQL Server login on the SQL Server computer.
- NOT a member of the following SQL Server security roles:
  - securityadmin fixed server role
  - dbcreator fixed server role
- NOT a member of the Administrators group on the computer running SQL Server.

Note: You must use the Psconfig command-line tool to create the configuration database and the SharePoint_AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. To create a farm or to join a computer to a farm, specify the SQL Server login that you created for these databases as the dbusername and dbpassword. The same SQL Server login is used to access both databases. All other content databases can be created in Central Administration by selecting the SQL authentication option.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on the computer running SQL Server.
This account is used to configure databases. After each database has been created, change the database owner (dbo or db_owner) to the Setup User account.
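The three Setup user account variants above differ only in what the login holds on the SQL Server side. As an added example (not the planning tool's own script), this T-SQL provisions each variant and then verifies the server role membership; the CONTOSO\svc_spsetup and sp_configdb login names, the SharePoint_Config database name and the password literal are placeholders, and the syntax is SQL Server 2005 (CREATE LOGIN, sp_addsrvrolemember, ALTER AUTHORIZATION).

```sql
-- Added example (not from the planning tool). Names are placeholders.

-- 1. Domain user account variant: a Windows login that is a member of the
--    securityadmin and dbcreator fixed server roles only, never sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_spsetup')
    CREATE LOGIN [CONTOSO\svc_spsetup] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\svc_spsetup', @rolename = N'securityadmin';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\svc_spsetup', @rolename = N'dbcreator';

-- 2. SQL authentication variant: one SQL Server login, created before any
--    SharePoint database exists, later passed to Psconfig as dbusername and
--    dbpassword. The password literal is a placeholder; take the real value
--    from a secrets store, not from a script checked into source control.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'sp_configdb')
    CREATE LOGIN [sp_configdb]
        WITH PASSWORD = N'<placeholder-strong-password>', CHECK_POLICY = ON;

-- 3. Pre-created databases variant: a DBA creates the configuration database
--    (SharePoint_Config is an assumed name) and SharePoint_AdminContent, then
--    hands ownership (dbo) to the Setup user account as the planning tool says.
CREATE DATABASE [SharePoint_Config];
CREATE DATABASE [SharePoint_AdminContent];
ALTER AUTHORIZATION ON DATABASE::[SharePoint_Config]       TO [CONTOSO\svc_spsetup];
ALTER AUTHORIZATION ON DATABASE::[SharePoint_AdminContent] TO [CONTOSO\svc_spsetup];

-- 4. Verification. is_sysadmin must be 0 for every row. Under the SQL
--    authentication configuration is_securityadmin and is_dbcreator must be 0
--    as well; under the domain user account configuration they are 1.
SELECT sp.name,
       sp.type_desc,
       IS_SRVROLEMEMBER(N'sysadmin',      sp.name) AS is_sysadmin,
       IS_SRVROLEMEMBER(N'securityadmin', sp.name) AS is_securityadmin,
       IS_SRVROLEMEMBER(N'dbcreator',     sp.name) AS is_dbcreator
FROM   sys.server_principals AS sp
WHERE  sp.name IN (N'CONTOSO\svc_spsetup', N'sp_configdb');
```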

Account: Server farm account

Description:
This account is also referred to as the database access account. This account is:
- The identity for the application pool that hosts the SharePoint Central Administration Web site.
- The process account for the Windows SharePoint Services Timer service.

Single server standard requirements:
Network Service (default). No manual configuration is necessary.

Server farm standard requirements:
- Domain user account.
- If the server farm is a child farm with Web applications that consume shared services from a parent farm, this account must be a member of the db_owner fixed database role on the configuration database of the parent farm.
Additional permissions are automatically granted for this account on Web servers and application servers that are joined to a server farm. This account is automatically added as a SQL Server login on the computer running SQL Server and added to the following SQL Server security roles:
- dbcreator fixed server role
- securityadmin fixed server role
- db_owner fixed database role for all databases in the server farm

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
- This account does not require permissions to SQL Server before creating the configuration database.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
- NOT a SQL Server login on the computer running SQL Server.
- This account does not require permissions to SQL Server before creating the configuration database.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the server farm, including the computer running SQL Server.
- This account does not require permissions to SQL Server before creating the configuration database.
After the Shared Services Provider (SSP) database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner fixed database role

SSP accounts

For each account, the following are listed: its purpose and its requirements under five configurations: single server standard requirements, server farm standard requirements, least privilege administration using domain user accounts, least privilege administration using SQL authentication, and least privilege administration with domain user accounts when connecting to pre-created databases.

Account: SSP application pool account

Purpose:
Application pool identity for the shared services administration Web application.

Single server standard requirements:
No manual configuration is necessary.

Server farm standard requirements:
No manual configuration is necessary. The following are automatically configured:
- Membership in the db_owner role for the SSP content database.
- Access to read from and write to the SSP content database.
- Access to read from and write to content databases for Web applications that are associated with the SSP.
- Access to read from the configuration database.
- Access to read from the Central Administration content database.
- Additional permissions to front-end Web servers and application servers are automatically granted.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- For security isolation, use a separate service account for each SSP.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- For security isolation, use a separate service account for each SSP.

Account: SSP service account

Purpose:
Used by the following:
- SSP Web services for inter-server communication
- SSP Timer service to run specific types of jobs
- Application pool identity of the application pool associated with the virtual directory associated with a given SSP

Single server standard requirements:
- No manual configuration is necessary.
- This account should not be a member of the Administrators group on any computer in the server farm.

Server farm standard requirements:
- Use a domain user account.
- No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
- This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role
After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role
After My Sites are created, add this account to the following for the My Sites Web application content database:
- Users group
- db_owner role
After each content database is created, add this account to the following:
- Users group
- db_owner role

Account: Office SharePoint Server Search service account

Purpose:
Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.

Single server standard requirements:
By default, this account runs as the Local System account.

If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

Server farm standard requirements:
- Must be a domain user account.
- Should not be a member of the Farm Administrators group on the server.
The following are automatically configured:
- Access to read from the configuration database.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools role
After the SSP database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role

Account: Default content access account

Purpose:
The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

Single server standard requirements:
No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.

Server farm standard requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
The following are automatically configured:
- Full Read permissions are automatically granted to content databases hosted by the server farm.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not grant the default content access account access to the directory service.
For added security, use a different default content access account for each SSP.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login on the SQL Server host.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not give the default content access account access to the directory service.
For added security, use a separate default content access account for each SSP.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role

Account: Content access account

Purpose:
A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.

Single server standard requirements:
Same as the SSP default content access account listed previously.

Server farm standard requirements:
- Read access to external or secure content sources that this account is configured to access.
- For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.


Account: Profile import default access account

Purpose:
Used to:
- Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.
- Import profile data from a directory service.
If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.

Single server standard requirements:
Same requirements as server farm.

Server farm standard requirements:
- Read access to the directory service.
- If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
- Manage User Profiles personalization services permission.
- View permissions on entities used in Business Data Catalog import connections.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- This account can be the same account as the default content access account, or you can use a separate account.
- Read access to the directory service.
- Manage User Profiles personalization services permission.
- This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- This account can be the same account as the default content access account or you can use a separate account.
- Use an account that has read access to the directory service and the Manage User Profiles personalization services permission.
This account should not be a member of the Administrators group on any computer in the server farm.

Account: Excel Services unattended service account

Purpose:
The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources.

Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.

Single server standard requirements:
Must be a domain user account.

Server farm standard requirements:
Must be a domain user account.

Least privilege administration using domain user accounts:
Must be a domain user account.

Least privilege administration using SQL authentication:
Must be a domain user account.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Must be a domain user account.


Windows SharePoint Services Search accounts

For each account, the following are listed: its purpose and its requirements under five configurations: single server standard requirements, server farm standard requirements, least privilege administration using domain user accounts, least privilege administration using SQL authentication, and least privilege administration with domain user accounts when connecting to pre-created databases.

Account: Windows SharePoint Services Search service account

Purpose:
Used as the service account for the Windows SharePoint Services Help Search service. There is only one instance of this service in a farm.

Single server standard requirements:
By default, this account runs as the Local System account.

Server farm standard requirements:
- Must be a domain user account.
- Should not be a member of the Farm Administrators group on the server.
The following are automatically configured:
- Access to read from the configuration database and the SharePoint_AdminContent database.
- Membership in the db_owner role for the Windows SharePoint Services Search database.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
After the SSP database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role
When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:
- Users group and db_owner role for the WSS_Search database.
- Users group in the configuration database.
- Users group in the Central Administration content database.

Account: Windows SharePoint Services Search content access account

Purpose:
Used by the Windows SharePoint Services Search application server role to crawl content across sites.

Single server standard requirements:
- Must not be a member of the Farm Administrators group.
The following are automatically configured:
- Added to the Web application Full Read policy for the farm.

Server farm standard requirements:
- Same requirements as the Windows SharePoint Services Search service account.
The following are automatically configured:
- Added to the Web application Full Read policy for the farm.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
When running the Psconfig command-line tool to start the Windows SharePoint Services Search service, membership is automatically configured in the following:
- Users group and the db_owner role in the WSS_Search database.
- Users group in the configuration database.
- Users group in the Central Administration content database.


Additional application pool identity accounts

For each account, the following are listed: its purpose and its requirements under five configurations: single server standard requirements, server farm standard requirements, least privilege administration using domain user accounts, least privilege administration using SQL authentication, and least privilege administration with domain user accounts when connecting to pre-created databases.

Account: Application pool identity

Purpose:
The user account that the worker processes that service the application pool use as their process identity. This account is used to access content databases associated with the Web applications that reside in the application pool.

Single server standard requirements:
No manual configuration is necessary. The Network Service account is used for the default Web site that is created during Setup and configuration.

Server farm standard requirements:
No manual configuration is necessary. The following are automatically configured:
- Membership in the db_owner role for content databases and search databases associated with the Web application.
- Access to read from the configuration and the SharePoint_AdminContent databases.
- Access to read from and write to the associated SSP database.
- Additional permissions for this account to front-end Web servers and application servers are automatically granted.

Least privilege administration using domain user accounts:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account for each application pool.
- This account should not be a member of the Administrators group on any computer in the server farm.

Least privilege administration using SQL authentication:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.

Least privilege administration with domain user accounts when connecting to pre-created databases:
Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account for each application pool.
- This account should not be a member of the Administrators group on any computer in the server farm.
After the SSP database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role
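The pre-created databases columns throughout this planning tool repeat one manual step: after a database is created, add the service account to its Users group and to either the db_owner role or the WSS_Content_Application_Pools role. As an added example (not the planning tool's own script), this T-SQL performs that step for one database of each kind and then audits every database on the instance so grants beyond the table can be spotted. It reads "Users group" as a database user mapped to the login; the CONTOSO\svc_* login names and the SSP_Search_DB and SharePoint_Config database names are placeholders, and the syntax is SQL Server 2005 (CREATE USER, sp_addrolemember, sys.database_role_members).

```sql
-- Added example (not from the planning tool). Names are placeholders.

-- 1. "Add this account to the Users group and the db_owner role" for the
--    SSP search database (SSP_Search_DB is an assumed name): map the login
--    to a database user, then add that user to the role.
USE [SSP_Search_DB];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_spfarm')
    CREATE USER [CONTOSO\svc_spfarm] FOR LOGIN [CONTOSO\svc_spfarm];
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'CONTOSO\svc_spfarm';
GO

-- 2. Same pattern on the configuration database (SharePoint_Config is an
--    assumed name), where the SSP service account gets the narrower
--    WSS_Content_Application_Pools role instead of db_owner.
USE [SharePoint_Config];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_sspservice')
    CREATE USER [CONTOSO\svc_sspservice] FOR LOGIN [CONTOSO\svc_sspservice];
EXEC sp_addrolemember @rolename   = N'WSS_Content_Application_Pools',
                      @membername = N'CONTOSO\svc_sspservice';
GO

-- 3. Audit: for every user database, list which service accounts are database
--    users and which roles they hold. A row with role '(Users only)' is a login
--    mapped into the database without any role; compare db_owner rows against
--    the planning tool's table for that account.
USE master;
GO
DECLARE @db  sysname,
        @sql nvarchar(max);
CREATE TABLE #roles (db_name sysname, principal sysname, role_name sysname NULL);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE  state_desc = N'ONLINE' AND database_id > 4;   -- skip system databases
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Three-part names let one batch read another database's catalog views.
    SET @sql = N'SELECT N' + QUOTENAME(@db, '''') + N', u.name, r.name
                 FROM ' + QUOTENAME(@db) + N'.sys.database_principals AS u
                 LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
                        ON rm.member_principal_id = u.principal_id
                 LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
                        ON r.principal_id = rm.role_principal_id
                 WHERE u.type IN (''U'', ''S'', ''G'')          -- Windows, SQL, group users
                   AND u.name LIKE N''CONTOSO\svc[_]%''';      -- [_] escapes the wildcard
    INSERT INTO #roles EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT db_name, principal, ISNULL(role_name, N'(Users only)') AS role_name
FROM   #roles
ORDER BY db_name, principal, role_name;
DROP TABLE #roles;
```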