I want to move to Least-Privilege, but my farm is already in Production. What do I do?
Hello All,
Not sure how often others see this, but I seem to hit this question all the time. I usually show up after the environment has been built and is in production, users are connected and working, and the security team has told the SharePoint admins that they have to move to a least-privilege environment. We have to minimize the issues and downtime that a change like this could cause, and these are the steps I recommend.
To set up least privilege in an SPS2010 farm that has already been configured with a single account, here is what I would do.
Step 1: Decide which accounts you want to use for which functions. There are many different opinions out there and I will not say any of them are wrong, but you could certainly use the word 'complex' to describe some of them. Here is what I would do based on my experience.
- Setup Account
  - Used to install the SharePoint bits on the servers
  - Used to install Service Packs/Hotfixes/Cumulative Updates on the servers
  - Used to run psconfig on all servers
- Farm Account
  - Used for configuration of the farm and all of its objects
  - The log on account for the Central Admin Application Pool
  - The service account for the User Profile Service Application
- Service Application - Application Pool Account
  - The log on account for all Application Pools used by Service Applications such as Search, Managed Metadata, etc.
  - Due to security boundaries within your industry or company there could be reason to have two or more of these
- Web Application - Application Pool Account
  - The log on account for the application pools used by your Web Applications
  - Due to security boundaries within your industry or company there could be reason to have two or more of these
- Crawl Account
  - The account used by the crawl process for authentication
- User Profile Connection Account
  - The account used by the User Profile Service when it synchronizes with a domain
Step 2: We need to decide what to do with the single account that is currently in use. My suggestion is that it becomes the Farm Account; that way we only need to make a few changes to its permissions.
Step 3: We need to assign permissions to the six accounts. I will list all six and you can decide which one you used for Step 2 (nothing needs to be added for that account). Add the following permissions for your newly created accounts.
- Setup Account
  - Add it to the following local groups on each SharePoint server
    - Local Administrators
    - WSS_ADMIN
    - IIS_WPG
  - In SQL it requires the following permissions
    - db_owner for the configuration database
    - db_owner for the Admin Content database
  - In SQL it needs the following fixed server roles
    - securityadmin
    - dbcreator
- Farm Account
  - Add it to the following local groups on each SharePoint server
    - WSS_ADMIN_WPG
    - WSS_WPG
    - WSS_RESTRICTED_WPG
  - In SQL it needs the following roles
    - db_owner for all databases
    - dbcreator fixed server role
    - securityadmin fixed server role
    - For the Config and Admin Content databases, add the account to the WSS_CONTENT_APPLICATION_POOLS role
- Service Application - Application Pool Account
  - Add it to the following local group on each SharePoint server
    - WSS_WPG
  - In SQL it needs the following roles
    - For the Config and Admin Content databases, add the account to the WSS_CONTENT_APPLICATION_POOLS role
    - For all Service Application databases, add it to the db_owner role
- Web Application - Application Pool Account
  - In SQL it needs the following roles
    - db_owner on all Content Databases
    - For the Config and Admin Content databases, add the account to the WSS_CONTENT_APPLICATION_POOLS role
- Crawl Account
  - In SQL it needs
    - Read permission on the Config and Admin Content databases
    - db_owner on the Search Service databases
  - In the farm
    - Full Read on all Web Applications; I suggest you use a web application user policy for this
    - Ensure that this account has no more than this: if it is an account with any kind of full permissions you run the risk of crawling unpublished versions of pages
  - For any external sources being crawled, i.e. file shares or other farms
    - Full Read must be assigned to the account, with the same caveat: give it no more than that
- User Profile Connection Account
  - The account requires Replicate Directory Changes on the root of the domain
  - If the NetBIOS name does not equal the FQDN (e.g. atoscorp compared to atos.com), the account also requires Replicate Directory Changes on the CN=Configuration container for the domain. Likewise, if there is a root domain, it requires Replicate Directory Changes on the CN=Configuration container of that domain as well
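The SQL side of Step 3 as a script, added here as an example and not part of the original post: it applies the login, fixed server role and database role assignments above through System.Data.SqlClient from the SharePoint 2010 Management Shell. The instance name, the service and search database names and the CONTOSO\sp_* accounts are placeholders, and the crawl account's "read permission" is implemented as db_datareader, which is my assumption.

```powershell
# Added example, not part of the original post: applies the Step 3 SQL permissions.
# Run as a SQL sysadmin. Instance, database and account names are placeholders.
$SqlInstance = "SQL01"
$ConfigDb    = "SharePoint_Config"
$AdminDb     = "SharePoint_AdminContent"
$ContentDbs  = @(Get-SPContentDatabase | ForEach-Object { $_.Name })      # Web Application content DBs
$ServiceDbs  = @("ManagedMetadata_DB", "UserProfile_DB")                  # placeholder names
$SearchDbs   = @("Search_Admin_DB", "Search_Crawl_DB", "Search_Property_DB")
$Acct = @{ Setup = "CONTOSO\sp_setup"; Farm = "CONTOSO\sp_farm"; SvcPool = "CONTOSO\sp_svcpool";
           WebPool = "CONTOSO\sp_webpool"; Crawl = "CONTOSO\sp_crawl" }

function Invoke-Tsql([string]$Database, [string]$Query) {
    $cs = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI"
    $cn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $cn.Open()
    try { $cmd = $cn.CreateCommand(); $cmd.CommandText = $Query; [void]$cmd.ExecuteNonQuery() }
    finally { $cn.Close() }
}
# Windows login plus fixed server roles (Setup and Farm Accounts: dbcreator, securityadmin)
function Add-ServerRole([string]$Login, [string[]]$Roles) {
    Invoke-Tsql "master" "IF SUSER_ID(N'$Login') IS NULL CREATE LOGIN [$Login] FROM WINDOWS;"
    foreach ($r in $Roles) { Invoke-Tsql "master" "EXEC sp_addsrvrolemember N'$Login', N'$r';" }
}
# Map the login into each database and add it to one database role
function Add-DbRole([string[]]$Databases, [string]$Login, [string]$Role) {
    foreach ($db in $Databases) {
        Invoke-Tsql $db ("IF DATABASE_PRINCIPAL_ID(N'$Login') IS NULL CREATE USER [$Login] FOR LOGIN [$Login]; " +
                         "EXEC sp_addrolemember N'$Role', N'$Login';")
    }
}

$ConfigAndAdmin = @($ConfigDb, $AdminDb)
# Setup Account
Add-ServerRole $Acct.Setup @("dbcreator", "securityadmin")
Add-DbRole $ConfigAndAdmin $Acct.Setup "db_owner"
# Farm Account (skip if it is the Step 2 account, which already holds these rights)
Add-ServerRole $Acct.Farm @("dbcreator", "securityadmin")
Add-DbRole ($ConfigAndAdmin + $ContentDbs + $ServiceDbs + $SearchDbs) $Acct.Farm "db_owner"
Add-DbRole $ConfigAndAdmin $Acct.Farm "WSS_CONTENT_APPLICATION_POOLS"
# Service Application - Application Pool Account
Add-DbRole $ConfigAndAdmin $Acct.SvcPool "WSS_CONTENT_APPLICATION_POOLS"
Add-DbRole ($ServiceDbs + $SearchDbs) $Acct.SvcPool "db_owner"
# Web Application - Application Pool Account
Add-DbRole $ContentDbs $Acct.WebPool "db_owner"
Add-DbRole $ConfigAndAdmin $Acct.WebPool "WSS_CONTENT_APPLICATION_POOLS"
# Crawl Account: the post's "read permission" on Config/Admin is taken as db_datareader (assumption)
Add-DbRole $ConfigAndAdmin $Acct.Crawl "db_datareader"
Add-DbRole $SearchDbs $Acct.Crawl "db_owner"
```

The local group memberships and the Full Read web application policy from Step 3 are not covered by this script and still need to be set on each server and in Central Admin.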
Step 4: Now that we have assigned all the permissions, we need to put those accounts in place in the farm. This step should be performed during off hours as it could cause small outages (~15 min) while the system changes log on accounts and resets app pools.
- Open Central Admin
- Go to Security -> Configure Managed Accounts
  - Add all of the accounts as managed accounts
- Go to Security -> Configure Service Accounts
  - Configure each component by following these steps; continue until you have completed all the components
    - Select a component using the drop down
    - Select an account for the component using the following matrix
      - Farm Account component goes with Farm Account
      - Windows Service - Claims to Windows Token Service goes with Farm Account
      - Windows Service - Document Conversions Launcher Service goes with Farm Account
      - Windows Service - Document Conversions Load Balancer Service goes with Farm Account
      - Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service goes with Farm Account
      - Windows Service - SharePoint Foundation Search goes with Service Application - Application Pool Account
      - Windows Service - SharePoint Server Search goes with Service Application - Application Pool Account
      - Windows Service - User Profile Synchronization Service goes with Farm Account
      - Windows Service - Web Analytics Data Processing Service goes with Service Application - Application Pool Account
      - Web Application - <Web Application Name> goes with Web Application - Application Pool Account
      - Service Application Pool - <Service Application> goes with Service Application - Application Pool Account
    - Click OK
Step 5: Then, to configure the crawl account, perform the following
- Go to General Application Settings -> Farm Search Administration
- Click on the Search Service Application link
- Find the 'Default content access account' status and click on the account name to the right of it
- Enter the user name and password
- Click OK
Step 6: Then, to configure the Active Directory connection account, perform the following
- Go to Application Management -> Manage Service Applications
- Select your User Profile Service Application and click Manage
- Click on Configure Synchronization Connections
- Select each connection and edit it
- Enter the new user name and password
- Once you have completed all connections, perform a full import
Step 7: Then we have to remove permissions from the Step 2 account to secure the farm. If we assume that your single account became the Farm Account, you would have to remove the following permissions:
- Remove it from the following local groups on all SharePoint servers
  - Local Administrators
  - WSS_ADMIN
  - IIS_WPG
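A check for the end state of Steps 4 and 7, added as an example and not part of the original post: it compares every application pool identity in the farm against the Step 4 matrix and confirms that the old single account is gone from the Step 7 local groups on each SharePoint server. Account names are placeholders; the Windows service components from the matrix are not covered, only the application pools.

```powershell
# Added example, not part of the original post: audits the end state of Steps 4 and 7 from the
# SharePoint 2010 Management Shell. Account names are placeholders; adjust the group list if needed.
$FarmAcct    = "CONTOSO\sp_farm"      # the Step 2 account, now the Farm Account
$SvcPoolAcct = "CONTOSO\sp_svcpool"
$WebPoolAcct = "CONTOSO\sp_webpool"
$OldAcct     = $FarmAcct              # the original single account that Step 7 strips
$Groups      = @("Administrators", "WSS_ADMIN", "IIS_WPG")   # Step 7 groups, as named in the post
$findings    = @()

# Step 4 matrix: Central Admin pool -> Farm Account, every other web app pool -> Web App Pool Account
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $expected = if ($wa.IsAdministrationWebApplication) { $FarmAcct } else { $WebPoolAcct }
    $actual   = $wa.ApplicationPool.Username
    if ($actual -ne $expected) { $findings += "Web app '$($wa.DisplayName)' runs as $actual, expected $expected" }
}
# Service application pools -> Service Application Pool Account
foreach ($pool in Get-SPServiceApplicationPool) {
    if ($pool.ProcessAccountName -ne $SvcPoolAcct) {
        $findings += "Service app pool '$($pool.Name)' runs as $($pool.ProcessAccountName), expected $SvcPoolAcct"
    }
}
# Step 7: the old account must be gone from the local groups on every SharePoint server
function Get-LocalGroupMembers([string]$Server, [string]$Group) {
    $grp = [ADSI]"WinNT://$Server/$Group,group"
    $grp.psbase.Invoke("Members") | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/sp_farm; turn it into CONTOSO\sp_farm
        ($_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    }
}
$servers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" } | ForEach-Object { $_.Address }
foreach ($srv in $servers) {
    foreach ($g in $Groups) {
        try {
            if ((Get-LocalGroupMembers $srv $g) -contains $OldAcct) { $findings += "$OldAcct is still in $g on $srv" }
        } catch { $findings += "Could not read group $g on ${srv}: $_" }
    }
}
if ($findings.Count -eq 0) { "All pools match the matrix and $OldAcct is out of the local groups." }
else { $findings }
```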
Articles of Interest
- Plan for administrative and service accounts (SharePoint Server 2010): https://technet.microsoft.com/en-us/library/cc263445.aspx
- Account permissions and security settings (SharePoint Server 2010): https://technet.microsoft.com/en-us/library/cc678863.aspx
- Initial deployment administrative and service accounts (SharePoint Server 2010): https://technet.microsoft.com/en-us/library/ee662513.aspx