As the title of this post says, 'Adhere to the security practice of least privilege'. This means that the accounts used for a SharePoint implementation should be created so that each one can be given only the permissions required to perform its task. Many times people just create one or two accounts and use them for running all the services and for installing SharePoint. This can be acceptable in a development environment, but it is definitely not a good practice for a test/staging or production environment.
As you know, SharePoint has close dependencies on SQL Server and Active Directory. Active Directory stores the user accounts, validates account logons and supports users logging on to the SharePoint sites, whereas SQL Server stores almost all of the configuration and content of the SharePoint farm.
Here are the account setups which enable a least-privilege implementation of SharePoint; you need to create these accounts before installing SharePoint.
Setup Active Directory Accounts:
Start Active Directory Users and Computers and, under Service Accounts, create the following user accounts:
| User account | Description |
|---|---|
| SQL_Admin | SQL Server administrator account. This account needs to be a local admin on the SQL Server machine; use it for the installation of the SQL Server database. |
| SQL_Service | SQL Server service account. Use this account for running the MSSQLSERVER and SQLSERVERAGENT services. |
| SP_Admin | SharePoint administrator and setup user. Add this account to the DnsAdmins group of the domain and also to the local Administrators group of the SharePoint server machine. |
| SP_Farm | SharePoint farm service |
| SP_ServiceApps | SharePoint service applications |
| SP_WebApps | SharePoint web applications |
| SP_Crawl | SharePoint search crawler |
| SP_UserSync | SharePoint user profile synchronization |
Setup SQL Server login for SharePoint Administrator:
SP_Admin is the only account for which a SQL login must be created manually, so connect to your SQL Server, open SQL Server Management Studio and create a login for SP_Admin. Assign the dbcreator and securityadmin server roles to the SP_Admin account.
Once the above account setups are done, you can proceed with the SharePoint installation, using the above accounts during the installation and when setting up the services.
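The whole procedure above (one account per role, the group memberships for SP_Admin and SQL_Admin, and the SQL login with its two server roles) scripted in PowerShell. This is an added example, not a script from the original post. It assumes a domain called CONTOSO (DNS name contoso.local) with the service accounts in an OU named "Service Accounts", a SQL Server named SQL01 and a SharePoint server named SP01, the ActiveDirectory and SqlServer modules, and that it is run once by an administrator who can create AD users, modify DnsAdmins, administer both servers and hold sysadmin on SQL01; all of these names are placeholders to adjust.

```powershell
# Added example (not from the original post). Creates the least-privilege
# accounts described above and the SQL login for SP_Admin.
# Assumptions (placeholders, adjust to your environment):
#   - Domain CONTOSO / contoso.local, OU "Service Accounts" for the accounts
#   - SQL Server SQL01 (default instance), SharePoint server SP01
#   - Run once by an admin who can create AD users, edit DnsAdmins,
#     administer SP01 and SQL01, and is sysadmin on SQL01
#Requires -Modules ActiveDirectory, SqlServer

$Domain      = 'CONTOSO'
$DnsDomain   = 'contoso.local'
$ServiceOU   = 'OU=Service Accounts,DC=contoso,DC=local'
$SqlInstance = 'SQL01'
$SpServer    = 'SP01'

# One account per role, so each can be granted only what its task needs.
$Accounts = [ordered]@{
    'SQL_Admin'      = 'SQL Server administrator and installation account'
    'SQL_Service'    = 'SQL Server service account (MSSQLSERVER, SQLSERVERAGENT)'
    'SP_Admin'       = 'SharePoint administrator and setup user'
    'SP_Farm'        = 'SharePoint farm service'
    'SP_ServiceApps' = 'SharePoint service applications'
    'SP_WebApps'     = 'SharePoint web applications'
    'SP_Crawl'       = 'SharePoint search crawler'
    'SP_UserSync'    = 'SharePoint user profile synchronization'
}

foreach ($name in $Accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "$name already exists, skipping"
        continue
    }
    # A distinct password per account; never share one across roles.
    $password = Read-Host -Prompt "Password for $name" -AsSecureString
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@$DnsDomain" `
        -Path $ServiceOU -Description $Accounts[$name] `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# Group memberships called for above: SP_Admin in DnsAdmins and in the local
# Administrators group of the SharePoint server; SQL_Admin local admin on SQL.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'SP_Admin'
Invoke-Command -ComputerName $SpServer -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member "$using:Domain\SP_Admin"
}
Invoke-Command -ComputerName $SqlInstance -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member "$using:Domain\SQL_Admin"
}

# The only manually created SQL login: SP_Admin with dbcreator and securityadmin.
$createLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Domain\SP_Admin')
    CREATE LOGIN [$Domain\SP_Admin] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$Domain\SP_Admin];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$Domain\SP_Admin];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $createLogin

# Verification: list the server-role membership of every service account so
# that no account other than SP_Admin ends up holding a server role.
$checkRoles = @"
SELECT m.name AS login_name, r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name LIKE N'$Domain\SQL[_]%' OR m.name LIKE N'$Domain\SP[_]%'
ORDER BY m.name, r.name;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $checkRoles | Format-Table -AutoSize
```

The final query is the check worth keeping around: the only rows it should return are SP_Admin in dbcreator and securityadmin. Because securityadmin members can grant and revoke server-level permissions, SP_Admin should stay a setup and administration account only, and none of the service accounts (SP_Farm, SP_WebApps and so on) should be run as it or be added to these roles; SharePoint creates the logins those accounts need during installation.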