SharePoint Security Starts at Deployment

As the repository of a great deal of an organization’s sensitive data, it is imperative to ensure that your SharePoint web applications are set up properly from the moment of deployment. All the precautions taken to ensure appropriate user access to libraries and lists can be completely undone if security best practices at the administration level are neglected.

Security in Microsoft SharePoint starts at the time of deployment. Setting up the proper user accounts ensures the proper separation of responsibilities and activity auditing. Therefore, it is important to set up multiple user accounts with limited privileges. These accounts exist for specific administrative functions and nothing more. At minimum, there should be three different user accounts created to manage setup, SQL management, and for SharePoint farm administration.

  1. The Setup User Account

The setup user account is used only for running the SharePoint setup wizard, the product configuration wizard and for installing any patches, service packs, cumulative updates or hot fixes. Any time you plan to run the setup and configuration wizards or plan to install updates, this is the account that should be used.

The Setup User Account should not have any special administrative privileges on the SQL Server system as long as the SQL Server is on a separate system or VM from the SharePoint servers. When running the SharePoint setup and configuration wizards, these processes will use the Setup User Account credentials to create databases and SQL logins for other SharePoint accounts. However, despite the lack of administrative privileges to the SQL Server system (as recommended above), before starting to setup SharePoint, you must assign the Setup User Account to the securityadmin and dbcreator roles in SQL Server.

  1. SQL Server Service Account

This account should be set up before you begin the installation process as the SharePoint setup wizard will request this account during setup. This account is used specifically by SharePoint when it tries to access data from SQL server. This account will be given all appropriate rights to SQL Server during the SQL Server setup process. Best practices dictate that this account needs to be a user account in the Active Directory domain and it should be secured according to your IT security policies.

  1. SharePoint Farm Account

This is the farm administrator’s account and is all powerful within SharePoint. Providing access to the SharePoint central administration console, it is this account that is used to run and manage the entire farm. For example, during the setup and configuration process, several critical SharePoint services (including the timer service) will be configured to use the Farm Account as the identity under which they run.

One final note: do not use personal accounts when deploying SharePoint. The Setup User Account becomes owner of the SharePoint farm. The Farm Account becomes dbowner of the SharePoint Config database. There are many places where the account, and its email address, get integrated into the farm. Use of a personal account will make you the farm’s owner and could compromise security if you have privileges on other systems. In addition, personal accounts change if your role changes, so it is important that a personal user account is not left owning the SharePoint farm.

Leave a Reply