Does SharePoint Security Start at Deployment?
I read an interesting blog post from one of our suppliers (Titus) and I thought it would be worth sharing with you.
SharePoint repositories can contain a significant amount of an organization’s sensitive data, so it is critical to ensure that your SharePoint environment is set up correctly from the beginning. Even if all the precautions are taken to ensure appropriate user access to libraries and lists, they can be completely undone if security best practices at the administration level are neglected.
Microsoft SharePoint security starts at the time of deployment. Setting up proper user accounts ensures proper separation of responsibilities and activity auditing. Therefore, you should set up multiple user accounts with limited privileges, each existing for a specific administrative function. At least three different user accounts should be created to manage setup, SQL management, and SharePoint farm administration.
- The Setup User Account
The setup user account is used only for running the SharePoint setup wizard, the product configuration wizard and for installing any patches, service packs, cumulative updates or hot fixes. Any time you plan to run the setup and configuration wizards or plan to install updates, this is the account that should be used.
The Setup User Account should not have any special administrative privileges on the SQL Server system as long as the SQL Server is on a separate system or VM from the SharePoint servers. When running the SharePoint setup and configuration wizards, these processes will use the Setup User Account credentials to create databases and SQL logins for other SharePoint accounts. However, despite the lack of administrative privileges on the SQL Server system (as recommended above), before starting to set up SharePoint, you must assign the Setup User Account to the securityadmin and dbcreator roles in SQL Server.
- SQL Server Service Account
This account should be set up before you begin the installation, as the SharePoint setup wizard will ask for this account during setup. This account is used specifically by SharePoint when it tries to access data from your SQL server. This account will be given all appropriate rights to SQL Server during the SQL Server setup process. Best practices dictate that this account needs to be a user account in the Active Directory domain and it should be secured according to your IT security policies.
- SharePoint Farm Account
This is the farm administrator’s account and has the highest security privileges within SharePoint. It provides access to the SharePoint central administration console, and it is the account used to run and manage the entire farm. For example, during the setup and configuration process, several critical SharePoint services (including the timer service) will be configured to use the Farm Account as the identity under which they run.
Please note: Do not use personal accounts when deploying SharePoint. The Setup User Account becomes owner of the SharePoint farm. The Farm Account becomes dbowner of the SharePoint Config database. There are many places where the account, and its email address, get integrated into the farm. The use of a personal account will make you the farm’s owner and could compromise security if you have privileges on other systems. In addition, personal accounts change if your role changes, so it is important that a personal user account is not left owning the SharePoint farm.
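The role assignment described for the Setup User Account, as an added T-SQL example (not from the original post or from Titus): it grants only the securityadmin and dbcreator roles and then audits the account's fixed server role memberships. The login name CONTOSO\sp_setup is a placeholder assumption, and ALTER SERVER ROLE ... ADD MEMBER requires SQL Server 2012 or later.

```sql
-- Added example: run as a SQL Server administrator before starting SharePoint setup.
-- [CONTOSO\sp_setup] is a placeholder; substitute your dedicated Setup User Account.
DECLARE @setup sysname = N'CONTOSO\sp_setup';

-- 1. Create the Windows login only if it is not already present.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @setup)
    CREATE LOGIN [CONTOSO\sp_setup] FROM WINDOWS;

-- 2. Grant the two roles the setup procedure requires, and nothing more.
ALTER SERVER ROLE [securityadmin] ADD MEMBER [CONTOSO\sp_setup];
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [CONTOSO\sp_setup];

-- 3. Audit: list every fixed server role the account holds directly and flag
--    anything beyond the two required roles (for example sysadmin).
SELECT  m.name AS login_name,
        r.name AS server_role,
        CASE WHEN r.name IN (N'securityadmin', N'dbcreator')
             THEN 'expected'
             ELSE 'REVIEW: not required for SharePoint setup'
        END    AS finding
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   m.name = @setup
ORDER BY r.name;

-- 4. Audit: report any required role that is still missing.
SELECT  req.role_name AS missing_role
FROM    (VALUES (N'securityadmin'), (N'dbcreator')) AS req(role_name)
WHERE   NOT EXISTS (
            SELECT 1
            FROM   sys.server_role_members AS rm
            JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
            JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
            WHERE  m.name = @setup
              AND  r.name = req.role_name);
```

The audit queries only see roles granted directly to the login; membership inherited through a Windows group that is itself a login has to be checked against that group.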
Please share this information with your colleagues and send us your questions, comments and feedback to: firstname.lastname@example.org . Additionally, we appreciate your time and look forward to answering any SharePoint security questions you may have; please contact us at 1 (800) 263-8733.