SharePoint 2013 Service Accounts Best Practices

January 10, 2013 — Leave a comment

Source: http://www.absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best.html
You can download all the information here in PDF format on  here: http://sdrv.ms/U6hvuU

For the SQL Server

Name Description Local Rights Domain Rights
SQL_Admin The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT. SQL Admin on the SQL Server Local Administrator on the SQL Server Domain User

Explanation

As Stated previously, in the Low Security Option, we only use one Service Account for our SQL Server.  This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. We will also run the SQL AGENT and the Database Engine services with this account.  This the account that will have the full power on your SQL server and you will use it to grant rights to your SP_Farm(more details to follow)

For the SharePoint Server

 

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:

-Setup
-SharePoint Products Configuration Wizard
-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide:http://bit.ly/TSE7xs

Explanation

The Low Security Option uses the minimum amount of accounts while also keeping a level of security.  Here is the account breakdown:
SP_Farm is your main SharePoint account in this configuration. It needs to have Local Administrator rights to be able to install SharePoint Server and also the Securityadmin and DBcreator roles on the SQL Server to create the configuration and other databases.  This account will be your main Farm Administrator and also run the Timer Service and the web application for Central Administration use to access the SharePoint content database
SP_Pool  is a domain account used for application pool identity.. ex: When you create a Web Application, and you create a pool for it, you select this account!

SP_Services is a domain account used for the Service Applications Pools.  ex: When you create a Managed Metadata Service application and create a pool for it, you select this account!

SP_Crawl is used within the Search Service Application  to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications. It will also run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights, however you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization

Medium Security Option (Sweet Spot)

SUMMARY

The Medium Security option is the Sweet Spot of a SharePoint installation. It uses slightly more accounts than the Low Security Option however it provides a huge security improvement. By giving less rights to each account you limit the possible damage in case an account gets hacked  and also follow Microsoft’s recommendation of installing SharePoint 2013 with  least-privilege administration. More details on the changes under every section!

For the SQL Server

 

Name Description Local Rights Domain Rights
SQL_Admin SQL Admin on the SQL Server. Used to Install the SQL Server. Local Administrator on the SQL Server Domain User
SQL_Services It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT. None Domain User

Explanation

The difference between the Low Security and the Medium Security option for the SQL is that we now use two different accounts :The SQL_Admin and the SQL_Services. The big security improvement is that the account running the Agent and Database Engine services is not a local administrator anymore. Here is the account breakdown:
SQL_Admin: This will be your main SQL Administrator!. It needs Local Administrator rights in order to install the SQL server.
SQL_Services: This account does not have any local rights, it is only used to run the SQL Agent and Database Engine windows services.

For the SharePoint Server

 

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:

-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Admin The server farm account is used to perform the following tasks:

-Setup
-SharePoint Products Configuration Wizard
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_Search Service Account to run the SharePoint Search “Windows Service” None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide:http://bit.ly/TSE7xs

Explanation

In the Medium Security option we increase the security by adding two new accounts: The SP_Admin and the SP_Search. Instead of giving all the Farm Administration power to the SP_Farm account, the SP_Admin will be the one that installs and configures SharePoint 2013 and have the local administrator rights, while the SP_Farm will only run the services and connect to the database. Furthermore, instead of letting the SP_Crawl account run both the Windows Service and have FULL-READ rights on all the web applications, the SP_Search will now run the Windows Service. Here is the breakdown of the accounts:

SP_Farm is a domain account that the SharePoint Timer service and the web application for Central Administration use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint configuration wizard grants the proper minimal privilege in the back-end SQL Server database.The minimum SQL Server privilege configuration is membership in the roles securityadmin and dbcreator.

SP_admin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard  for SharePoint 2013.The SPAdmin account is the only account that requires local Administrator rights. To configure the SPAdmin account in a minimum privilege scenario, it should be a member of the roles securityadmin and dbcreator on the SQL server.

SP_Pool  is a domain account used for application pool identity.. ex: When you create a Web Application, and you create a pool for it, you select this account!

SP_Services is a domain account used for the Service Applications Pools.  ex: When you create a Managed Metadata Service application and create a pool for it, you select this account!

SP_Crawl is used within the Search Service Application  to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.

SP_Search Is used to run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights, however you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.

High Security Option

SUMMARY

The High Security Option is the ones that provides the best security and of course the most Service Accounts. This only ads a small amount of extra security to the farm, however that extra security might be needed in some scenarios

For the SQL Server

 

Name Description Local Rights Domain Rights
SQL_Admin SQL Admin on the SQL Server. Used to Install the SQL Server. Local Administrator on the SQL Server Domain User
SQL_AGENT It is the service account for the following SQL Server services: SQL SERVER AGENT. None Domain User
SQL_ENGINE It is the service account for the following SQL Server services: Database Engine. None Domain User

Explanation

The difference between the Medium Security and High Security Option is that we now have a separate account for each of the two base services: SQL_Agent and Database Engine.  Nothing changes for the SQL_Admin

SQL_Admin: This will be your main SQL Administrator!. It needs Local Administrator rights in order to install the SQL server.
SQL_Agent: This account does not have any local rights, it is only used to run the SQL Agent Windows Service

SQL_Engine: This account does not have any local rights, it is only used to run the Database Engine windows service.

 

For the SharePoint Server

 

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:

-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Admin The server farm account is used to perform the following tasks:

-Setup
-SharePoint Products Configuration Wizard
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_Search Service Account to run the SharePoint Search “Windows Service” None Domain User
Sp_MySitePool Used for the My Sites Web Application None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide:http://bit.ly/TSE7xs

Explanation

The only difference between the Medium security and the High Security option is that we now have a separate account for the Web Application Pool hosting the ‘My Sites’  since it has a different security policy than the other Web Applications .  I will only give the details for the new account in the breakdown:

SP_MySitePool  is a domain account used for the My Sites Web Application Pool Identity. It’s very similar to the SP_Pool, however it is only used for the My Sites Web Application.

Source: http://www.absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best.html
You can download all the information here in PDF format on  here: http://sdrv.ms/U6hvuU

No Comments

Be the first to start the conversation!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s