
    SharePoint 2010 Installation – Adhere to the security practice of least privilege

    As the title of this post says, 'Adhere to the security practice of least privilege' means that each account used in a SharePoint implementation should be created so that it is given only the permissions required to perform its task. Many times people create just one or two accounts and use them for installing SharePoint and running all of its services. This can be acceptable in a development environment but is definitely not good practice for a test/staging or production environment.

    As you know, SharePoint has close dependencies on SQL Server and Active Directory. Active Directory stores user accounts and validates account logon, and its services support users logging on to the SharePoint sites, whereas SQL Server stores almost all of the configuration and content of the SharePoint farm.

    Here is the account setup that enables a least-privilege implementation of SharePoint; you need to create these accounts before installing SharePoint.

    Setup Active Directory Accounts:
    Start Active Directory Users and Computers and, under Service Accounts, create the following user accounts:

    | User account | Description |
    | --- | --- |
    | SQL_Admin | SQL Server administrator account. This account needs to be a local admin on the SQL Server machine; use it for installation of the SQL Server database. |
    | SQL_Service | SQL Server service account. Use this account for running the MSSQLSERVER and SQLSERVERAGENT services. |
    | SP_Admin | SharePoint administrator and setup user. Add this account to the DnsAdmins group of the domain and to the local Administrators group of the SharePoint server machine. |
    | SP_Farm | SharePoint farm service |
    | SP_ServiceApps | SharePoint service applications |
    | SP_WebApps | SharePoint web applications |
    | SP_Crawl | SharePoint search crawler |
    | SP_UserSync | SharePoint user profile synchronization |

    Setup SQL Server login for SharePoint Administrator:
    SP_Admin is the only account for which a SQL login must be created manually. Connect to your SQL Server, open SQL Server Management Studio and create a login for SP_Admin. Assign the dbcreator and securityadmin server roles to the SP_Admin account.
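
The two setup steps above can also be scripted and then checked. The following is an added example, not part of the original article: it assumes the ActiveDirectory and SQL Server PowerShell modules and PowerShell remoting are available, and the domain, OU and server names are placeholders. It creates the accounts, grants only the memberships and roles the article lists, and then warns if any account holds a direct group membership beyond those.

```powershell
# Added example. Values marked "assumption" are not from the article.
Import-Module ActiveDirectory
$Domain    = 'CONTOSO'                                  # assumption: NetBIOS domain name
$ServiceOU = 'OU=Service Accounts,DC=contoso,DC=local'  # assumption: OU distinguished name
$SpServer  = 'SP01'                                     # assumption: SharePoint server
$SqlServer = 'SQL01'                                    # assumption: SQL Server host/instance

# Account names and purposes as listed in the article's table.
$Accounts = [ordered]@{
    SQL_Admin      = 'SQL Server administrator and installation account'
    SQL_Service    = 'Runs MSSQLSERVER and SQLSERVERAGENT services'
    SP_Admin       = 'SharePoint administrator and setup user'
    SP_Farm        = 'SharePoint farm service'
    SP_ServiceApps = 'SharePoint service applications'
    SP_WebApps     = 'SharePoint web applications'
    SP_Crawl       = 'SharePoint search crawler'
    SP_UserSync    = 'SharePoint user profile synchronization'
}
foreach ($name in $Accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }  # skip existing accounts
    # Prompt per account: nothing stored in the script, a distinct password each.
    $pw = Read-Host -AsSecureString -Prompt "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $ServiceOU `
        -Description $Accounts[$name] -AccountPassword $pw -Enabled $true
}

# The only elevated memberships the article calls for.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'SP_Admin'
$addLocalAdmin = { param($member) net localgroup Administrators $member /add }
Invoke-Command -ComputerName $SpServer  -ScriptBlock $addLocalAdmin -ArgumentList "$Domain\SP_Admin"
Invoke-Command -ComputerName $SqlServer -ScriptBlock $addLocalAdmin -ArgumentList "$Domain\SQL_Admin"

# SQL login for SP_Admin with exactly the two server roles from the article.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Domain\SP_Admin')
    CREATE LOGIN [$Domain\SP_Admin] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$Domain\SP_Admin', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'$Domain\SP_Admin', @rolename = N'securityadmin';
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $sql

# Least-privilege check: warn on any direct group membership beyond what was granted above.
$Expected = @{ SP_Admin = @('DnsAdmins') }
foreach ($name in $Accounts.Keys) {
    $groups = Get-ADPrincipalGroupMembership -Identity $name | Select-Object -ExpandProperty Name
    $extra  = $groups | Where-Object { $_ -ne 'Domain Users' -and $Expected[$name] -notcontains $_ }
    if ($extra) { Write-Warning "$name has unexpected groups: $($extra -join ', ')" }
}
```

The final loop looks only at direct memberships; nested group membership needs a separate review.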

    Once the above account setup is done, you can proceed with the SharePoint installation and use these accounts during the installation and when setting up the services.
    • C 2015 Microsoft Corporation. All rights reserved.
    • This page has been extracted by Pete Laker, Microsoft Azure MVP & Microsoft IT Implementer