As the title of this post says, 'Adhere to the security practice of least privilege'. This means that the accounts used for a SharePoint implementation should be created so that each one can be given only the permissions required to perform its task. Often people create just one or two accounts and use them for running all the services and for installing SharePoint; this can be acceptable in a development environment but is definitely not good practice for test/staging or production environments.
As you know, SharePoint has close dependencies on SQL Server and Active Directory. Active Directory stores user accounts and validates account logon, and this service supports users logging on to the SharePoint sites, whereas SQL Server stores almost all of the configuration and content of the SharePoint farm.
Here is the account setup that enables a least-privilege implementation of SharePoint; you need to create these accounts before installing SharePoint.
Setup Active Directory Accounts:
Start Active Directory Users and Computers and, under Service Accounts, create the following user accounts:
User Accounts | Descriptions
SQL_Admin | SQL Server administrator account. This account needs to be a local admin on the SQL Server machine; use it for the installation of the SQL Server database.
SQL_Service | SQL Server service account; use this account for running the MSSQLSERVER and SQLSERVERAGENT services.
SP_Admin | SharePoint administrator and setup user; add this account to the DnsAdmins group of the domain and also to the local Administrators group of the SharePoint server machine.
SP_Farm | SharePoint farm service
SP_ServiceApps | SharePoint service applications
SP_WebApps | SharePoint web applications
SP_Crawl | SharePoint search crawler
SP_UserSync | SharePoint user profile synchronization
Setup SQL Server login for SharePoint Administrator:
SP_Admin is the only account for which a SQL login must be created manually. Connect to your SQL Server, open SQL Server Management Studio, and create a login for SP_Admin. Assign the dbcreator and securityadmin server roles to the SP_Admin account.
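The two setup steps above, as an added PowerShell example (not code from the original post): it creates the accounts from the table, adds SP_Admin to DnsAdmins, and creates the SP_Admin SQL login with only the dbcreator and securityadmin roles. The domain name CONTOSO, the OU path, the SQL instance name SQL01, and the use of the ActiveDirectory and SqlServer PowerShell modules are assumptions.

```powershell
Import-Module ActiveDirectory
Import-Module SqlServer

$domain  = 'CONTOSO'                                   # assumption: your NetBIOS domain name
$ouPath  = 'OU=Service Accounts,DC=contoso,DC=local'   # assumption: the Service Accounts OU
$sqlHost = 'SQL01'                                     # assumption: SQL Server instance name

# One account per role, matching the table in the post; each gets its own password.
$accounts = [ordered]@{
    SQL_Admin      = 'SQL Server administrator / installer'
    SQL_Service    = 'MSSQLSERVER and SQLSERVERAGENT service account'
    SP_Admin       = 'SharePoint setup and farm administrator'
    SP_Farm        = 'SharePoint farm service'
    SP_ServiceApps = 'SharePoint service applications'
    SP_WebApps     = 'SharePoint web applications'
    SP_Crawl       = 'SharePoint search crawler'
    SP_UserSync    = 'SharePoint user profile synchronization'
}
foreach ($name in $accounts.Keys) {
    $pw = Read-Host -AsSecureString "Password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $ouPath `
        -Description $accounts[$name] -AccountPassword $pw -Enabled $true
}

# SP_Admin is the only account that needs domain DnsAdmins membership.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'SP_Admin'

# Local Administrators membership is granted on the machine that needs it:
#   Add-LocalGroupMember -Group Administrators -Member "$domain\SP_Admin"   (on the SharePoint server)
#   Add-LocalGroupMember -Group Administrators -Member "$domain\SQL_Admin"  (on the SQL Server)

# SP_Admin is the only account with a manually created SQL login; it gets
# exactly the dbcreator and securityadmin server roles and nothing more.
$tsql = @"
CREATE LOGIN [$domain\SP_Admin] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$domain\SP_Admin];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$domain\SP_Admin];
"@
Invoke-Sqlcmd -ServerInstance $sqlHost -Query $tsql

# Verify: list the server roles SP_Admin holds; only dbcreator and securityadmin should appear.
Invoke-Sqlcmd -ServerInstance $sqlHost -Query @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$domain\SP_Admin';
"@
```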
Once the above account setup is done, you can proceed with the SharePoint installation and use these accounts during the installation and when setting up the services.