
Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 27 ppsx


DOCUMENT INFORMATION

Contents

MCT USE ONLY. STUDENT USE PROHIBITED Designing a Security Plan 5-5

• Installation privileges. SharePoint 2010 has its own account that you use to run the initial setup process and the SharePoint Products Configuration Wizard. You should not use your own account or a generic administrative account. This specific SharePoint account must be a local administrator but should not be a domain administrator.

• Administrator privileges. Administrative privileges should only be granted if these privileges are necessary. Never grant them where they are not specifically required. This applies to domain administrators, local administrators, site collection administrators, and Internet Information Services (IIS) administrators.

• Services. Each service relies on a service account. Some services require a separate account that is dedicated to their specific role. You can create a separate account for a particular service to provide isolation for that service. For example, you can create a separate account for the Search Crawl Service. This service is often configured to use the service account for the SharePoint farm, which grants more privileges than are required. This creates a security risk by exposing confidential information in the search results. By creating a separate account for the Search Crawl Service, you mitigate this security risk.

• Application pools. IIS hosts application pools, and they use the application pool account, which identifies the application pools. You can isolate applications that host sensitive data by hosting them in their own application pool.

Security Architecture in SharePoint 2010

Key Points

A security architecture describes the various elements that you require to configure security for your SharePoint infrastructure and the relationships between them. These are primarily SharePoint elements, such as SharePoint groups and permission levels.
However, there are external elements that you must also consider, such as Active Directory® directory service groups and user accounts. Key elements include:

• Service accounts. Service accounts enable SharePoint services to run and to communicate with other services. Service accounts are most often Active Directory user accounts.

• Permission levels. Permission levels are collections of individual permissions that you group together to simplify the process of assigning permissions for securable objects.

• Site collection and site permissions. Each site collection and each site in your SharePoint infrastructure has permissions that you can use to control user access. Your security plan must incorporate guidance about how to use these permissions.

• Security groups. You can assign SharePoint 2010 permissions to SharePoint groups, Active Directory groups, or local Windows® operating system groups. Your security plan must include guidance about which type of group is appropriate in your SharePoint infrastructure.

• Permission policies. Permission policies provide a centralized way to configure and manage a set of permissions that applies to only a subset of users or groups in a Web application.

• SSL. In addition to securing content via permissions, for sites that contain sensitive information you must ensure that traffic between the client and the Web Front End (WFE) server is secure. SSL is the recommended method for encrypting such traffic.

Lesson 2: Planning for Service Accounts

SharePoint 2010 relies on service accounts to run services and service applications. You must configure these service accounts with sufficient permissions and privileges to perform their functions. However, you must not grant them so many permissions that you increase the risk of a security breach.
It is particularly important to ensure that the service accounts do not have administrative privileges for the SharePoint farm, the Active Directory domain, or the local machine unless they are specifically required.

Objectives

After completing this lesson, you will be able to:

• List the service accounts that SharePoint 2010 uses.
• Plan security for service accounts.
• Document your plan for security for service accounts.
• Describe the best practices for security for service accounts.

What Are Service Accounts?

Key Points

Service accounts enable services to run. They also enable communication between the different services on which SharePoint 2010 depends. Service accounts may be part of SharePoint 2010 or they may be part of an external system.

Communication between the IT teams that manage the different aspects of the IT infrastructure is crucial when you plan a SharePoint 2010 deployment. A common reason for failure when you configure security for a SharePoint deployment is lack of coordination between the Windows (Active Directory) team, the SharePoint team, and the Microsoft SQL Server® database administrators (DBAs).

Planning should identify the accounts that you require to deploy SharePoint 2010 and the time at which you will require them. You must ensure that you have created and granted the appropriate permissions to all of the required accounts before you begin the SharePoint deployment.

The following table (shown here as one entry per account) describes the purpose and requirements of the core service accounts that are used in a SharePoint 2010 farm.

Account: SQL Server service account
Purpose: SQL Server uses this account to start and run the following services:
  • MSSQLSERVER
  • SQLSERVERAGENT
Requirements for account: The SQL Server service account must be either a local system account or a domain user account.

Account: Setup user account
Purpose: The Setup user account runs the following:
  • Setup
  • SharePoint Products Configuration Wizard
Requirements for account: The Setup user account must:
  • Be a domain user account.
  • Be a member of the Administrators group on each server on which Setup is run.
  • Have a SQL Server login on the computer running SQL Server.
  The Setup user account must be a member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role

Account: Server farm account
Purpose: The server farm account is used to perform the following tasks:
  • Configure and manage the server farm.
  • Act as the application pool identity for the SharePoint Central Administration Web site.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
Requirements for account: The server farm account:
  • Must be a domain user account.
  • Has additional permissions that are automatically granted on Web servers and application servers that are joined to a server farm.
  The server farm account is automatically added as a SQL Server login on the computer running SQL Server. The account is added to the following SQL Server security roles:
  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm

Account: Search service account
Purpose: The Search service account is used as the service account for the SharePoint Foundation 2010 Search service.
Requirements for account: The Search service account must have domain user account permissions.

Account: Search content access account
Purpose: The SharePoint Foundation 2010 Search service uses the Search content access account to crawl content across sites.
Requirements for account: The Search content access account must:
  • Have domain user account permissions.
  • Not be a member of the Farm Administrators group.
Other Service Accounts

You can create accounts to use for specific service applications in your SharePoint infrastructure in accordance with the principle of least privilege. For example, you can create a generic account that most of the service applications use, and you can create specific accounts for service applications that you must manage more closely.

You should also consider the service accounts that you use to identify application pools. Application pools contain the SharePoint Web applications. You should identify any Web applications that require isolation and create a separate account to identify the relevant application pool.

Question: When would you configure the SQL Server service account as a local account?

Additional Reading

For more information about account permissions and security settings for SharePoint Server 2010, see http://go.microsoft.com/fwlink/?LinkID=200876&clcid=0x409.

Planning Security for Service Accounts

Key Points

When you plan security for the core service accounts, you must determine whether to use local or domain accounts for the services and devise a naming strategy for your accounts. You must also consider the implications of having different SharePoint environments in the same organization. For example, if you have development and staging environments in addition to your production environment, you should add a duplicate set of accounts to ensure that development and testing are valid.

Using Local or Domain Accounts

Most core service accounts must be Active Directory accounts, including the Setup user account and the Server farm account. However, some accounts—such as the SQL Server service account—may be either local accounts or domain-based accounts.
If the computer on which SQL Server is installed is not part of a domain, a local user account without Windows administrator permissions is recommended.

If the computer on which SQL Server is installed is part of a domain, you should use a minimally privileged domain account. The SQL Server service account may need to perform server-to-server activities that can be accomplished only with a domain user account. A domain administrator should create this account in your environment before you install SharePoint 2010. If your organization has a separate Active Directory management team, your planning must incorporate schedules and mechanisms for liaising with this team.

Naming Strategy

It is recommended that when you devise a naming strategy, you document it clearly and use it consistently so that each account is identifiable. Consistent naming is particularly important if there is a separate Active Directory management team and you must accurately identify each account. In organizations with multiple environments—such as production, development and staging environments—the account names should identify the environment in which the account is used. For example, the service account for service applications may be named sp-p-serviceapp in the production environment and sp-s-serviceapp in the staging environment.
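The account rules in this lesson (domain accounts, no domain administrator rights, the Setup account as a local administrator on the Setup server, environment-aware naming) can be checked before deployment. The following PowerShell script is an added example and not part of the course; it assumes the ActiveDirectory module (RSAT) is available, the account names are constructed samples following the sp-<env>-<role> pattern, and the $Plan structure and its LocalAdmin flag are this example's own.

```powershell
# Added example, not part of the course: pre-deployment audit of planned SharePoint 2010
# service accounts against the rules in this lesson. Run it on a server where Setup will run.
Import-Module ActiveDirectory

$Environment = 'p'   # p = production, s = staging, d = development (naming convention)
$Plan = @(   # constructed sample plan; LocalAdmin = must be in local Administrators
    @{ Name = "sp-$Environment-setup";      Role = 'Setup user account';            LocalAdmin = $true  },
    @{ Name = "sp-$Environment-farm";       Role = 'Server farm account';           LocalAdmin = $false },
    @{ Name = "sp-$Environment-search";     Role = 'Search service account';        LocalAdmin = $false },
    @{ Name = "sp-$Environment-crawl";      Role = 'Search content access account'; LocalAdmin = $false },
    @{ Name = "sp-$Environment-serviceapp"; Role = 'Service application account';   LocalAdmin = $false }
)

# Service accounts must never be domain administrators; -Recursive also catches nested groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}

# Members of the local Administrators group, read through ADSI so it works on older PowerShell.
$LocalAdmins = @(([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

foreach ($acct in $Plan) {
    $issues = @()
    if ($acct.Name -notmatch "^sp-$Environment-[a-z]+$") {
        $issues += "name does not follow the sp-$Environment-<role> convention"
    }
    # -Filter returns nothing (no error) when the account does not exist yet
    $user = Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'"
    if (-not $user) {
        $issues += 'not found in Active Directory; create it before running Setup'
    } else {
        if ($PrivilegedMembers -contains $acct.Name) {
            $issues += 'is a (possibly nested) member of a domain administrator group'
        }
        $isLocalAdmin = $LocalAdmins -contains $acct.Name
        if ($acct.LocalAdmin -and (-not $isLocalAdmin)) {
            $issues += 'must be in the local Administrators group on each server where Setup runs'
        }
        if ((-not $acct.LocalAdmin) -and $isLocalAdmin) {
            $issues += 'is a local administrator, which this lesson does not require'
        }
    }
    $status = if ($issues) { 'FAIL' } else { 'OK' }
    '[{0}] {1} ({2})' -f $status, $acct.Name, $acct.Role
    $issues | ForEach-Object { "      - $_" }
}
# Farm Administrators membership and the SQL Server roles (securityadmin, dbcreator) are not
# visible in AD; verify those in Central Administration and SQL Server Management Studio.
```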

Posted on: 04/07/2014, 13:20