Information
The SharePoint farm service account (database access account) must be configured with
the minimum privileges for the local server.
Rationale:
Separation of duties is a prevalent Information Technology control implemented at
different layers of the information system including the operating system and in
applications. It serves to eliminate or reduce the possibility that a single user may carry out
a prohibited action. Separation of duties requires the person accountable for approving an
action not be the same person who is tasked with implementing the action.
This requirement is intended to limit exposure due to user accounts being used to operate
from within a privileged account or role. Limiting the access and permissions of privileged
accounts to the minimum required, reduces exposure if the account is compromised and
provides forensic history of activity when operating from these accounts.
This policy limits the Farm Account privileges in AD. However, default permissions for this
account are configured by the SharePoint Products Configuration Wizard during product
installation. This account is referred to during the installation as the Database Access
account. By default, the account is used as the service account for the SharePoint Timer
Service and the SharePoint Central Administration Web Site Application Pool. These
settings should not be changed. Furthermore, this account should not be used as the service
account for non-privileged services, applications, or application pools.
Solution
1. On the server(s) where the SharePoint software is installed, navigate to Server
Manager > Local Users and Groups.
2. Select the Member of tab and ensure this account is only a member of the
WSS_RESTRICTED_WPG, WSS_ADMIN_WPG, and WSS_WPG groups.
3. Select the other tabs in this area to ensure there are no other services or
permissions are configured for this account.