Tuesday, August 20, 2013

Least Privilege Service Account Model for SharePoint 2013

The user accounts below follow a least-privilege model: each account holds only the rights its role needs, and no service or application-pool identity is a local or domain administrator. The "Log on as a service" and "Log on as a batch job" user rights listed for the pool and service accounts are granted on each farm server by SharePoint itself when the account is registered as a managed account, so they do not need to be assigned by hand.

     Naming format: svc_p_<FarmName>_<serviceName>
The middle token is the environment: _p_ indicates production, _d_ development and _u_ UAT. (The two SQL Server accounts use the form SQL_<Role>_<SQL ServerName> instead.)


Columns: SL. NO, Account Name, Description, Local Permissions, Account Type

SQL Server Accounts

1. SQL_Admin_<SQL ServerName>
   Description:       Setup account, used to install SQL Server.
   Local permissions: Local (machine) Administrator on the SQL Server box
   Account type:      Domain account

2. SQL_Service_<SQL ServerName>
   Description:       Service account under which the SQL Server services run.
   Local permissions: Not a local administrator; Log on as a service and Log on as a batch job
   Account type:      Domain account

SharePoint Accounts

3. svc_p_<Farm Name>_adm
   Description:       Setup account, used to install SharePoint and run the Products Configuration Wizard (PSConfig).
   Local permissions: Local (machine) Administrator on every SharePoint server; "dbcreator" and "securityadmin" fixed server roles on the SQL Server instance
   Account type:      Domain account

4. svc_p_<Farm Name>_wApp
   Description:       Web application pool account: identity of the content web application pools.
   Local permissions: Log on as a service, Log on as a batch job
   Account type:      Domain account

5. svc_p_<Farm Name>_sApp
   Description:       Service application pool account: identity of the service application pools.
   Local permissions: Log on as a service, Log on as a batch job
   Account type:      Domain account

6. svc_p_<Farm Name>_mApp
   Description:       My Site host web application pool account: identity of the web application pool that serves the My Site host.
   Local permissions: Log on as a service, Log on as a batch job
   Account type:      Domain account

7. svc_p_<Farm Name>_Farm
   Description:       Farm account: identity of the Central Administration application pool and of the SharePoint Timer Service.
   Local permissions: Log on as a service, Log on as a batch job. It must be a local Administrator on the server that provisions the User Profile Synchronization Service only while that service is being provisioned; remove it from the group afterwards.
   Account type:      Domain account

8. svc_p_<Farm Name>_ca
   Description:       Content access account: default crawl account used by Search to crawl content in the farm (read access only; never an application-pool identity).
   Local permissions: Log on as a service, Log on as a batch job
   Account type:      Domain account

9. svc_p_<Farm Name>_UP
   Description:       Profile import account: the account User Profile Synchronization uses to read Active Directory.
   Local permissions: Log on as a service, Log on as a batch job; "Replicating Directory Changes" permission on the domain in Active Directory
   Account type:      Domain account

10. svc_p_<Farm Name>_WF
   Description:       Workflow RunAs account (the account the Workflow Manager service runs as).
   Local permissions: Log on as a service, Log on as a batch job
   Account type:      Domain account

11. Grp_p_<Farm Name>_WF
   Description:       Farm workflow group (the Workflow Manager administrators group).
   Local permissions: N/A
   Account type:      Domain group
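The following script is an added example, not part of the original post: it registers the application-pool and service accounts from the table above as SharePoint managed accounts, builds the service application pool and a content web application on the right identities, sets the crawl account, grants the profile import account "Replicating Directory Changes", and checks that none of these accounts has ended up in the local Administrators group. The domain (CORP), farm name (Farm1), domain DN, web application URL and database name are assumptions; run it in the SharePoint 2013 Management Shell as the setup account, and the dsacls step as a domain administrator.

```powershell
# Added example (not from the original post). Assumed names: CORP, Farm1, the domain DN and URL below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain   = 'CORP'                        # assumption
$farm     = 'Farm1'                       # assumption: <FarmName> from the naming format
$domainDn = 'DC=corp,DC=example,DC=com'   # assumption: domain naming context for dsacls

# Naming format from the post: svc_<p|d|u>_<FarmName>_<serviceName>
$namePattern = '^svc_[pdu]_[A-Za-z0-9]+_[A-Za-z0-9]+$'

$accounts = @{
    wApp = "$domain\svc_p_${farm}_wApp"   # content web application pools
    sApp = "$domain\svc_p_${farm}_sApp"   # service application pools
    mApp = "$domain\svc_p_${farm}_mApp"   # My Site host web application pool
    ca   = "$domain\svc_p_${farm}_ca"     # search content access (crawl) account
    UP   = "$domain\svc_p_${farm}_UP"     # profile import account
}

function Test-SvcAccountName {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    return ($sam -match $namePattern)
}

function Register-FarmManagedAccount {
    param([string]$Account)
    if (-not (Test-SvcAccountName $Account)) { throw "$Account does not follow svc_<env>_<farm>_<service>" }
    $existing = Get-SPManagedAccount -Identity $Account -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # Registering a managed account is what grants "Log on as a service" and
    # "Log on as a batch job" on every server in the farm.
    $cred = Get-Credential -UserName $Account -Message "Password for $Account"
    return New-SPManagedAccount -Credential $cred
}

# 1. Register the pool accounts (wApp, sApp, mApp) as managed accounts
$managed = @{}
foreach ($k in 'wApp', 'sApp', 'mApp') { $managed[$k] = Register-FarmManagedAccount $accounts[$k] }

# 2. One service application pool running as the sApp account
$sPool = Get-SPServiceApplicationPool -Identity 'SharePoint Service Applications' -ErrorAction SilentlyContinue
if (-not $sPool) {
    $sPool = New-SPServiceApplicationPool -Name 'SharePoint Service Applications' -Account $managed['sApp']
}

# 3. Content web application on the wApp account with claims authentication (URL and DB name assumed)
$url = 'http://intranet.corp.example.com'
if (-not (Get-SPWebApplication -Identity $url -ErrorAction SilentlyContinue)) {
    New-SPWebApplication -Name 'Intranet' -HostHeader 'intranet.corp.example.com' -Port 80 -Url $url `
        -ApplicationPool 'Intranet AppPool' -ApplicationPoolAccount $managed['wApp'] `
        -AuthenticationProvider (New-SPAuthenticationProvider) `
        -DatabaseName 'SP_Content_Intranet' | Out-Null
}

# 4. Crawl (content access) account: read-only identity for Search, never a pool identity
$ssa = Get-SPEnterpriseSearchServiceApplication
$crawlCred = Get-Credential -UserName $accounts['ca'] -Message 'Password for the crawl account'
$ssa | Set-SPEnterpriseSearchServiceApplication -DefaultContentAccessAccountName $crawlCred.UserName `
        -DefaultContentAccessAccountPassword $crawlCred.Password

# 5. Profile import account needs only "Replicating Directory Changes" on the domain (row 9)
dsacls $domainDn /G "$($accounts['UP']):CA;Replicating Directory Changes"

# 6. Check: none of the service accounts is a member of the local Administrators group on this box
$localAdmins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
foreach ($acct in $accounts.Values) {
    if ($localAdmins -contains $acct.Split('\')[-1]) { Write-Warning "$acct is a local Administrator; remove it" }
}
```

Step 6 is worth running on every server after the farm is built and again after the User Profile Synchronization Service has been provisioned, since the farm account is commonly left in the local Administrators group at that point.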

SharePoint 2013 Service Configuration in a medium 3 Tier Server Farm


The table below shows which service instances are started on each server in a traditional three-tier farm consisting of a web front end (WFE), an application server (Search, Timer, User Profiles, Central Administration, etc.) and a database server. Each row is a service instance as listed under Central Administration > Services on Server, and the value is its state on that server.


Service Name                                                  | Web Frontend Server | Application Server
--------------------------------------------------------------+---------------------+-------------------
Access Database Service 2010                                  | Stopped             | Stopped
Access Services                                               | Stopped             | Started
App Management Service                                        | Stopped             | Started
Business Data Connectivity Service                            | Stopped             | Started
Central Administration                                        | Stopped             | Started
Claims to Windows Token Service                               | Started             | Started
Distributed Cache                                             | Started             | Started
Document Conversions Launcher Service                         | Stopped             | Started
Document Conversions Load Balancer Service                    | Stopped             | Started
Excel Calculation Services                                    | Stopped             | Started
Lotus Notes Connector                                         | Stopped             | Started
Machine Translation Service                                   | Stopped             | Stopped
Managed Metadata Web Service                                  | Stopped             | Started
Microsoft SharePoint Foundation Incoming E-Mail               | Started             | Stopped
Microsoft SharePoint Foundation Sandboxed Code Service        | Started             | Stopped
Microsoft SharePoint Foundation Subscription Settings Service | Stopped             | Stopped
Microsoft SharePoint Foundation Web Application               | Started             | Stopped
Microsoft SharePoint Foundation Workflow Timer Service        | Started             | Stopped
PerformancePoint Service                                      | Stopped             | Started
PowerPoint Conversion Service                                 | Stopped             | Started
Request Management                                            | Started             | Stopped
Search Host Controller Service                                | Stopped             | Started
Search Query and Site Settings Service                        | Stopped             | Started
Secure Store Service                                          | Stopped             | Started
SharePoint Server Search                                      | Stopped             | Started
User Profile Service                                          | Stopped             | Started
User Profile Synchronization Service                          | Stopped             | Started
Visio Graphics Service                                        | Started             | Started
Word Automation Services                                      | Started             | Started
Work Management Service                                       | Stopped             | Started

The database server hosts only the databases; none of the services listed above has an instance on it. Two rows deserve care: Microsoft's Distributed Cache planning guidance recommends against running the cache on a server that also runs Search or Excel Services, which the application server does in this layout, so where server count allows, keep Distributed Cache on the WFE tier only; and starting the User Profile Synchronization Service on the application server requires the farm account to be a local Administrator on that server while the service is provisioned (remove it from the group afterwards).
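The script below is an added example and not part of the original post. It encodes the WFE and Application Server columns of the table above as the desired state, compares it with the actual service instances on each server, and starts or stops the drifting ones. The hashtable keys are the service TypeName strings exactly as they appear in Central Administration (the same names as in the table); the server-to-role map (SPWFE01, SPAPP01) is an assumption. Distributed Cache and User Profile Synchronization are deliberately left out of the desired-state list: the cache is managed with Add-SPDistributedCacheServiceInstance / Remove-SPDistributedCacheServiceInstance, and profile sync is provisioned with the farm account's credentials from Central Administration, not with Start-SPServiceInstance.

```powershell
# Added example (not from the original post): apply the WFE / Application Server
# service layout to each server and report drift. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Server-to-role map: assumption, replace with the farm's real host names.
$roles = @{
    'SPWFE01' = 'WFE'
    'SPAPP01' = 'App'
}

# Desired state per service instance TypeName (Distributed Cache and UPS sync omitted on purpose).
$layout = @{
    'Access Database Service 2010'                                  = @{ WFE='Stopped'; App='Stopped' }
    'Access Services'                                               = @{ WFE='Stopped'; App='Started' }
    'App Management Service'                                        = @{ WFE='Stopped'; App='Started' }
    'Business Data Connectivity Service'                            = @{ WFE='Stopped'; App='Started' }
    'Central Administration'                                        = @{ WFE='Stopped'; App='Started' }
    'Claims to Windows Token Service'                               = @{ WFE='Started'; App='Started' }
    'Document Conversions Launcher Service'                         = @{ WFE='Stopped'; App='Started' }
    'Document Conversions Load Balancer Service'                    = @{ WFE='Stopped'; App='Started' }
    'Excel Calculation Services'                                    = @{ WFE='Stopped'; App='Started' }
    'Lotus Notes Connector'                                         = @{ WFE='Stopped'; App='Started' }
    'Machine Translation Service'                                   = @{ WFE='Stopped'; App='Stopped' }
    'Managed Metadata Web Service'                                  = @{ WFE='Stopped'; App='Started' }
    'Microsoft SharePoint Foundation Incoming E-Mail'               = @{ WFE='Started'; App='Stopped' }
    'Microsoft SharePoint Foundation Sandboxed Code Service'        = @{ WFE='Started'; App='Stopped' }
    'Microsoft SharePoint Foundation Subscription Settings Service' = @{ WFE='Stopped'; App='Stopped' }
    'Microsoft SharePoint Foundation Web Application'               = @{ WFE='Started'; App='Stopped' }
    'Microsoft SharePoint Foundation Workflow Timer Service'        = @{ WFE='Started'; App='Stopped' }
    'PerformancePoint Service'                                      = @{ WFE='Stopped'; App='Started' }
    'PowerPoint Conversion Service'                                 = @{ WFE='Stopped'; App='Started' }
    'Request Management'                                            = @{ WFE='Started'; App='Stopped' }
    'Search Host Controller Service'                                = @{ WFE='Stopped'; App='Started' }
    'Search Query and Site Settings Service'                        = @{ WFE='Stopped'; App='Started' }
    'Secure Store Service'                                          = @{ WFE='Stopped'; App='Started' }
    'SharePoint Server Search'                                      = @{ WFE='Stopped'; App='Started' }
    'User Profile Service'                                          = @{ WFE='Stopped'; App='Started' }
    'Visio Graphics Service'                                        = @{ WFE='Started'; App='Started' }
    'Word Automation Services'                                      = @{ WFE='Started'; App='Started' }
    'Work Management Service'                                       = @{ WFE='Stopped'; App='Started' }
}

function Get-ServiceDrift {
    # Returns one object per service whose actual state differs from the desired state on that server.
    param([string]$Server, [string]$Role)
    $instances = Get-SPServiceInstance -Server $Server
    foreach ($name in $layout.Keys) {
        $want = $layout[$name][$Role]
        $inst = $instances | Where-Object { $_.TypeName -eq $name } | Select-Object -First 1
        if (-not $inst) { continue }   # service not installed on this server
        # Status 'Online' is shown as Started in Central Administration; anything else is treated as Stopped
        $have = if ($inst.Status -eq 'Online') { 'Started' } else { 'Stopped' }
        if ($have -ne $want) {
            [pscustomobject]@{ Server = $Server; Service = $name; Want = $want; Have = $have; Instance = $inst }
        }
    }
}

function Set-ServiceLayout {
    # Prints every drifting instance and, unless -ReportOnly is given, starts or stops it.
    param([switch]$ReportOnly)
    foreach ($server in $roles.Keys) {
        foreach ($d in (Get-ServiceDrift -Server $server -Role $roles[$server])) {
            Write-Host ('{0,-10} {1,-62} want {2,-8} have {3}' -f $d.Server, $d.Service, $d.Want, $d.Have)
            if ($ReportOnly) { continue }
            if ($d.Want -eq 'Started') { Start-SPServiceInstance -Identity $d.Instance | Out-Null }
            else                       { Stop-SPServiceInstance  -Identity $d.Instance -Confirm:$false | Out-Null }
        }
    }
}

Set-ServiceLayout -ReportOnly   # review the drift first
# Set-ServiceLayout             # then apply it
```

Because the desired state lives in one hashtable, the same script doubles as a periodic drift check: a service someone started by hand on the WFE (for example Central Administration or Search) shows up in the report before it is silently left running there.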