Least Privilege Service Account Model for SharePoint 2013

The Below user accounts are based on the Least Privilege Account Model.

     Naming Format: svc_p_<FarmName>_<serviceName>

Generally _p_ indicates production, _d_ indicates development, _u_ indicates UAT.

SL. NO	Account Name	Description	Local Permissions	Account Type
SQL Server Accounts
1	SQL_Admin_<SQL ServerName>	Setup Account: The account which is used to Install the Software.	Box\Machine Admin,	Domain Account
2	SQL_Service_<SQL ServerName>	Service Account: The account which is used to run the Services.	N.A/ Login as Service & log in as Batch	Domain Account
SharePoint Accounts
3	Svc_p_<Farm Name>_adm	Setup Account: The account which is used to Install the Software.	Box\ Machine Admin & “Database Creator” & “Security Admin” roles on SQL Box	Domain Account
4	Svc_p_<Farm Name>_wApp	Web Application Pool Account: Service account for configuring the Web Application App pools	Login as Service & log in as Batch	Domain Account
5	Svc_p_<Farm Name>_sApp	Service Application Pool Account: Service account for configuring the Service Application App pools	Login as Service & log in as Batch	Domain Account
6	Svc_p_<Farm Name>_mApp	My Site Host Web Application Pool Account: Service account for configuring the Web Application App pool of my sites host	Login as Service & log in as Batch	Domain Account
7	Svc_p_<Farm Name>_Farm	Farm Account: Central Administration Application pool Account	Login as Service & log in as Batch	Domain Account
8	Svc_p_<Farm Name>_ca	Content Access Account: Account used for Crawling the content in the farm.	Login as Service & log in as Batch	Domain Account
9	Svc_p_<Farm Name>_UP	Profile Import Account:	“Replicate Directory Changes” permission on Domain. Login as Service & log in as Batch	Domain Account
10	Svc_p_<Farm Name>_WF	Workflow Run As Account	Login as Service & log in as Batch	Domain Account
11	Grp_p_<Farm Name>_WF	Farm Workflow Group		Domain Group

SharePoint 2013 Service Configuration in a medium 3 Tier Server Farm

The below table shows what services needs to be Started in a traditional 3Tier Server Farm which consists of a WFE, Application Server(Search, Timer, UserProfiles, CentralAdmin etc.) and a Database Server.

Service Name	Web Frontend Server	Application Server
Access Database Service 2010	Stopped	Stopped
Access Services	Stopped	Started
App Management Service	Stopped	Started
Business Data Connectivity Service	Stopped	Started
Central Administration	Stopped	Started
Claims to Windows Token Service	Started	Started
Distributed Cache	Started	Started
Document Conversions Launcher Service	Stopped	Started
Document Conversions Load Balancer Service	Stopped	Started
Excel Calculation Services	Stopped	Started
Lotus Notes Connector	Stopped	Started
Machine Translation Service	Stopped	Stopped
Managed Metadata Web Service	Stopped	Started
Microsoft SharePoint Foundation Incoming E-Mail	Started	Stopped
Microsoft SharePoint Foundation Sandboxed Code Service	Started	Stopped
Microsoft SharePoint Foundation Subscription Settings Service	Stopped	Stopped
Microsoft SharePoint Foundation Web Application	Started	Stopped
Microsoft SharePoint Foundation Workflow Timer Service	Started	Stopped
PerformancePoint Service	Stopped	Started
PowerPoint Conversion Service	Stopped	Started
Request Management	Started	Stopped
Search Host Controller Service	Stopped	Started
Search Query and Site Settings Service	Stopped	Started
Secure Store Service	Stopped	Started
SharePoint Server Search	Stopped	Started
User Profile Service	Stopped	Started
User Profile Synchronization Service	Stopped	Started
Visio Graphics Service	Started	Started
Word Automation Services	Started	Started
Work Management Service	Stopped	Started

The Database server will host just the Databases and none of the above listed services will have any instances on the database server.