Updates from: 09/12/2023 03:44:23
| Service | Microsoft Docs article | Related commit history on GitHub |
| --- | --- | --- |
| SharePoint | Plan For Least Privileged Administration | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointServer/security-for-sharepoint-server/plan-for-least-privileged-administration.md |

Change details:
-
+
+ Title: "Plan for least-privileged administration in SharePoint Server"
- IT_Sharepoint_Server_Top ms.assetid: ef4c6a39-24f8-469e-9b14-0abfadaa6c8b description: "Learn about how to use least-privileged administration to configure and maintain a SharePoint Server farm and enhance security."+ # Plan for least-privileged administration in SharePoint Server [!INCLUDE[appliesto-2013-2016-2019-SUB-xxx-md](../includes/appliesto-2013-2016-2019-SUB-xxx-md.md)]
-The concept of least-privileged administration is to assign users the minimum permissions that are required for users to complete authorized tasks. The goal of least-privileged administration is to configure and help maintain secure control of an environment. The result is that each account under which a service runs is granted access to only the resources that are absolutely necessary.
+The concept of least-privileged administration is to assign users the minimum permissions that are required for users to complete authorized tasks. The goal of least-privileged administration is to configure and help maintain secure control of an environment. The result is that each account under which a service runs is granted access to only the resources that are necessary.
-We recommend that you deploy SharePoint Server with least-privileged administration even though implementing least-privileged administration can result in increased operational costs because additional resources might be required to maintain this level of administration. Moreover, the ability to troubleshoot security problems can also be made more complex.
+Microsoft recommends deploying SharePoint Server with least-privileged administration. Implementing least-privileged administration can result in increased operational costs as other resources might be required to maintain this level of administration. Moreover, the ability to troubleshoot security problems become more complex.
## Introduction <a name="Introduction"> </a>
-Organizations implement least-privileged administration to achieve better security than would be typically recommended. Only a small percentage of organizations require this heightened level of security because of the resource costs of maintaining least-privileged administration. Some deployments that might require this heightened level of security include governmental agencies, security organizations, and organizations in the financial services industry. The implementation of a least-privileged environment should not be confused with best practices. In a least-privileged environment, administrators implement best practices together with additional heightened levels of security.
+Organizations implement least-privileged administration to achieve better security than would be typically recommended. Only a small percentage of organizations requires this heightened level of security because of the resource costs of maintaining least-privileged administration. Some deployments that might require this heightened level of security include governmental agencies, security organizations, and organizations in the financial services industry. The implementation of a least-privileged environment shouldn't be confused with best practices. In a least-privileged environment, administrators implement best practices together with other heightened levels of security.
## Least-privileged environment for accounts and services <a name="AcctServices"> </a>
-To plan for least-privileged administration, you must consider several accounts, roles, and services. Some apply to SQL Server and some apply to SharePoint Server. As administrators lock down additional accounts and services, daily operational costs are likely to increase.
+To plan for least-privileged administration, you must consider several accounts, roles, and services. Some apply to SQL Server and some apply to SharePoint Server. As administrators lock down other accounts and services, daily operational costs are likely to increase.
### SQL Server roles <a name="SQLRoles"> </a>
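Review bot: the added front-matter line `+ Title: "Plan for least-privileged administration in SharePoint Server"` uses a capitalized key, while the other keys in this block (`ms.assetid`, `description`) are lowercase; YAML keys are case-sensitive, so this should be `title:`. In the rewritten recommendation paragraph, `the ability to troubleshoot security problems become more complex` needs `becomes`, and swapping `additional resources` for `other resources` loses the point that extra resources are required; `more resources might be required` keeps it. The same `additional` to `other` replacement in the Introduction (`together with other heightened levels of security`) and in `As administrators lock down other accounts and services` reads as if a different set of accounts were meant rather than further ones, and `Only a small percentage of organizations requires` should stay `require` (the verb agrees with `organizations`).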
In a SharePoint Server environment, several accounts may be granted the followin
- **Dbcreator** - Members of the dbcreator fixed server role can create, alter, drop, and restore any database. -- **Securityadmin** - Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins.
+- **Securityadmin** - Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins.
> [!NOTE]
-> The ability to grant access to the database engine and to configure user permissions allows the securityadmin to assign most server permissions. You should treat the securityadmin role as equal to the sysadmin role.
+> The ability to grant access to the database engine and to configure user permissions allows the securityadmin to assign most server permissions. You should treat the securityadmin role as equal to the sysadmin role.
-For additional information about SQL Server server-level roles, see [Server Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles).
+For more information about SQL Server server-level roles, see [Server Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles).
If you remove one or more of these SQL Server roles, you might receive "Unexpected" error messages in the Central Administration web site. In addition, you may receive the following message in the Unified Logging Service (ULS) log file:
The following list provides information about locking down other SharePoint Serv
- **SharePoint_Shell_Access role**
- When you remove this SQL Server role, you remove the ability to write entries to the configuration and content database and the ability to perform any tasks by using Microsoft PowerShell. For additional information about this role, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/add-spshelladmin?view=sharepoint-ps&preserve-view=true).
+ When you remove this SQL Server role, you remove the ability to write entries to the configuration and content database and the ability to perform any tasks by using Microsoft PowerShell. For more information about this role, see [Add-SPShellAdmin](/powershell/module/sharepoint-server/add-spshelladmin?view=sharepoint-ps&preserve-view=true).
- **SharePoint Timer service (SPTimerV4)**
- We recommend that you do not limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password is not widely known, and leave the service running. By default, this service is installed when you install SharePoint Server and maintains configuration cache information. If you set the service type to disabled you may experience the following behavior:
+ We recommend that you don't limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password isn't widely known, and leave the service running. By default, this service is installed when you install SharePoint Server and maintains configuration cache information. If you set the service type to disabled, you may experience the following behavior:
- Timer jobs won't run
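Review bot: the guidance `use a secure user account, for which the password isn't widely known` is vague for a least-privilege page and is repeated word for word in this hunk, in the SPAdminV4 hunk below, and in the Synchronization account bullet; consider stating it once in actionable terms (a dedicated service account whose password is not shared among administrators) and referring back to it. Also, in the SharePoint_Shell_Access bullet, `write entries to the configuration and content database` should be `databases`, since both are named.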
The following list provides information about locking down other SharePoint Serv
- **SharePoint Administration service (SPAdminV4)**
- This service performs automated changes that require local administrator permission on the server. When the service is not running, you must manually process server-level administrative changes. We recommend that you do not limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password is not widely known, and leave the service running. If you set the service type to disabled, you may experience the following behavior:
+ This service performs automated changes that require local administrator permission on the server. When the service isn't running, you must manually process server-level administrative changes. We recommend that you don't limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password isn't widely known, and leave the service running. If you set the service type to disabled, you may experience the following behavior:
- Administrative timer jobs won't run
The following list provides information about locking down other SharePoint Serv
- **SPUserCodeV4 Service**
- This service lets a site collection administrator upload sandboxed solutions to the Solutions gallery. If you are not using sandboxed solutions, you can disable this service.
+ This service lets a site collection administrator upload sandboxed solution to the Solutions gallery. If you are not using sandboxed solutions, you can disable this service.
- **Claims To Windows Token service (C2WTS)**
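Review bot: the edit drops the plural in `upload sandboxed solution to the Solutions gallery`; it should remain `sandboxed solutions`. For consistency with the rest of this change, which contracts negatives, `If you are not using sandboxed solutions` should become `If you aren't using sandboxed solutions`.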
The following features may experience additional symptoms under certain circumst
- **Upgrade**
- The upgrade process starts correctly, but then fails if you do not have suitable permissions to databases. If your organization is already in a least-privileged environment, the workaround is to move to a best practices environment to complete the upgrade, and then move back to a least-privileged environment.
+ The upgrade process starts correctly, but then fails if you don't have suitable permissions to databases. If your organization is already in a least-privileged environment, the workaround is to move to a best practices environment to complete the upgrade, and then move back to a least-privileged environment.
- **Update**
- The ability to apply a software update to a farm will succeed for the schema of the configuration database, but fail on the content database and services.
+ The ability to apply a software update to a farm succeeds for the schema of the configuration database, but fail on the content database and services.
### Additional things to consider for a least-privileged environment <a name="additionalReq"> </a>
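Review bot: the rewritten Update bullet mixes number: `The ability to apply a software update to a farm succeeds ... but fail on the content database and services`. Either change `fail` to `fails` or, better, drop the `The ability to` construction: `Applying a software update to a farm succeeds for the schema of the configuration database but fails on the content database and services.`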
The following features may experience additional symptoms under certain circumst
In addition to the previous considerations, you might have to consider more operations. The following list is incomplete. Selectively use the items at your own discretion: - **Setup user account** - This account is used to set up each server in a farm. The account must be a member of the Administrators group on each server in the SharePoint Server farm. For additional information about this account, see [Initial deployment administrative and service accounts in SharePoint Server](../install/initial-deployment-administrative-and-service-accounts-in-sharepoint-server.md).
-
-- **Synchronization account** - For SharePoint Server Server, this account is used to connect to the directory service. We recommend that you do not limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password is not widely known, and leave the service running. This account also requires Replicate Directory Changes permission on AD DS which enables the account to read AD DS objects and to discover AD DS objects that were changed in the domain. The Grant Replicate Directory Changes permission does not enable an account to create, change or delete AD DS objects. +
+ When you build a new SharePoint farm and the based build has October 2022 CU or a new slipstreamed into the build process, you're using the least privileged security model. After completing the *psconfig* on the first server in the farm, prior to running the Farm configuration wizard or provisioning other components, the following commands must be executed to ensure access to the SharePoint Databases:
+ ```powershell
+ Get-SPDatabase | %{$_.GrantOwnerAccessToDatabaseAccount()}
+ ```
+
+- **Synchronization account** - For SharePoint Server, this account is used to connect to the directory service. We recommend that you don't limit the default permissions granted to the account under which this service runs and that you never disable this account. Instead, use a secure user account, for which the password isn't widely known, and leave the service running. This account also requires Replicate Directory Changes permission on AD DS, which enables the account to read AD DS objects and to discover AD DS objects that were changed in the domain. The Grant Replicate Directory Changes permission doesn't enable an account to create, change or delete AD DS objects.
- **My Site host application pool account** - This is the account under which the My Site application pool runs. To configure this account, you must be a member of the Farm Administrators group. You can limit privileges to this account. -- **Built-in user group** - Removing the built-in user security group or changing the permissions may have unanticipated consequences. We recommend that you do not limit privileges to any built-in accounts or groups.
+- **Built-in user group** - Removing the built-in user security group or changing the permissions may have unanticipated consequences. We recommend that you don't limit privileges to any built-in accounts or groups.
- **Group permissions** - By default the **WSS_ADMIN_WPG** SharePoint group has read and write access to local resources. The following **WSS_ADMIN_WPG** file system locations, _%WINDIR%\System32\drivers\etc\Hosts_ and _%WINDIR%\Tasks_ are needed for SharePoint Server to work correctly. If other services or applications are running on a server, you might consider how they access the Tasks or Hosts folder locations. For additional information about account settings for SharePoint Server, see [Account permissions and security settings in SharePoint Server 2016](../install/account-permissions-and-security-settings-in-sharepoint-server-2016.md).
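Review bot: the new paragraph under the Setup user account bullet is garbled: `the based build has October 2022 CU or a new slipstreamed into the build process` should read something like `the base build includes the October 2022 CU or a newer one slipstreamed into the build process`, and `the following commands must be executed` refers to a single command. The paragraph should also say which account runs the command and where (the setup user account in the SharePoint Management Shell is implied by its placement right after *psconfig*, but it is not stated), and, since this is a least-privilege page, what `GrantOwnerAccessToDatabaseAccount()` grants on each database returned by `Get-SPDatabase`, so readers know which permission they are handing out. In the code block, spell out `ForEach-Object` instead of the `%` alias, as the rest of the docs do. Finally, the Synchronization account bullet still says `Replicate Directory Changes permission on AD DS` and then `The Grant Replicate Directory Changes permission`; use one name for the permission in both sentences.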