SharePoint service accounts must be configured for separation of duties.

From MS SharePoint 2010 Security Technical Implementation Guide

Part of SRG-APP-000062-COL-000046

Associated with: CCI-002220

SV-38296r2_rule SharePoint service accounts must be configured for separation of duties.

Vulnerability discussion

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action.

SharePoint service accounts must be configured for separation of duties, particularly the farm services account, which should not be used to manage other services. The required service accounts must be created in AD (default Users group member only). These AD accounts are applied when installing and configuring SharePoint services. If the default Farm Services Account is used for all services during initial configuration, this must be changed when each service is configured. Using one account for every service violates the principle of least privilege, since not all services have equal trust levels. Some services (e.g., Excel Service or Search Service) may be configured to interact with outside resources. Microsoft recommends separate accounts for each service, with the minimum required privileges for each service account.

When each service is installed, a service account is requested by the application. Ensure one service account is not used for all services. Either use separate accounts for all services or group the services based on trust and access privileges. Each account will be a member of the default user domain group in AD. The exact services installed on each farm may vary.

Check content

1. In SharePoint Central Administration, click Security.
2. On the Security page, in the General Security list, click Configure service accounts.
3. On the Service Accounts page, in the Credential Management section, select each service installed, and view the service account entry.
4. Verify each service is managed by a separate account or accounts are assigned based on common access permissions or trust levels.
5. If each service does not operate using a unique account or accounts are not assigned based on common access permissions or trust levels, this is a finding.

Fix text

1. In SharePoint Central Administration, click Security.
2. On the Security page, in the General Security list, click Configure service accounts.
3. On the Service Accounts page, in the Credential Management section, select each service installed, and configure the service account field by selecting the appropriate AD account from the drop-down menu.
4. Create separate accounts for each service (or assign accounts based on common access permissions or trust levels).
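The same check can be scripted from the SharePoint 2010 Management Shell so that a farm can be audited without clicking through Central Administration. This is an added example, not part of the STIG text; it assumes the standard SharePoint snap-in cmdlets (Get-SPFarm, Get-SPServiceApplicationPool, Get-SPWebApplication) and farm administrator rights, and treats any service application pool running as the farm account as a finding, while accounts shared by several pools are reported for review against the "common trust level" allowance.

```powershell
# Added example: inventory which AD account each SharePoint 2010 service
# application pool and web application pool runs as, then flag (a) service
# application pools running as the farm account and (b) accounts shared by
# more than one pool. Assumes the SharePoint 2010 Management Shell on a farm
# server (PowerShell 2.0 compatible syntax is used on purpose).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The farm (default service) account, e.g. DOMAIN\sp_farm.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Username

# Collect (Service, Account) pairs from every service application pool and
# every content web application pool (Central Administration is excluded,
# since it runs as the farm account by design).
$usage = @()
foreach ($pool in Get-SPServiceApplicationPool) {
    $usage += New-Object PSObject -Property @{
        Service = "SvcAppPool: $($pool.Name)"
        Account = $pool.ProcessAccountName
    }
}
foreach ($web in Get-SPWebApplication) {
    $usage += New-Object PSObject -Property @{
        Service = "WebAppPool: $($web.ApplicationPool.Name)"
        Account = $web.ApplicationPool.Username
    }
}

# Evaluate each account against the rule.
$findings = @()
foreach ($group in ($usage | Group-Object -Property Account)) {
    $services = ($group.Group | ForEach-Object { $_.Service }) -join ', '
    $runsServiceApps = $group.Group | Where-Object { $_.Service -like 'SvcAppPool:*' }
    if (($group.Name -eq $farmAccount) -and $runsServiceApps) {
        # Farm account managing other services: direct finding under this rule.
        $findings += "FINDING: farm account $($group.Name) runs: $services"
    } elseif ($group.Count -gt 1) {
        # Shared account: acceptable only if the services share a trust level.
        $findings += "REVIEW: $($group.Name) is shared by $($group.Count) pools ($services)"
    }
}

# Report the full inventory, then the findings.
$usage | Sort-Object Account | Format-Table Account, Service -AutoSize
if ($findings.Count -gt 0) { $findings } else { "No farm-account or shared service pools found." }
```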
