Absolute SharePoint Blog by Vlad Catrinescu

SharePoint 2013 Service Accounts Best Practices Explained

You are here: Home / Blog / SharePoint 2013 Service Accounts Best Practices Explained
January 7, 2013
Categories: Guides, SharePoint2013

Several weeks ago I did a post about SharePoint 2013 Service accounts Best practices titled : SharePoint 2013 Service Accounts Best Practices! Is there a golden solution for all farms?.  The post talked about how important Service Accounts were in the installation of SharePoint 2013 because if they are not set up correctly  they can open big security holes in your organization or give you problems down the road.

The article also suggested that you cannot have only one set of Service accounts for every scenario, since not all  scenarios require the same security (ex: a development  environment does not require same security as the production one). So, I suggested three sets of service accounts for different deployment scenarios of SharePoint 2013, however I got some feedback that my choices and the accounts weren’t explained in detail.

This post will go over all the three sets of service accounts, explaining the difference between the sets and also what every account does!

NOTE: This sets only cover the basic installation and configuration of SharePoint 2013 and SQL.  Other Service accounts will be needed for some Service Applications (Ex: Excel, Visio, Performance Point, etc)

Low Security Option

Summary

The Low security option is of course the one with the least accounts possible to install SharePoint in a proper manner. It uses only 1 SQL account that will be the SQL administrator and also run the services, and 5 SharePoint accounts: The Farm Administrator, the Web Application pool account, the SharePoint Service Application Pool account  the Crawl account and the User Profile Synchronization account. More details under each section

For the SQL Server

Name Description Local Rights Domain Rights
SQL_Admin The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT. SQL Admin on the SQL Server Local Administrator on the SQL Server Domain User

Explanation

As Stated previously, in the Low Security Option, we only use one Service Account for our SQL Server.  This account needs to be a Local Administrator on the SQL server in order to be able to install SQL. We will also run the SQL AGENT and the Database Engine services with this account.  This the account that will have the full power on your SQL server and you will use it to grant rights to your SP_Farm(more details to follow)

For the SharePoint Server

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:
-Setup
-SharePoint Products Configuration Wizard
-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs

Explanation

The Low Security Option uses the minimum amount of accounts while also keeping a level of security.  Here is the account breakdown:  
SP_Farm is your main SharePoint account in this configuration. It needs to have Local Administrator rights to be able to install SharePoint Server and also the Securityadmin and DBcreator roles on the SQL Server to create the configuration and other databases.  This account will be your main Farm Administrator and also run the Timer Service and the web application for Central Administration use to access the SharePoint content database
SP_Pool  is a domain account used for application pool identity.. ex: When you create a Web Application, and you create a pool for it, you select this account!

SP_Services is a domain account used for the Service Applications Pools.  ex: When you create a Managed Metadata Service application and create a pool for it, you select this account!

SP_Crawl is used within the Search Service Application  to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications. It will also run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights, however you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization

Medium Security Option (Sweet Spot)

Summary

The Medium Security option is the Sweet Spot of a SharePoint installation. It uses slightly more accounts than the Low Security Option however it provides a huge security improvement. By giving less rights to each account you limit the possible damage in case an account gets hacked  and also follow Microsoft’s recommendation of installing SharePoint 2013 with  least-privilege administration. More details on the changes under every section!

For the SQL Server

Name Description Local Rights Domain Rights
SQL_Admin SQL Admin on the SQL Server. Used to Install the SQL Server. Local Administrator on the SQL Server Domain User
SQL_Services It is the service account for the following SQL Server services: MSSQLSERVER SQLSERVERAGENT. None Domain User

Explanation

The difference between the Low Security and the Medium Security option for the SQL is that we now use two different accounts :The SQL_Admin and the SQL_Services. The big security improvement is that the account running the Agent and Database Engine services is not a local administrator anymore. Here is the account breakdown:
SQL_Admin: This will be your main SQL Administrator!. It needs Local Administrator rights in order to install the SQL server. 
SQL_Services: This account does not have any local rights, it is only used to run the SQL Agent and Database Engine windows services.

For the SharePoint Server

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:
-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Admin The server farm account is used to perform the following tasks:
-Setup
-SharePoint Products Configuration Wizard
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_Search Service Account to run the SharePoint Search “Windows Service” None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs

Explanation

In the Medium Security option we increase the security by adding two new accounts: The SP_Admin and the SP_Search. Instead of giving all the Farm Administration power to the SP_Farm account, the SP_Admin will be the one that installs and configures SharePoint 2013 and have the local administrator rights, while the SP_Farm will only run the services and connect to the database. Furthermore, instead of letting the SP_Crawl account run both the Windows Service and have FULL-READ rights on all the web applications, the SP_Search will now run the Windows Service. Here is the breakdown of the accounts:

SP_Farm is a domain account that the SharePoint Timer service and the web application for Central Administration use to access the SharePoint content database. This account does not need to be a local administrator. The SharePoint configuration wizard grants the proper minimal privilege in the back-end SQL Server database.The minimum SQL Server privilege configuration is membership in the roles securityadmin and dbcreator.

SP_admin is a domain account you use to install and configure the farm. It is the account used to run the SharePoint Configuration Wizard  for SharePoint 2013.The SPAdmin account is the only account that requires local Administrator rights. To configure the SPAdmin account in a minimum privilege scenario, it should be a member of the roles securityadmin and dbcreator on the SQL server.

SP_Pool  is a domain account used for application pool identity.. ex: When you create a Web Application, and you create a pool for it, you select this account!

SP_Services is a domain account used for the Service Applications Pools.  ex: When you create a Managed Metadata Service application and create a pool for it, you select this account!

SP_Crawl is used within the Search Service Application  to crawl content. The Search Service Application will automatically grant this account read access on all Web Applications.

SP_Search Is used to run the SharePoint Windows Search Service.

SP_UserProfiles is the account used for the User Profile Synchronization between your Service Application and your Active Directory. This account does not need any local rights, however you need to give it Replicate Directory Changes rights on the Active Directory in order to allow the synchronization.

High Security Option

Summary

The High Security Option is the ones that provides the best security and of course the most Service Accounts. This only ads a small amount of extra security to the farm, however that extra security might be needed in some scenarios

For the SQL Server

Name Description Local Rights Domain Rights
SQL_Admin SQL Admin on the SQL Server. Used to Install the SQL Server. Local Administrator on the SQL Server Domain User
SQL_AGENT It is the service account for the following SQL Server services: SQL SERVER AGENT. None Domain User
SQL_ENGINE It is the service account for the following SQL Server services: Database Engine. None Domain User

Explanation

The difference between the Medium Security and High Security Option is that we now have a separate account for each of the two base services: SQL_Agent and Database Engine.  Nothing changes for the SQL_Admin

SQL_Admin: This will be your main SQL Administrator!. It needs Local Administrator rights in order to install the SQL server. 
SQL_Agent: This account does not have any local rights, it is only used to run the SQL Agent Windows Service

SQL_Engine: This account does not have any local rights, it is only used to run the Database Engine windows service.

For the SharePoint Server

Name Description Local Rights Domain Rights
SP_Farm The server farm account is used to perform the following tasks:
-Configure and manage the server farm.
-Act as the application pool identity for the SharePoint Central Administration Web site.
-Run the Microsoft SharePoint Foundation Workflow Timer Service.
SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Admin The server farm account is used to perform the following tasks:
-Setup
-SharePoint Products Configuration Wizard
Local Administrator on all the SharePoint Servers. SecurityAdmin and DB_Creator rights on the SQL Instance Domain User
SP_Pool The Pool account is used to run the Web Application Pools None Domain User
SP_Services The Services Account is used to run the Service Application Pool None Domain User
SP_Crawl The Default Content Access Account for the Search Service Application None Domain User
SP_Search Service Account to run the SharePoint Search “Windows Service” None Domain User
Sp_MySitePool Used for the My Sites Web Application None Domain User
SP_UserProfiles The User Profile Synchronization Account None Replicate Directory Changes permission on the domain. Guide: http://bit.ly/TSE7xs

Explanation

The only difference between the Medium security and the High Security option is that we now have a separate account for the Web Application Pool hosting the ‘My Sites’  since it has a different security policy than the other Web Applications .  I will only give the details for the new account in the breakdown:

SP_MySitePool  is a domain account used for the My Sites Web Application Pool Identity. It’s very similar to the SP_Pool, however it is only used for the My Sites Web Application.

Sources

http://technet.microsoft.com/en-us/library/cc678863.aspx

Download

You can download all the information here in PDF format on my SkyDrive here: http://sdrv.ms/U6hvuU

I think that this post gives all the information necessary for SharePoint 2013 Service Accounts for the years to come, and don’t forget that this post only covers the basic Service Accounts needed for SharePoint 2013 and that other Service Accounts will be needed for some Service Application (ex: Excel Unattended Service, Visio, etc )

If you have any questions or comments please do not hesitate to post a comment, because your opinions will only make this post better!


 Leave  a comment and don’t forget to like us on Facebook here and to follow me on Google+ here and on Twitter here  for the latest news and technical articles on SharePoint.  Also, don’t forget to check the SharePoint Community Partners list for other great SharePoint Sites, and vote for my blog if you like my content!

 
Comments
Sean O’Leary
January 11, 2013 at 8:26 pm

Security is a huge thing to consider in your SharePoint environment. It’s necessary that each user have the proper amount of access. Too much or too little can cause frustration, headaches, and errors.

Reply
Derek Wildstar
March 1, 2013 at 3:55 pm

In Medium and High Security options, SP_Farm does not have local Admin permissions, yet runs the SP Timer service. If not a local Admin, what permissions does it need to run SP Timer service?

Reply
Vlad Catrinescu
March 1, 2013 at 7:10 pm

Hi Derek,

That is a very good question a lot of people don’t know the answer!. The SP_Farm account does not need Local Administrator Permissions to run the Sp Timer service. When you set it up as the “database connection account” he gets all the rights he needs. It is further documented here: http://technet.microsoft.com/en-ca/library/ee662513.aspx You can see that the Setup User Account is a member of the Local Administrator Group, but not the Farm Account.

If you have any other questions, don’t hesitate!

Reply
Vlad Catrinescu
March 1, 2013 at 7:50 pm

However, I will have to add that it’s strongly recommended to add the sp_farm account in local admins during UPS provisioning!

Reply
Stephen
March 7, 2013 at 9:48 am

Hi Vlad, great post thanks. I’m having an odd issue though. I have the SP_Admin account as a member of the admin group on all servers which is fine, I access CA with the SP_Farm account and all is good until i try to look at the services on server section of CA in which case i get permission denied error. The only way i can view these sections as SP_Farm is if i add that account as a member of the admin group ONLY on the server that CA is installed.

This doesn’t seems like normal behavior, have you seen this before?

Reply
Vlad Catrinescu
March 12, 2013 at 12:52 am

Hi, no this is not really normal!. I did some tests but it worked, however I will do more tests these days. Hopefully I can replicate it

Reply
Vlad Catrinescu
March 12, 2013 at 12:54 am

Have an idea!, how to you get to the central administration? do you go trough the Central Admin shortcut, or trough IE directly? You might have this problem because if your Internet Explorer is not “run as admin”

Reply
Stephen
March 13, 2013 at 12:21 pm

Hey Vlad, thanks for getting back to me. I access CA through a host header on my own machine to the server. I’m using chrome at the moment too, I’ve tried in IE but I get the same results if the Farm account is not in the local administrator group. For some reason though I can’t login into CA on the server using the farm account, i have to login using the Admin account if the farm account is not in the local admin group.

Reply
SharePoint Perth
March 8, 2013 at 10:27 am

Well Written Post..Thanks for sharing..!!

Reply
Vlad Catrinescu
March 12, 2013 at 12:53 am

Thanks! I am glad you liked it!

Reply
Francis Navarro
March 16, 2013 at 11:12 am

There are mainly two accounts available that is administrative and service accounts on servers running SharePoint 2013 and SQL Server which used to to modify and maintain the environment.

Reply
Suresh Pydi
March 20, 2013 at 5:39 pm

This comment has been removed by a blog administrator.

Reply
Kaigh Taylor
March 20, 2013 at 11:33 pm

If I have a sharepoint.config db how do I add the SP_Service to the following SQL Server services: MSSQLSERVER SQLSERVERAGENT. If I didn’t set it up that way initially?

Reply
Remco
March 28, 2013 at 12:16 pm

Thanks, but i just read a whitepaper about SQL Server 2012 Security best practices from Microsoft and they say Best Practices for SQL Server service accounts: On Windows 2008 R2 use managed Services Service accounts and virtual server accounts. Virtual accounts are default during installation and i think there is not a reason to not use them. They are even able to access the network, at least the Virtual account can. You don’t have to create them yourself, they don’t have a manageable/abusive-able password so to me that seems a win-win. Although i really appreciate your posting because I am a new to Sharepoint and SQL. Could someone please tell me if i am right ?

Reply
Ian Addis
April 4, 2013 at 9:18 am

Please can you expand your very useful article to include recommendations for the following service accounts:
* Windows Service – Claims to Windows Token Service
* Windows Service – Distributed Cache
* Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service
* Service Application Pool – Security Token Service Application Pool
* Service Application Pool – SharePoint Web Services System

I’ve found no instructions on the net to explain what credentials they should use. Some say not C2WTS MUST run as Local System, yet SharePoint complains if you do so. MS article explains that Distributed Cache runs as the farm account, yet SharePoint complains if it does!

Reply
Vlad Catrinescu
April 30, 2013 at 2:19 pm

Claims to Windows Token Service > SP_Services or Dedicated account for it.
Distributed Cache > Sp_Services
Microsoft SharePoint Foundation Sandboxed Code Service > SP_Farm
Security Token Service Application Pool> Sp_Farm
Service Application Pool – SharePoint Web Services System > Sp_Farm

Reply
Sebastian James Harani
April 18, 2013 at 7:34 am

This comment has been removed by a blog administrator.

Reply
jbwdevos
April 26, 2013 at 8:25 am

I have the same question as +Ian Addis. Can you please explain?

Reply
Vlad Catrinescu
April 30, 2013 at 2:18 pm

Claims to Windows Token Service > SP_Services or Dedicated account for it.
Distributed Cache > Sp_Services
Microsoft SharePoint Foundation Sandboxed Code Service > SP_Farm
Security Token Service Application Pool> Sp_Farm
Service Application Pool – SharePoint Web Services System > Sp_Farm

Reply
sharepoint
April 27, 2013 at 3:22 am

Hello Vlad, great blog article. there is one small deteail missing an that is the KERBEROS and claims connection to the service account like the SQL service account and its delegation settings. this piece like its kin in the sharepoint side, is very important to a well configured sharepoint farm.

all in all a great article, thank you for sharing

LCR

Reply
Osama Mosleh Mohamad
April 28, 2013 at 9:47 am

I have the same question as jbwdevos and Ian Addis.

Can You provide us some more explaination?

Reply
Vlad Catrinescu
April 30, 2013 at 2:18 pm

Claims to Windows Token Service > SP_Services or Dedicated account for it.
Distributed Cache > Sp_Services
Microsoft SharePoint Foundation Sandboxed Code Service > SP_Farm
Security Token Service Application Pool> Sp_Farm
Service Application Pool – SharePoint Web Services System > Sp_Farm

Reply
Anonymous
May 2, 2013 at 12:18 pm

Great post and informative article. After reviewing the PowerShell script files, all accounts are created under one OU. Is there a way via the script to separate the SQL Accounts created into a separate OU container from the SP Accounts?

Reply
Vlad Catrinescu
May 2, 2013 at 2:01 pm

That is a good idea, I will try to get a V2 out this weekend. I already had a few changes in mind! I will include this

Reply
Gary Hagan
May 2, 2013 at 1:53 pm

OK, everything makes sense so far. Are all these local computer accounts, or Domain accounts?

Reply
Vlad Catrinescu
May 2, 2013 at 2:01 pm

SharePoint should only be installed in a domain, so they are all domain accounts!

Reply
Chris
May 7, 2013 at 8:14 pm

Great Post. Wish I saw it earlier. I have been trying to figure out why the SharePoint Health Analyzer was complaining about “Accounts used by application pools or service identities are in the local machine Administrators group” now I know. neded up with a medium low security level.

Reply
Leave a Reply


Follow me on Twitter
    Recent Posts
    Archives
    Categories
    Sponsors