SharePoint 2013 Service Accounts Best Practices! Is there a golden solution for all farms?
Service Accounts are a very big part of installing almost every version of SharePoint; however, everyone has a different way of setting them up. And once you install your SharePoint with a set of service accounts, it’s easier to do a clean install than to change them all.
Every SharePoint admin you ask will probably have a different view of how many service accounts you need, how you should name them, and what permissions you need to give each one of them. Depending on the level of security you want to achieve in your SharePoint Farm, you can install everything with only one account (please don’t), or you can make as many as 10 to 15 accounts. Even if all the SharePoint administrators have different views and different ways, it doesn’t mean one of them is wrong and one of them has the golden solution for every SharePoint farm.
To get to the subject, which is Service Accounts for the newly released version of SharePoint, SharePoint 2013, I recently read an article on TechNet that suggests a set of “best practices” service accounts. I read the accounts and the permissions multiple times, and although they weren’t wrong, I didn’t think it was right. You can read the original article here; however, I will do a little summary. Here are the proposed accounts:
- SQL_Service, for the SQL Server service.
- SQL_Admin, for the SQL Server administrator.
- SP_Admin, for the SharePoint administrator and setup user.
- SP_Farm, for the SharePoint farm service.
- SP_WebApps, for the user-facing web application app pool.
- SP_ServiceApps, for the service application app pool.
- SP_Crawl, default content access account.
- SP_UserSync, user profile synchronization account.
- SP_EnterpriseAdmin, a powerful account for handling all kinds of high-privilege operations.
- Farm administrators, normal admin user accounts used as SharePoint Farm Administrators.
Here is my opinion on this:
Although this set of service accounts isn’t wrong, I think that it isn’t well balanced. Let me explain:
I think there is a lot of security around the “farm admin” side (SP_Admin, SP_Farm, SP_EnterpriseAdmin, Farm administrators), while some pretty basic separation is missing, for example having one account for the Windows Search service and a different one for the crawl.
Then I asked myself what I would do to make it better. How could we define a real set of service accounts that could fit any scenario, from a small development farm to a huge multi-tier farm? The answer is simple: you can’t! There is no single set of Service Accounts that could be used everywhere, because the security requirements for each scenario are different. But how can we define a set of Service Accounts that keeps a certain standard of security, doesn’t use more service accounts than we actually need, and still respects the requirements of the client?
Some clients and companies will ask you explicitly to install and configure their SharePoint infrastructure according to Best Practices without even knowing what they are!
So this is what I came up with: I made three different sets of Service Accounts that can be used for reference. Each set corresponds to a level of security: Low Security, Medium Security and High Security. As you probably guessed, as you go higher on the security chart, you add more accounts and each of them has fewer privileges on the farm.
I made this PDF (doing tables with Blogger is a real mess) and embedded it into the page (if you can’t see it, scroll to the end of the post, there is a download link). Please read it, and tell me what you think. I am really open to suggestions and want to hear your opinions on this delicate matter.
If you don’t see the document, or want to download it, you can get it from my SkyDrive here: Download
Please leave a comment to let me know what you think about this.