Check: SHPT-00-000191
Sharepoint 2010 SRG:
SHPT-00-000191
(in versions v1 r8 through v1 r7)
Title
SharePoint farm service account (Database Access account) must be configured with minimum privileges in Active Directory (AD). (Cat II impact)
Discussion
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. This policy limits the Farm Account privileges in AD. However, default permissions for this account are configured by the SharePoint Products Configuration Wizard during product installation. This account is referred to during the installation as the “Database Access” account. By default, the account is used as the service account for the SharePoint Timer Service and the SharePoint Central Administration Web Site Application Pool. These settings should not be changed. Furthermore, this account should not be used as the service account for non-privileged services, applications, or application pools. See TechNet Article cc678863 for information regarding required permission. The server farm account requires membership in the Domain Users group in Active Directory.
Check Content
Verify the account has least privilege in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab and verify that this account is a member of the Domain Users group only. 4. Mark as a finding if the server farm service account is a member of an Active Directory security groups other than Domain Users.
Fix Text
Ensure the farm service account has minimum permissions in Active Directory. 1. Navigate to Active Directory Users and Computers -> Users. 2. Double click on the account to view the account properties. 3. Select the Members of tab to view group membership for this account. 4. Remove this account from membership in groups other than Domain Users.
Additional Identifiers
Rule ID:
Vulnerability ID: V-29306
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 |
Least Privilege |