
SharePoint service accounts must be configured for separation of duties.


Overview

Finding ID: V-29398
Version: SHPT-00-000199
Rule ID: SV-38296r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system, including the operating system and applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. SharePoint service accounts must be configured for separation of duties, particularly the farm services account, which must not be used to manage other services.

The required service accounts must be created in AD as members of the default users group only. These AD accounts are applied when installing and configuring SharePoint services. If the default Farm Services Account is used for all services during initial configuration, this must be changed when each service is configured. Using one account for everything violates the principle of least privilege, since not all services have equal trust levels: some services (e.g., Excel Service or Search Service) may be configured to interact with outside resources. Microsoft recommends a separate account for each service, with the minimum privileges required for that service.

When each service is installed, a service account is requested by the application. Ensure one service account is not used for all services: either use separate accounts for all services, or group the services based on trust and access privileges. Each account will be a member of the default user domain group in AD. The exact services installed on each farm may vary.
STIG: MS SharePoint 2010 Security Technical Implementation Guide
Date: 2019-01-02

Details

Check Text (C-37711r5_chk)
1. In SharePoint Central Administration, click Security.
2. On the Security page, in the General Security list, click Configure service accounts.
3. On the Service Accounts page, in the Credential Management section, select each service installed, and view the service account entry.
4. Verify each service is managed by a separate account or accounts are assigned based on common access permissions or trust levels.
5. If each service does not operate using a unique account or accounts are not assigned based on common access permissions or trust levels, this is a finding.
Fix Text (F-32958r5_fix)

1. In SharePoint Central Administration, click Security.
2. On the Security page, in the General Security list, click Configure service accounts.
3. On the Service Accounts page, in the Credential Management section, select each service installed, and configure the service account field by selecting the appropriate AD account from the drop-down menu.
4. Create separate accounts for each service (or assign accounts based on common access permissions or trust levels).
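The Check Text and Fix Text above are manual Central Administration procedures. The following PowerShell, added here as an example and not part of the STIG or of any Microsoft-supplied script, performs the same inventory from the SharePoint 2010 Management Shell: it lists the account behind each service application pool, flags the farm account if it also runs a service pool, and flags any account shared by more than one pool so the assessor can confirm those pools really share a trust level. The commented fix step shows how a dedicated AD account is registered as a managed account and assigned to one pool. The pool name and account in the fix step are placeholders; the `DefaultServiceAccount.Name` property path for the farm account is assumed from common usage, and the script uses PowerShell 2.0 syntax because that is what the SharePoint 2010 shell runs.

```powershell
# Added example (not from the STIG): audit SharePoint 2010 service account separation.
# Run in the SharePoint 2010 Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm services account; the STIG says it must not also manage other services.
# Assumption: DefaultServiceAccount.Name yields DOMAIN\account on this farm.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# One record per service application pool: pool name and the identity it runs as.
$pools = Get-SPServiceApplicationPool | ForEach-Object {
    New-Object PSObject -Property @{
        Pool    = $_.Name
        Account = $_.ProcessAccountName
    }
}

"Service application pools and their accounts:"
$pools | Format-Table Pool, Account -AutoSize

# Group pools by account. The farm account running any pool is a finding; an account
# shared by several pools is a finding unless those pools share a trust level.
$findings = @()
foreach ($group in ($pools | Group-Object Account)) {
    $poolNames = ($group.Group | ForEach-Object { $_.Pool }) -join ', '
    if ($group.Name -eq $farmAccount) {
        $findings += "Farm account $($group.Name) runs service pool(s): $poolNames"
    }
    elseif ($group.Count -gt 1) {
        $findings += "Account $($group.Name) is shared by $($group.Count) pools ($poolNames); confirm they share a trust level"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
}
else {
    "No shared or farm-level service accounts found among service application pools."
}

# Fix step (placeholder values): register a dedicated AD account as a managed account
# and move one pool onto it. Replace the pool name and credential with the site's own.
# $cred    = Get-Credential -Message "Dedicated service account, e.g. DOMAIN\svc_sp_search"
# $managed = New-SPManagedAccount -Credential $cred
# Set-SPServiceApplicationPool -Identity "SharePoint Search Application Pool" -Account $managed
```

The script covers service application pools only; Windows services that Central Administration also lists under Configure service accounts (for example the SharePoint Timer service and the Search Windows service) still need to be checked on that page or through their own cmdlets, and any account the script reports as shared is only a finding if the grouped services do not share common access permissions or trust levels, as the check text allows.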