The SharePoint Setup User domain account must be configured with the minimum privileges in SQL server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30365	SHPT-00-000194	SV-40024r1_rule	ECLP-1	Medium

Description
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person tasked with implementing the action. This requirement is intended to limit exposure due to users (or entities acting on behalf of users) being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. See TechNet Article cc678863 for information regarding required permission. The setup user administrator account is used during initial creation of the farm, to update the farm servers, and to configure certain farm configuration option. The setup user administrator account must be assigned to the db_owner, securityadmin, and dbcreator SQL Server security roles.

Description

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person tasked with implementing the action. This requirement is intended to limit exposure due to users (or entities acting on behalf of users) being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. See TechNet Article cc678863 for information regarding required permission. The setup user administrator account is used during initial creation of the farm, to update the farm servers, and to configure certain farm configuration option. The setup user administrator account must be assigned to the db_owner, securityadmin, and dbcreator SQL Server security roles.

STIG	Date
SharePoint 2010 Security Technical Implementation Guide (STIG)	2011-12-20

Details

Check Text ( C-39040r1_chk )
1. Launch the SQL Server Management Console and navigate to Security -> Logins. 2. Select the SharePoint Setup User account. 3. Click on "Server Roles" and verify only db_owner, dbcreator, securityadmin, and public are checked. 4. Mark as a finding if "Server Roles" assigned are not only db_owner, dbcreator, securityadmin, and public.

Fix Text (F-34140r1_fix)
Configure the account on the SQL server. 1. Launch the SQL Server Management Console and navigate to Security -> Logins. 2. Select the SharePoint Setup User account. 3. Click on "Server Roles". 4. Check the db_owner, dbcreator, securityadmin, and public roles. 5. Remove checks from all other roles.