SharePoint farm service account (Database Access account) must be configured with minimum privileges on the SQL server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30368	SHPT-00-000192	SV-40027r1_rule	ECLP-1	Medium

Description
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. The SharePoint farm service account requires dbcreator fixed server role, securityadmin fixed server role, and db_owner for all databases in the server farm. NOTE: Membership in the WSS_CONTENT_APPLICATION_POOLS roles for the SharePoint Server 2010 server farm configuration database and the SharePoint Server 2010 SharePoint_Admin content database is also required for this account. However, excessive application pool membership is checked as a part of the IIS STIG security review.

Description

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. The SharePoint farm service account requires dbcreator fixed server role, securityadmin fixed server role, and db_owner for all databases in the server farm. NOTE: Membership in the WSS_CONTENT_APPLICATION_POOLS roles for the SharePoint Server 2010 server farm configuration database and the SharePoint Server 2010 SharePoint_Admin content database is also required for this account. However, excessive application pool membership is checked as a part of the IIS STIG security review.

STIG	Date
SharePoint 2010 Security Technical Implementation Guide (STIG)	2011-12-20

Details

Check Text ( C-39043r1_chk )
1. Launch the SQL Server Management Console and navigate to Security -> Logins. 2. Select the SharePoint farm service account. 3. Click on Server Roles and verify that only db_owner, dbcreator, securityadmin, and public are checked. 4. Mark as a finding if roles other than db_owner, dbcreator, securityadmin, and public are checked.

Fix Text (F-34144r1_fix)
Configure the account on each SQL server in the farm. 1. Launch the SQL Server Management Console and navigate to Security -> Logins. 2. Select the SharePoint farm service account. 3. Click on Server Roles. 4. Configure the farm service account for the following: dbcreator fixed server role, the securityadmin fixed server role, public, and the db_owner fixed database role. 5. Deselect any other role for this account.

Fix Text (F-34144r1_fix)

Configure the account on each SQL server in the farm.
1. Launch the SQL Server Management Console and navigate to Security -> Logins.
2. Select the SharePoint farm service account.
3. Click on Server Roles.
4. Configure the farm service account for the following: dbcreator fixed server role, the securityadmin fixed server role, public, and the db_owner fixed database role.
5. Deselect any other role for this account.