What are the negatives or problems with using a single account to run your MOSS 2007 farm? I am currently working on a system that does just that and want to present a compelling argument for why one account is troublesome.
One right off the top is that if a user administering stsadm commands enters an incorrect password multiple times, it will lock the account.
Any thoughts/links would be appreciated.
themush
| themush1326 Thursday, August 21, 2008 5:15 PM |
So generally speaking it's a "best practice" to give a process the minimum permissions necessary. This way, if there is any vulnerability in any of the components (MS or 3rd party), the footprint that is exposed is as small as possible. This is likely the core reason behind the MS recommendation of so many different service accounts. The permissions one needs to manage a farm (e.g. Central Administration) or the Shared Services Provider (personal info in profiles) are larger than those of a particular site. If a site is compromised, they aren't going to have permissions to the rest of the farm. Yes, it can be a royal pain to manage all those accounts, which is a demotivating factor for an administrator, but any administrator worth a grain of salt should understand the impacts of being "lazy" when it comes to security :)
On a side note, I would set the service accounts to not allow interactive logon; that way you don't have the possibility of someone fat-fingering a logon and shutting down your SharePoint farm.
Regards,
Josh Carlisle
|
| Josh Carlisle Thursday, August 21, 2008 6:08 PM |
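As an added example (not part of the thread or of any poster's code), the script below audits the points made in the reply above on a single MOSS 2007 server: it inventories which accounts run the SharePoint-related Windows services and the IIS application pools, flags any account that is reused across several roles (the single-account situation the question asks about), and checks whether each account appears in the local "Deny log on locally" right (SeDenyInteractiveLogonRight). It assumes PowerShell 2.0 on Windows Server 2003/2008 run from an elevated prompt; the service-name filter and the IIS 6 WMI namespace (falling back to the IIS 7 WebAdministration module) are assumptions and may need adjusting for your farm.

```powershell
# Added example, not from the forum thread: audit service-account reuse and
# interactive-logon denial on a MOSS 2007 server. Assumes PowerShell 2.0,
# elevated prompt. The service-name regex below is an assumption; extend it
# for any third-party services that run under farm accounts.
$identities = @()

# Windows services: Win32_Service exposes the logon account in StartName.
# Built-in machine identities are skipped; only real user accounts matter here.
Get-WmiObject Win32_Service |
  Where-Object { $_.Name -match '^(SPTimerV3|SPAdmin|SPTrace|SPSearch|OSearch|MSSQL|W3SVC)' -and
                 $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY|NT SERVICE)' } |
  ForEach-Object {
    $identities += New-Object PSObject -Property @{ Role = "Service:$($_.Name)"; Account = $_.StartName }
  }

# IIS application pools (the web application and SSP identities live here).
# IIS 6 exposes them through the MicrosoftIISv2 WMI provider; AppPoolIdentityType 3
# means "specific user". On IIS 7 fall back to the WebAdministration module.
try {
  Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting -ErrorAction Stop |
    Where-Object { $_.AppPoolIdentityType -eq 3 } |
    ForEach-Object {
      $identities += New-Object PSObject -Property @{ Role = "AppPool:$($_.Name)"; Account = $_.WAMUserName }
    }
} catch {
  Import-Module WebAdministration
  Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    ForEach-Object {
      $identities += New-Object PSObject -Property @{ Role = "AppPool:$($_.Name)"; Account = $_.processModel.userName }
    }
}

# Export local security policy and pull the accounts denied interactive logon.
# secedit writes SIDs prefixed with '*' (and sometimes plain names) separated by commas.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf | Out-Null
$denied = @()
$denyLine = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
if ($denyLine) {
  $denied = ($denyLine -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Get-AccountSid($account) {
  # Translate DOMAIN\user (or user@domain) to a SID so it can be matched against secedit output.
  try {
    (New-Object System.Security.Principal.NTAccount($account)).Translate(
      [System.Security.Principal.SecurityIdentifier]).Value
  } catch { $null }
}

# 1. One account carrying several roles is exactly what the thread warns against.
$identities | Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
  $roles = ($_.Group | ForEach-Object { $_.Role }) -join ', '
  Write-Warning ("Account {0} is used for {1} roles: {2}" -f $_.Name, $_.Count, $roles)
}

# 2. Every farm account should be denied interactive logon (Josh's side note).
$identities | Select-Object -ExpandProperty Account -Unique | ForEach-Object {
  $sid = Get-AccountSid $_
  $isDenied = ($denied -contains $_) -or (($sid -ne $null) -and ($denied -contains $sid))
  New-Object PSObject -Property @{ Account = $_; DenyInteractiveLogon = $isDenied }
} | Format-Table -AutoSize
```

Accounts reported with DenyInteractiveLogon set to False can be added to "Deny log on locally" under Local Security Policy (secpol.msc, Local Policies, User Rights Assignment), or through the equivalent Group Policy setting for the farm servers. Note that denying interactive logon does not stop a service or application pool from running as that account; it only prevents someone typing the account's credentials at a console, which is the failure mode the reply above describes.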
| James Waymire - MSFT Friday, August 22, 2008 3:20 PM |
You would still need the account to perform stsadm functions; how would they work if interactive logon is disabled?
|
| themush1326 Thursday, August 21, 2008 8:37 PM |
The Farm Administrators group should be able to do the majority of STSADM actions. Any admin that needs to use STSADM should be a member of this group. For the majority of tasks you probably do not want your admins logging in using the service account.
| James Waymire - MSFT Friday, August 22, 2008 2:45 PM |
Adding to what Josh has pointed out, I would recommend having different accounts for:
- Group for Farm Admins
- Service Account for CA
- Service Account for SSP
- Service Account for Site Collection (probably one for each site collection, depending on how your information architecture is. You may have sites for different business divisions with sensitive data)
- Account for Enterprise Search Crawler
Also, if you are talking about an internet-facing deployment, then this becomes the most sensitive thing, and most probably your IS folks should follow the Server Hardening process.
Sameer Dhoot
http://intellects.in
| Sameer Dhoot Friday, August 22, 2008 3:05 PM |
| James Waymire - MSFT Friday, August 22, 2008 3:20 PM |
Doesn't an account need to be DBO on any stsadm account accessing the DB?
|
| themush1326 Monday, August 25, 2008 1:02 PM |
Yes, the account needs to be a DBO (for the related DBs) if you are doing any operations using stsadm.
It is not required for the account to have dbo as a server role.
Sameer Dhoot
http://intellects.in
| Sameer Dhoot Monday, August 25, 2008 2:08 PM |