
SharePoint 2010 Service Accounts – Do I really need to use more than one account?

Tag: Collaboration — January 26, 2012 @ 2:05 pm
Author: Julie Boudro

I started my career in marketing and transitioned to technology consulting about 7 years ago when SharePoint 2007 beta was released. Since then, I’ve been involved in many SharePoint intranet and internet site design and architecture engagements.

When I am not dabbling in SharePoint I enjoy spending time with my husband and daughter, running, camping, and hanging with close friends and family. I especially enjoy dinner parties. My husband is a fabulous cook!


Organizations diving into SharePoint are presented with the challenge of installation and configuration. One of the first requirements is a set of dedicated accounts in Active Directory under which the various services run. This is a critical component that many organizations overlook.

Why so critical? There are several reasons, ranging from security concerns to health and monitoring. The primary ones are outlined below.

Least Privilege Administration:

This approach grants each account only the permissions it needs for its task. It also keeps accounts with full control out of services that must be security trimmed, such as the SharePoint search crawl account. The crawler only needs read access to the content it indexes; if you reuse the account that installed and configured SharePoint as your crawl account, the crawler runs with far more than read access, and search results may not be security trimmed as intended, possibly exposing content that should be protected.

Health and Monitoring:

Each application pool, and therefore each service application or web application that has its own pool, runs in its own IIS worker process, which appears in Task Manager on the server as w3wp.exe. If every pool runs under the same account, the User Name column shows the same account for every w3wp.exe, and you cannot tell which service is consuming memory without mapping each process ID back to its pool (for example with appcmd list wp).
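A quick check for this, as an added example that is not part of the original post: the PowerShell below maps each running w3wp.exe on the server to its application pool and identity, lists them by memory use, and flags identities that several pools share. It uses only WMI, so it runs on any IIS 7 server without the SharePoint snap-in; the pool-name parsing assumes the worker process was started with the standard -ap "<pool name>" argument that IIS passes.

```powershell
# Added example: audit IIS worker processes by pool, identity and memory.
# Run in an elevated PowerShell session on the SharePoint web/app server.
$procs = Get-WmiObject -Class Win32_Process -Filter "Name = 'w3wp.exe'"

$rows = foreach ($p in $procs) {
    # IIS starts each worker process as:  w3wp.exe -ap "SharePoint - 80" ...
    $pool = '(unknown)'
    if ($p.CommandLine -match '-ap\s+"([^"]+)"') { $pool = $Matches[1] }

    # GetOwner() needs rights on the target process; ReturnValue 0 means success.
    $owner = $p.GetOwner()
    $identity = '(access denied)'
    if ($owner.ReturnValue -eq 0) { $identity = "$($owner.Domain)\$($owner.User)" }

    New-Object PSObject -Property @{
        PID          = $p.ProcessId
        AppPool      = $pool
        Identity     = $identity
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
    }
}

# Who is using the memory, by pool rather than by account.
$rows | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, AppPool, Identity, WorkingSetMB -AutoSize

# Identities that run more than one pool: in Task Manager these w3wp.exe
# entries are indistinguishable by user name.
$rows | Group-Object Identity | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $pools = ($_.Group | ForEach-Object { $_.AppPool }) -join ', '
    Write-Warning ("{0} is the identity of {1} pools: {2}" -f $_.Name, $_.Count, $pools)
}
```

A pool that has not served a request since its last recycle has no w3wp.exe yet, so it will not appear in the list; browse to the site first if you want every pool represented. The script is written for the PowerShell 2.0 that ships with the SharePoint 2010 servers of the time, which is why it builds objects with New-Object rather than newer syntax.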

Application Pool Isolation:

Giving select services and web applications a dedicated application pool lets multiple services run on the same server while each keeps its own worker process and identity. This contains the damage if one pool is compromised by malicious code or a virus: the attacker holds only that pool's account, not the identity of every other site and service on the box. Isolating application pools also helps with performance, because a site or application whose code consumes a lot of memory can be recycled on its own without taking the others down with it.

Password Management:

SharePoint 2010 makes it easier to change service account passwords through Central Administration, using managed accounts. However, you will often want to rotate only one account at a time, for example an account that is used to access SharePoint, such as your site collection administrator account. If a single account runs every service, changing its password affects every service at once, so a routine rotation becomes a farm-wide change.

So, even though SharePoint 2010 does not prevent you from installing and configuring your sites and services with one account, you put your environment at risk by not following these implementation best practices. Be aware that the SharePoint 2010 Health Analyzer will keep reminding you to update your environment to use multiple service accounts. Thankfully, this is easy in SharePoint 2010 and all done through Central Administration: register each account as a managed account under the Security section, then click Configure Service Accounts. You can then choose the service you want to update and the managed account it should run under.
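The same configuration from the SharePoint 2010 Management Shell, as an added example that is not part of the original post: it registers one managed account per role, puts the service applications in their own pool running as the services account, and gives the crawler a read-only account (a Full Read web application policy plus the default content access account setting) as the least privilege section above calls for. The domain, account names and pool name are placeholders; the script assumes it runs on a farm server as a farm administrator, with the accounts already created in Active Directory and a single Search Service Application already provisioned. Changing the identity of an existing content web application's pool is left to the Configure Service Accounts page described above.

```powershell
# Added example: separate managed accounts per role (assumed names, replace them).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$domain = 'CONTOSO'
$roles = @{
    'svc_sp_services' = 'Service application pool identity'
    'svc_sp_search'   = 'Search service identity'
    'svc_sp_crawl'    = 'Default content access (crawl) account'
}

# 1. Register each AD account as a managed account. SharePoint stores the
#    credential once and pushes password changes to every pool that uses it,
#    so each role can be rotated on its own.
foreach ($sam in $roles.Keys) {
    $login = "$domain\$sam"
    if (-not (Get-SPManagedAccount -Identity $login -ErrorAction SilentlyContinue)) {
        $cred = Get-Credential $login   # prompts for the account's current AD password
        New-SPManagedAccount -Credential $cred | Out-Null
    }
}

# 2. One dedicated pool for service applications, running as the services account.
$svcAcct  = Get-SPManagedAccount -Identity "$domain\svc_sp_services"
$poolName = 'SharePoint Service Applications'
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if ($pool) {
    Set-SPServiceApplicationPool -Identity $pool -Account $svcAcct
} else {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $svcAcct
}

# 3. Least privilege for the crawler: Full Read (never Full Control) on each
#    web application, then make it the default content access account.
$crawlLogin = "$domain\svc_sp_crawl"
$crawlCred  = Get-Credential $crawlLogin
foreach ($wa in Get-SPWebApplication) {
    # Claims-mode web applications store policy users in encoded form
    # (i:0#.w|contoso\svc_sp_crawl); classic mode stores DOMAIN\user.
    $policyUser = $crawlLogin
    if ($wa.UseClaimsAuthentication) {
        $policyUser = (New-SPClaimsPrincipal -Identity $crawlLogin `
            -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    $existing = $wa.Policies | Where-Object { $_.UserName -eq $policyUser }
    if (-not $existing) {
        $policy   = $wa.Policies.Add($policyUser, 'Search Crawling Account')
        $fullRead = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
        $policy.PolicyRoleBindings.Add($fullRead)
        $wa.Update()
    }
}

$ssa = Get-SPEnterpriseSearchServiceApplication
Set-SPEnterpriseSearchServiceApplication -Identity $ssa `
    -DefaultContentAccessAccountName $crawlLogin `
    -DefaultContentAccessAccountPassword $crawlCred.Password
```

The crawl account is deliberately not given any farm or server role beyond the Full Read policy; that policy is what lets it index every site while still being unable to change anything. Because every account ends up as a managed account, the password management concern above is also addressed: each one can later be rotated through Central Administration (or Set-SPManagedAccount) without touching the others.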
