The SharePoint farm service account (database access account) must be configured with minimum privileges on the SQL server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-59999	SP13-00-000165	SV-74429r1_rule		Medium

Description
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. This policy limits the Farm Account privileges in AD. However, default permissions for this account are configured by the SharePoint Products Configuration Wizard during product installation. This account is referred to during the installation as the "Database Access" account. By default, the account is used as the service account for the SharePoint Timer Service and the SharePoint Central Administration Web Site Application Pool. These settings should not be changed. Furthermore, this account should not be used as the service account for non-privileged services, applications, or application pools.

Description

Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires the person accountable for approving an action not be the same person who is tasked with implementing the action. This requirement is intended to limit exposure due to user accounts being used to operate from within a privileged account or role. Limiting the access and permissions of privileged accounts to the minimum required, reduces exposure if the account is compromised and provides forensic history of activity when operating from these accounts. This policy limits the Farm Account privileges in AD. However, default permissions for this account are configured by the SharePoint Products Configuration Wizard during product installation. This account is referred to during the installation as the "Database Access" account. By default, the account is used as the service account for the SharePoint Timer Service and the SharePoint Central Administration Web Site Application Pool. These settings should not be changed. Furthermore, this account should not be used as the service account for non-privileged services, applications, or application pools.

STIG	Date
MS SharePoint 2013 Security Technical Implementation Guide	2018-04-02

Details

Check Text ( C-60689r4_chk )
Review the SharePoint server configuration to ensure the farm service account (database access account) is configured with minimum privileges on the SQL server. - Launch the SQL Server Management Console and navigate to Security >> Logins. - Select the SharePoint farm service account. - Click on Server Roles and verify that only db_owner, dbcreator, and securityadmin are checked. Otherwise, this is a finding.

Check Text ( C-60689r4_chk )

Review the SharePoint server configuration to ensure the farm service account (database access account) is configured with minimum privileges on the SQL server.

- Launch the SQL Server Management Console and navigate to Security >> Logins.
- Select the SharePoint farm service account.
- Click on Server Roles and verify that only db_owner, dbcreator, and securityadmin are checked.

Otherwise, this is a finding.

Fix Text (F-65409r4_fix)
Configure the SharePoint farm service account (database access account) with minimum privileges on the SQL server. Configure the account on each SQL server in the farm. - Launch the SQL Server Management Console and navigate to Security >> Logins. - Select the SharePoint farm service account. - Click on Server Roles. - Configure the farm service account for the following: dbcreator fixed server role, the securityadmin fixed server role, and the db_owner fixed database role. - Deselect any other role for this account.

Fix Text (F-65409r4_fix)

Configure the SharePoint farm service account (database access account) with minimum privileges on the SQL server.

Configure the account on each SQL server in the farm.
- Launch the SQL Server Management Console and navigate to Security >> Logins.
- Select the SharePoint farm service account.
- Click on Server Roles.
- Configure the farm service account for the following: dbcreator fixed server role, the securityadmin fixed server role, and the db_owner fixed database role.
- Deselect any other role for this account.