You simply cannot have just one service account for multiple scenarios since not all scenarios require the same security levels, such as development and environment which do not in any way require the same kind of security levels that production does. A solution for this is to create different built-in service accounts for varying scenarios in SharePoint 2013 and SharePoint Online. We have compiled a list of three kinds of service accounts in the 2013 version of SharePoint based on varying security levels.
Low Security Option
The low security service account option is the one with comes with the minimum number of accounts required in order to install SharePoint properly. There is only one SQL account which is used as the administrator to run all services and five SharePoint service accounts listed below.
- Farm Administrator Account
- Web Application Pool Account
- SharePoint Service Application Pool Account
- Crawl Account
- User Profile Synchronization Account
The SQL Admin account is local administrator used to run the SQL server and it is a service account for services such as MSSQLSERVER SQLSERVERAGENT and SQL Admin on the SQL Server.
As we have mentioned before, this service account is for low security reasons which is why there is only one. This is the local administrative account and is needed to be able to install SQL. You can also run the SQL AGENT along with Database Engine Services with this administrative account. You may also use this account to grant rights to your SP Farm.
This security option is designed to utilize the lowest number of accounts while also maintaining the level of security that it promises. You can use SP Farm as your main SharePoint account during the configuration process but keep in mind that it needs to obtain local administrator rights first before being able to function adequately. Among the list of roles it needs, SP Farm also requires the Securityadmin and DBcreator roles on the server to create the configuration along with the databases. SP Farm will then become your Farm Administrator and it will run the Time Service and web apps for Central Administration so that it can easily access the SharePoint content database server.
This is a domain account which is used for the identification of the application pool. When you create a web application, a pool is created for it which is when you choose SP Pool.
This is a domain account which is created to be used for Service Application pools. When users create a Managed Metadata Service application and a pool is created, SP Services is the account to be chosen.
This account is made to be used within the Search Service Application. Its purpose is to crawl content. The service application automatically approves this request and allows it to gain access to overall web applications and to also run SharePoint Windows Search Service.
This profile is utilized for User Profile sync between your Active Directory and your Service Application. Though there are no local rights granted to this account, you can give it its own Replicate Directory Changes Rights in the Active Directory to smoothen then process of synchronization.
Medium Security Option
This security option is your best bet when it comes to installing SharePoint as it utilizes a handful of more accounts than the low security option but the performance differences are quite significant. When you give limited rights to every account, you reduce the chances of damage in the event that a certain account is hacked, and you are also compliant with Microsoft’s own recommendations which suggests that you should install SharePoint 2013 with the least-privilege administration.
This option was created to enhance security with the help of two administrative accounts rather than one: SP Admin and SP Search. In this setting, you don’t give the complete Farm administrative rights to the SP Farm account, but rather rely on SP Admin to install and configure SharePoint 2013. The SP Farm is only allowed to run the services as well as to connect to the database. What’s more is that instead of allowing the SP Crawl account to run the Windows Service along with having READ rights over all of the web applications, this task will now be done with SP Search.
This is a domain account on which SharePoint Timer Service and web applications for Central Administration access the SharePoint content database. To make this happen, this account does not need administrative rights. The SharePoint configuration wizard gives out the proper minimal privilege into the back-end development of the SQL Server database. This kind of minimum privilege has roles such as security admin and dbcreator.
You can use this domain account to not only install but to also configure the farm. SP Admin is also the account you use to run the SharePoint Configuration Wizard for SharePoint 2013. This is the only account which explicitly requires local administrative rights to function.
This account is utilized for application pool identity. When you create any web application and a pool is created for it, this is the account to be used.
SP Services is a domain account which you can use for Service Application Pools. When you create a managed metadata service application and a pool is created for it, this is the account to be used for it.
This domain account can be used within the Search Service application to migrate through the content to gain read access overall web applications.
This domain account is used to run the SharePoint Windows Search Service.
In the medium security level, this account is used to enable User Profile Sync between your active directory and your service applications, however, it does not require any local administrative rights to do so. You can give it its own Replicate Directory Changes Rights in the Active Directory to smoothen then process of synchronization.
High Security Option
This is the highest security level which provides you with the kind of security you need if your main goal is absolute safety. It comes with the most number of service accounts but provides only a small increase in security for the farm. However, you may use this security for a number of reasons.
There is a difference between the medium and high security options which means we now have a different account for two base services: SQL Agent and Database Agent, however, there are no new changes for the SQL Admin.
This is the local administrator accounts and it needs local rights to help install SharePoint 2013 and SharePoint online onto the SQL Server.
This account has no local rights and is only used to run the SQL Agent Windows Service.
This account is only utilized to run the Database engine windows service.
Since there is only one difference between the medium security and high security accounts options, we know that the new addition is that we now have a new account for the web application pool hosting which is why we will only be discussing the new addition here.
This is a new addition to the high security option. It is a domain account that’s sole purpose is to be used for My Sites Web Application Pool Identity which is fairly simple to the SP Pool. However, this account is only used for the My Sites Web Application.
Which security option you choose entirely depends on the needs your organization faces. However, should any confusions arise, you can always rely on reputable SharePoint development firms like Viftech to always have your back.