MOSS: Security Notes

When I set up SharePoint, I normally create a few groups before setting up service accounts / users. This way, when the required accounts are created, I only need to add them to specific AD groups, as opposed to logging on to the relevant boxes to grant local admin rights / SQL permissions.

The groups I create are as follows:

  • SQLSecurityAdminCreators – A group that is granted the security admin and db creator rights on the SQL instance. The setup, farm admin and SQL service accounts are added to this group.
  • SPServerAdmins – A group that has local admin rights on the SharePoint boxes.
  • SPFarmAdmins – Used for central admin / default content access etc. Note – this group actually gets added to the above two groups, and is not issued any additional permissions. This group is just for easier maintenance of SPFarm accounts.

I also normally create an Organisational Unit in AD named MOSSAccounts to contain all of these users and groups.
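The layout above as a re-runnable script. This is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is available, that the groups are global security groups, and that "security admin and db creator rights" means the SQL Server fixed server roles securityadmin and dbcreator.

```powershell
# Added example: builds the OU and group layout described above.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$ouName  = 'MOSSAccounts'
$ouPath  = "OU=$ouName,$($domain.DistinguishedName)"

# Create the OU only if it is missing, so the script can be re-run safely.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
          -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

$groups = @{
    SQLSecurityAdminCreators = 'securityadmin + dbcreator on the SharePoint SQL instance'
    SPServerAdmins           = 'Local administrators on the SharePoint servers'
    SPFarmAdmins             = 'Farm admin accounts; holds rights only through nesting'
}
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -Path $ouPath -Description $groups[$name]
    }
}

# SPFarmAdmins gets no direct permissions: it is nested in the other two groups.
foreach ($parent in 'SQLSecurityAdminCreators', 'SPServerAdmins') {
    $members = Get-ADGroupMember -Identity $parent |
        Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains 'SPFarmAdmins') {
        Add-ADGroupMember -Identity $parent -Members 'SPFarmAdmins'
    }
}

# T-SQL to run once on the SQL instance (for example with sqlcmd -E).
@"
CREATE LOGIN [$netbios\SQLSecurityAdminCreators] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$netbios\SQLSecurityAdminCreators', N'securityadmin';
EXEC sp_addsrvrolemember N'$netbios\SQLSecurityAdminCreators', N'dbcreator';
"@
# On each SharePoint server: net localgroup Administrators "$netbios\SPServerAdmins" /add

# Review: list every account that ends up with rights through each group.
foreach ($name in $groups.Keys) {
    Get-ADGroupMember -Identity $name -Recursive |
        Select-Object @{n='Group'; e={$name}}, SamAccountName, objectClass
}
```

Because SPFarmAdmins is nested rather than granted rights directly, the recursive listing at the end is the view to check when reviewing who actually holds SQL and local admin access.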

Note that the following link describes the proper way to add accounts, and you should follow it as closely as possible in production environments.

http://technet.microsoft.com/en-us/library/cc263445.aspx

Sidenote:

Note that SQL should be installed on a separate box from the DC. SQL is normally installed from an account that has local administrator rights, but a DC does not have a local Administrators group. The way around this would be to install SQL as a Domain Admin, which is not good practice.
