Running in a Least Privileged Mode

• Thursday, February 16, 2012 3:53 PM

   

   
  

  0

  We spent a lot of time configuring our SharePoint 2010 environment using a least privileged method.  Then when installing ForeFront we used the suggestion permissions from the documentation this invovled giving the account that runs ForeFront the following permissions from the documentation "This account must be a member of the Local Administrators group on the SharePoint server and have SharePoint Farm Administrators privileges.  If SharePoint is configured to connect to the database using Windows authentication, this account must also be a member of the SQL sysadmin role on the database server." 

  Unfortunately configuring ForeFront in this way partially comprimises a least privileged setup becuase we now have an account that is an Administrator on the database and all of our web front ends and inside of sharepoint.  So if this account gets comprimised it has administrative control of our servers, our database and our SharePoint environment.  This is the exact scenario that a Least Priviledged setup is trying to avoid.  Are there any suggestions for reducing the privilege level that ForeFront runs under so that if the account does get comprimised it does not comprimise such a large portion of our environment?  Since it actually has less privileges than a ForeFront account configured in the prefered manner but has access to all of the SharePoint resources would it be better to just run ForeFront as the Farm account? 

  

  ---

  If this post was helpful please mark it as helpful, if it solved your problem please mark it as answered.
  Visit my Blog: http://matthewchurilla.blogspot.com/

  • Reply
  • Quote