
Thursday, 4 April 2013

SharePoint 2007 Security Accounts

Great summary on SPS 2007 service accounts:
I’ve been working on a number of MOSS implementations lately, and I always get a lot of questions about what service accounts are needed to get the implementation rolling. Microsoft has a really nice, but very long, article on the accounts (more info at http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true), but most of my clients do not have the time or want to read that article. So I put together some basic guidelines on MOSS service accounts…

The following covers the most common service accounts that need to be setup and their typical permissions in order for MOSS to function properly. Note that each deployment is different, so these accounts may differ based upon individual requirements. There are some additional accounts that you may need for other optional services, but they are not mentioned here.

Running MOSS Setup
On every server where MOSS is to be installed, the account you run setup with must belong to the local administrators group. In addition, this account must be a Domain User and be a member of the following SQL server security roles: Logins, Securityadmin & Dbcreator. This account is going to be doing a lot – creating new databases, and also creating new IIS sites – so make sure you have enough permissions! Typically, an account such as the domain administrator is used to run the installation, which addresses all of the security requirements.

SQL Server (SQL_Service)
This account is specified when a new SQL server is being brought online or a new instance installed. It typically is used for running both the SQL Server & SQL Server Agent, however, each can have their own account. For our purposes, we will utilize one account for both SQL Server & the Agent. The account only needs to be a basic Domain Account with no specific permissions set. When SQL Server is installed, all of the other appropriate permissions will be granted to the account.

Database Access Account / Farm Account (Farm_Service)
This account serves a few roles. The first is that it is used by MOSS to access the databases… it acts as the account by which the server(s) MOSS is installed on communicates back and forth to SQL with (read/write). Additionally, it is used as the identity for the Central Administration application pool & the WSS Timer service. This account needs to be a Domain Account - but note that it is believed to have to be a local admin on every MOSS box - this is not true, as Spence points out very eloquently.

Shared Service Provider (SSP#_Service)
Each shared service provider can run under its own account, therefore, it is desirable to name the account using a number. This way, if your MOSS farm ends up having a large number of SSPs, you can map the SSPs back to their specific service accounts easily. This account is used for the SSP web services & the SSP timer jobs. The account only needs to be a basic Domain Account with no specific permissions set.

Office SharePoint Server Search (Search_Service)
This account is utilized by all of the Shared Service Providers to crawl local & remote content. This account should be a Domain Account & have local administrator permissions on each MOSS server.

Default Content Access Account (SSP#ContentAccess_Service)
When a shared service provider crawls content, this is the default account used if a specific account (see below) is not specified for the content source being crawled. This account is specific for each individual SSP. This account should be a Domain Account & have read access to the content sources it needs to crawl.

Content Access Account (XXXXContent_Service)
If you have specific content sources that need to be crawled, and you do not want to allow the default content access account to crawl them, then you specify an individual content access account (specified at the time a Crawl Rule is setup). This account is a Domain Account with read permissions specifically on the content source it crawls.

Windows SharePoint Services Search Account (WSSSearch_Service)
The WSS Services Search is used only to provide search capabilities within the Help content. If this search feature is desired, then this account should be configured as a Domain Account with no specific permissions.

Application Pool Process Account (XXXXPool_Service)
When each application pool is setup, you must specify an account that will be used for that specific application pool’s identity. This account will be used to access the content databases associated with the web application. It is recommended that a new service account is created for each application pool. This should be a Domain Account with no specific permissions. When the account is specified & SharePoint creates the application pool, it automatically grants the account additional needed permissions.
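An added check, not part of the quoted summary above, that turns its guidance into something you can verify from any domain-joined machine: the script lists the members of the local Administrators group on each farm server and flags any service account that is a local admin without needing to be. Per the summary, the search account is the only service account that needs local admin rights on every MOSS server; the farm account does not. The server names, the CONTOSO domain and the account names are placeholders, not from the original page.

```powershell
# Added example (not from the quoted summary): report which service accounts are
# members of the local Administrators group on each farm server. Only the
# accounts listed in $expectedLocalAdmins should be; anything else is flagged.
# Server, domain and account names below are placeholders.
$servers = @('MOSS-WFE1', 'MOSS-WFE2', 'MOSS-APP1')

# Per the summary above, the search service account needs local admin on every
# MOSS server; the farm account, SSP account and pool accounts do not.
$expectedLocalAdmins = @('CONTOSO\Search_Service')

$serviceAccounts = @(
    'CONTOSO\Farm_Service',
    'CONTOSO\SSP1_Service',
    'CONTOSO\Search_Service',
    'CONTOSO\SSP1ContentAccess_Service',
    'CONTOSO\WSSSearch_Service',
    'CONTOSO\IntranetPool_Service'
)

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # The WinNT ADSI provider exposes the direct members of a local group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://CONTOSO/Farm_Service; normalise to DOMAIN\name.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($server in $servers) {
    $members = Get-LocalAdminMembers -ComputerName $server
    foreach ($acct in $serviceAccounts) {
        $isAdmin  = $members -contains $acct        # -contains is case-insensitive
        $expected = $expectedLocalAdmins -contains $acct
        if ($isAdmin -and -not $expected) {
            Write-Warning "$server : $acct is a local Administrator but does not need to be"
        } elseif (-not $isAdmin -and $expected) {
            Write-Warning "$server : $acct is expected to be a local Administrator but is not"
        } else {
            Write-Output "$server : $acct OK (local admin = $isAdmin)"
        }
    }
}
```

Run it as a user with rights to read local group membership on the farm servers. The check only sees direct members, so a service account that is a local admin through a nested domain group will not be reported; add the group to $serviceAccounts if you nest accounts that way.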

Q) What are some of the tools that can be used when backing up a SharePoint 2010 environment?
SharePoint farm backup and recovery
SQL Server
System Center Data Protection Manager
Q) What Microsoft tool can be used for incremental backups?
System Center Data Protection Manager
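As an added example that is not part of the original post, the SharePoint 2010 Management Shell snippet below uses the built-in farm backup (the first tool listed above) to take a full and then a differential farm backup, and then reads the backup history instead of assuming the cmdlet succeeded. The UNC path is a placeholder; the farm (timer service) account and the SQL Server service account both need write access to it.

```powershell
# Added example (not from the original post): full + differential farm backup
# with a result check. The share path is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$backupDir = '\\backup01\spfarm'   # farm account and SQL service account need write access here

# A differential backup only captures changes since the last full backup, so a
# full backup must exist first. -Force skips the free-space confirmation prompt.
Backup-SPFarm -Directory $backupDir -BackupMethod Full -Force
Backup-SPFarm -Directory $backupDir -BackupMethod Differential -Force

# Verify from the backup history rather than trusting that the cmdlet returned.
$last = Get-SPBackupHistory -Directory $backupDir -ShowBackup |
    Sort-Object StartTime -Descending |
    Select-Object -First 1

$last | Select-Object StartTime, FinishTime, Method, IsFailure, ErrorCount, WarningCount

if ($last.IsFailure -or $last.ErrorCount -gt 0) {
    Write-Warning "Last farm backup reported failure; see spbackup.log in $backupDir"
}
```

The built-in backup has no incremental mode (only full and differential), which is why the answer above names Data Protection Manager for incremental backups.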
Managed Metadata Questions
Q) What is Managed Metadata?
Managed metadata is a hierarchical collection of centrally managed terms that you can define, and then use as attributes for items.
Q) What are Terms and Term Sets?
A term is a word or a phrase that can be associated with an item.  A term set is a collection of related terms.
Q) How do Terms And Term Sets relate to Managed Metadata?
Managed metadata is a way of referring to the fact that terms and term sets can be created and managed independently from the columns themselves.
Q) Are there different types of Term Sets?
There are Local Term Sets and Global Term Sets, one created within the context of a site collection and the other created outside the context of a site collection, respectively.
Q) How are terms created and used?
There are several ways; however the most common is to use the Term Store Management Tool.
Q) How is Managed Metadata, and the related Term technology used?
Through the UI, the most common use is the managed metadata list column, which allows you to specify the term set to use. Managed metadata also relates to search, where it enhances the user search experience.
Q) What is a sandboxed solution?
Components that are deployed to run within the sandboxed process rather than running in the production Internet Information Services (IIS) worker process.
Q) What are some examples of things that might run within the SharePoint sandbox?
Any of the following are acceptable answers:
Web Parts
Event receivers
Feature receivers
Custom Microsoft SharePoint Designer workflow activities
Microsoft InfoPath business logic
and others
Q) Why are sandboxed solutions used?
Primarily because they promote high levels of isolation. By default they run within a rights-restricted, isolated process governed by Code Access Security (CAS). Isolation can be increased further, for example by running the Sandboxed Code Service only on specific SharePoint 2010 servers.
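An added example, not code from the original post, showing the two isolation controls just described: the Sandboxed Code Service is started only on designated servers (and stopped elsewhere), and a resource quota caps what a site collection's sandboxed solutions may consume before the farm blocks them for the day. The server names, site URL and .wsp path are placeholders.

```powershell
# Added example (not from the original post): confine sandboxed code to
# designated servers and cap a site collection's sandbox resource usage.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sandboxHosts = @('SP-APP1', 'SP-APP2')   # placeholders: only these servers run sandboxed code

Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'Microsoft SharePoint Foundation Sandboxed Code Service' } |
    ForEach-Object {
        $server = $_.Server.Address
        if ($sandboxHosts -contains $server) {
            if ($_.Status -ne 'Online')   { Start-SPServiceInstance -Identity $_ | Out-Null }
        } else {
            if ($_.Status -ne 'Disabled') { Stop-SPServiceInstance -Identity $_ | Out-Null }
        }
    }

# Resource points per day for the site collection that will host the solution;
# solutions are blocked once the maximum is reached until the daily reset.
$siteUrl = 'http://intranet.contoso.com/sites/projects'   # placeholder
Set-SPSite -Identity $siteUrl -ResourceQuotaMaximum 300 -ResourceQuotaWarningLevel 200

# Upload the sandboxed solution to the site collection's solution gallery and activate it.
$wsp = 'C:\Deploy\ProjectWebParts.wsp'   # placeholder
$solution = Add-SPUserSolution -LiteralPath $wsp -Site $siteUrl
Install-SPUserSolution -Identity $solution -Site $siteUrl

# Confirm the solution is activated and the quota is in place.
Get-SPUserSolution -Site $siteUrl | Select-Object Name, Status
(Get-SPSite $siteUrl).Quota | Select-Object UserCodeMaximumLevel, UserCodeWarningLevel
```

Stopping the service instance on a server removes it from the pool of hosts that execute sandboxed code; the solution is still visible everywhere, but its code only ever runs on the servers you chose.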
Q) What is a content source in relation to SharePoint search? What’s the minimum amount of content sources?
A content source is a set of options that you can use to specify what type of content is crawled, what URLs to crawl, and how deep and when to crawl. You must create at least one content source before a crawl can occur.
Q) What is a search scope?
A search scope defines a subset of information in the search index. Users can select a search scope when performing a search.
Q) What is a federated location with SharePoint search?
Federated locations provide information that exists outside of your internal network to your end-users.
Q) How does managed metadata affect search?
Enhances the end-user search experience by mapping crawled properties to managed properties. Managed properties show up in search results and help users perform more successful queries.
Q)  What is query logging in SharePoint 2010?
Collects information about user search queries and search results that users select on their computers to improve the relevancy of search results and to improve query suggestions.
Q) What authentication type does the SharePoint crawler use?
The crawl component requires access to content using NTLM authentication.
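An added example, not part of the original post, that combines the content-source and crawl-rule answers above with the per-source content access account from the 2007 summary earlier on the page: it creates a content source with a bounded crawl depth, then adds a crawl rule so that one path is crawled with a dedicated read-only account instead of the default content access account. The search service application name, the URL and the account name are placeholders; the password is prompted for rather than embedded in the script.

```powershell
# Added example (not from the original post): a content source plus a crawl
# rule that uses a dedicated, read-only content access account. Names and
# URLs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa = Get-SPEnterpriseSearchServiceApplication 'Search Service Application'

# Content source: what to crawl and how deep. Depth 3 pages, no server hops,
# so the crawler cannot wander off the start address onto other hosts.
$source = New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
    -Name 'HR portal' -Type Web -StartAddresses 'http://hr.contoso.com' `
    -MaxPageEnumerationDepth 3 -MaxSiteEnumerationDepth 0

# Crawl rule: this path is crawled as a dedicated account that has read rights
# on the HR portal only, rather than as the default content access account.
$ruleAccount  = 'CONTOSO\HRContent_Service'
$rulePassword = Read-Host -Prompt "Password for $ruleAccount" -AsSecureString

New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa -Path 'http://hr.contoso.com/*' `
    -Type InclusionRule -AuthenticationType NTLMAccountRuleAccess `
    -AccountName $ruleAccount -AccountPassword $rulePassword

# Check which rule and account apply to the path, then kick off a full crawl.
Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa |
    Where-Object { $_.Path -like 'http://hr.contoso.com*' } |
    Select-Object Path, Type, AuthenticationType, AccountName

$source.StartFullCrawl()
```

Whatever account crawls a source ends up with its content in the index, and the index is served to anyone whose query matches. Giving the crawl account read access to exactly the content that should be discoverable is therefore the control that matters, which is why the rule account is separate from the default content access account.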
Q) Please describe what a Service Application is in SharePoint 2010.
Service applications in SharePoint 2010 are a set of services that can be shared across Web applications. Some of these services may or may not be shared across the SharePoint 2010 farm. The reason these applications are shared is the overall reduction of resources required to supply the functionality these services provide.
Q) Please provide an example of one of these service applications.
Any of the below are acceptable answers:
Access Services
Business Data Connectivity service
Excel Services Application
Managed Metadata service
PerformancePoint Service Application
Search service
Secure Store Service
State service
Usage and Health Data Collection service
User Profile service
Visio Graphics Service
Web Analytics service
Word Automation Services
Microsoft SharePoint Foundation Subscription Settings Service
Q) What are Service Application Groups used for?
They provide a logical grouping of service application connections (proxies) that can be assigned to a particular Web application, so that each Web application consumes only the services in its group.
Q) How are Service Applications deployed in terms of IIS (Internet Information Services)?
They are provisioned as a single Internet Information Services (IIS) Web site.
Q) Explain how connections are managed with Service Applications.
Connections are managed through a virtual entity called a service application proxy (the name the PowerShell cmdlets use); a Web application consumes a service application through its proxy rather than directly.
Q) What are some common examples of SharePoint 2010 services architectures, and what are the advantages of each design?
The three most popular designs are a single farm with a single service application group, a single farm with multiple service application groups, and an Enterprise services farm.
A single farm with a single service application group is generally the most common, and has the advantages of easy deployment, simple service application allocation, effective resource utilization and cohesive management.
A single farm with multiple service application groups is less common. It has the advantage of allowing individual management of service applications as well as data isolation, and while it is more complex to deploy and maintain, it allows targeting of sites to particular service applications.
An Enterprise services farm is pretty uncommon, as it is a complete farm dedicated to service applications, but it promotes autonomous management and high levels of data isolation.
Q) Are there any other type of relevant service architectures?
Depending on the environment requirements, a specialized farm can also be used in order to deploy specific services tailored to the organizational requirements which can aid in scaling out and conservation of resources.
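An added example that is not part of the original post, showing how the proxy and proxy group concepts above are used to build the "multiple service application groups" design: a custom proxy group is created holding only the connections one Web application needs, and the Web application is switched from the default group to it, so it cannot reach any other service application in the farm. The Web application URL, group name and proxy type names are placeholders.

```powershell
# Added example (not from the original post): isolate a Web application by
# giving it its own service application proxy group. Names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://hr.contoso.com'

# A custom proxy group containing only the proxies the HR Web application needs;
# every other service application in the farm stays unreachable from it.
$group = New-SPServiceApplicationProxyGroup -Name 'HR proxy group'

# TypeName strings as displayed by Get-SPServiceApplicationProxy (assumed here;
# check the output in your farm before relying on them).
$needed = @('Managed Metadata Service Connection', 'Search Service Application Proxy')

Get-SPServiceApplicationProxy |
    Where-Object { $needed -contains $_.TypeName } |
    ForEach-Object { Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $_ }

# Point the Web application at the new group instead of [default].
Set-SPWebApplication -Identity $webAppUrl -ServiceApplicationProxyGroup $group

# Verify: only the selected proxies should be listed.
(Get-SPWebApplication $webAppUrl).ServiceApplicationProxyGroup.Proxies |
    Select-Object DisplayName, TypeName
```

Proxies added to the farm later do not join a custom group automatically, which is the point: membership of the isolated group only changes when an administrator changes it.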
Q) What is the User Profile service?
Allows configuring and managing User profile properties, Audiences, Profile synchronization settings, organization browsing and management settings, and My Site settings.
Q) What are User Profiles?
Aggregates properties from diverse identity content sources together to create unified and consistent profiles across an organization, used throughout the SharePoint environment.
Q) What is Excel Services?
Allows sharing, securing, managing, and using Excel 2010 workbooks in a SharePoint Server Web site or document library. Excel Services consists of the Excel Calculation Services (ECS), Microsoft Excel Web Access (EWA), and Excel Web Services (EWS) components.
Q) What is PerformancePoint Services?
Allows users to monitor and analyze a business by building dashboards, scorecards, and key performance indicators (KPIs).
Q) What is Visio Services?
Allows users to share and view Microsoft Visio Web drawings. The service also enables data-connected Microsoft Visio 2010 Web drawings to be refreshed and updated from various data sources.
Q) What is Access Services?
Allows users to edit, update, and create linked Microsoft Access 2010 databases that can be viewed and manipulated by using an internet browser, the Access client, or a linked HTML page.
Q) What is the Secure Store Service (SSS)?
A secure database for storing credentials that are associated with application IDs.
Q) What is Content Deployment?
Content deployment enables you to copy content from a source site collection to a destination site collection.
Backup / DR Questions.
Q) Describe how redundancy can be built into a SharePoint environment. Please be specific in regards to any auxiliary components.
Multiple front-end web servers (WFEs) can be deployed and load balanced through Windows NLB or another load-balancing approach. Application servers can be deployed into the farm for a variety of purposes, depending on organizational requirements. Databases can be clustered or mirrored, again depending on requirements and environment.
Q) From a basic standpoint, what is the difference between SQL clustering and mirroring?
Clustering provides a failover scenario whereby one or more nodes can be swapped as active depending on whether a node goes down. In mirroring, transactions are sent directly from a principal database and server to a mirror database to establish essentially a replica of the database.
Q) What Is Governance in terms of SharePoint 2010?
Governance is the set of policies, roles, responsibilities, and processes that guide, direct, and control how an organization’s business divisions and IT teams cooperate to achieve business goals.
Q) What are some useful, OOB features of SharePoint that aid with governance of an environment?
Any of the below are acceptable answers. There are some others but these are the major ones that I generally look for from a candidate:
Site templates – enforce consistent branding, site structure, and layout through a set of customizations that are applied to a site definition.
Quotas – limits to the amount of storage a site collection can use.
Locks - prevent users from either adding content to a site collection or using the site collection.
Web application permissions and policies – comprehensive security settings that apply to all users and groups for all site collections within a Web application.
Self-service site creation - enables users to create their own site collections, thus must be incorporated into a governance scheme.
Q) Describe the monitoring features that are baked into SharePoint 2010.
Diagnostic logging captures data about the state of the system, whereas health and usage data collection uses specific timer jobs to perform monitoring tasks, collecting information about:
Performance Counter Data
Event Log Data
Timer Service Data
Metrics For Site Collections and Sites
Search Usage Data

Q) What is a declarative workflow? Can non-authenticated users participate in workflows?
Ans. Declarative workflows are workflows created by using Microsoft SharePoint Designer 2010; the default setting enables deployment of declarative workflows. Yes, non-authenticated users can participate, but you do not give non-authorized users access to the site. Note that the e-mail messages and attachments sent by notifications might contain sensitive information.

