Lesson: The SharePoint Farm account should not be a local or domain administrator. The Farm account should have limited use!
Microsoft SharePoint offers a great many features that help solve many of our business problems. In reviewing many SharePoint farms over the past years, I have found that while most people think they are security focused, they take shortcuts and disregard security recommendations. In doing so, they expose not only their SharePoint but their entire network to attack. Case in point: let's assume you (or someone in your organization) used the SharePoint 2013 Products Configuration Wizard. If so, I am making the following assumptions:
- The Farm Account is probably a local administrator; it may even be a domain admin.
- The Farm Account has complete control of your SharePoint environment.
- The Farm Account is the account for every SharePoint Application Service.
- The Farm Account has more rights than it needs to your SQL Servers.
Now, you may be thinking that this is OK because no one knows the Farm Account password. Before you pat yourself on the back, jump on the SharePoint server hosting Central Administration and open Internet Information Services (IIS) Manager. There you will find all of the Application Pools and Web Sites that make up the SharePoint components hosted on that particular server. Take note of the name 'SharePoint Central Administration v4'.
If you launch a CMD prompt (with Administrator rights), you can execute the following:
C:\Windows\System32\inetsrv\appcmd list apppool "SharePoint Central Administration v4" /text:*
You should see output similar to the screenshot below (image not reproduced here). The highlighted area shows the application pool's processModel settings, which include the identity the pool runs as: the Farm Account. Anyone with administrator rights on that server can read them.
Remember that warning in Central Administration Monitoring that states that your Farm Account shouldn’t be a local administrator? Maybe it’s time to go fix that.
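As an added audit example (not from the original post), the following PowerShell lists the identity of every IIS application pool on the local SharePoint server and flags any account that is a direct member of the local Administrators group or of Domain Admins. It assumes an elevated session on a server with the IIS WebAdministration module; the function names are my own.

```powershell
# Added audit example, not part of the original post. Assumes an elevated
# PowerShell session on a SharePoint server with the IIS WebAdministration module.
Import-Module WebAdministration

# Direct members of the local Administrators group, normalised to DOMAIN\name.
# Nested membership (a domain group placed in Administrators) is not expanded.
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/svc_spfarm -> CONTOSO\svc_spfarm
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Direct membership of DOMAIN\name in that domain's Domain Admins group.
# Returns $null when the domain cannot be queried from this server.
function Test-DomainAdminMember([string]$domainUser) {
    $domain, $name = $domainUser -split '\\', 2
    if (-not $name) { return $false }          # local account, no domain to check
    try {
        $g = [ADSI]"WinNT://$domain/Domain Admins,group"
        return [bool]$g.psbase.Invoke('IsMember', "WinNT://$domain/$name")
    } catch { return $null }
}

function Get-AppPoolIdentityReport {
    $localAdmins = @(Get-LocalAdminMembers)
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $type = $pool.processModel.identityType
        # Built-in identities (ApplicationPoolIdentity, NetworkService, ...) have no userName.
        $user = if ($type -eq 'SpecificUser') { $pool.processModel.userName } else { "$type" }
        [pscustomobject]@{
            AppPool     = $pool.Name
            Identity    = $user
            LocalAdmin  = ($type -eq 'SpecificUser') -and ($localAdmins -contains $user)
            DomainAdmin = if ($type -eq 'SpecificUser') { Test-DomainAdminMember $user } else { $false }
        }
    }
}

# Any row with LocalAdmin or DomainAdmin set to True is the finding this post describes.
Get-AppPoolIdentityReport | Sort-Object AppPool | Format-Table -AutoSize
```

Run it on every server in the farm, since the Farm Account runs pools on more than just the Central Administration host.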