STIG Summary: MS SharePoint 2013 Security Technical Implementation Guide, Version: 1, Release: 8, Benchmark Date: 25 Oct 2019

The SharePoint farm service account (database access account) must be configured with minimum privileges in Active Directory (AD).

DISA Rule

SV-74427r1_rule

Vulnerability Number

V-59997

Group Title

SRG-APP-000062

Rule Version

SP13-00-000160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SharePoint farm service account (database access account) with minimum privileges in Active Directory (AD).

Ensure the Setup User domain user has minimum permissions in Active Directory.
- Using the AD DS console, navigate to “Active Directory Users and Computers” >> Users.
- Double-click on the account to view the account properties.
- Select the “Members of” tab and configure the farm service account as a member of the Domain Users group. Remove any other group membership from the account.
- Select the other tabs in this area and remove any services or permissions configured for this account.

Check Contents

Review the SharePoint server configuration to ensure the farm service account (database access account) is configured with minimum privileges in Active Directory (AD).

- Verify the account has least privilege in Active Directory.
- Navigate to “Active Directory Users and Computers” >> Users.
- Double-click on the account to view the account properties.
- Select the “Members of” tab and verify this account is a member of the Domain Users group only.
- Select the other tabs in this area to verify no other services or permissions are configured for this account.

If the farm service account is a member of any group other than Domain Users, this is a finding.

If the Setup User account has unneeded permissions or services assigned, this is a finding.
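
The same check can be scripted for repeatable evidence. The following is an added example, not part of the STIG text: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account lives in the current domain, and it uses `svc-spfarm` as a placeholder account name. It is read-only; group membership maps to the finding condition above, while the delegation and SPN attributes are surfaced for the manual "other tabs" review.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only check of the farm service account against this rule.
# 'svc-spfarm' below is a placeholder account name, not a value from the STIG.

function Test-FarmAccountLeastPrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # Domain Users is matched by its well-known RID (513) so the check
    # does not depend on the group's display name.
    $domainUsersSid = '{0}-513' -f (Get-ADDomain).DomainSID.Value

    $user = Get-ADUser -Identity $Identity -Properties ServicePrincipalNames,
        TrustedForDelegation, TrustedToAuthForDelegation, adminCount

    # Direct group memberships, including the primary group.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user)
    $extra  = @($groups | Where-Object { $_.SID.Value -ne $domainUsersSid })
    $inDomainUsers = @($groups | Where-Object { $_.SID.Value -eq $domainUsersSid }).Count -gt 0

    [pscustomobject]@{
        Account              = $user.SamAccountName
        InDomainUsers        = $inDomainUsers
        ExtraGroups          = @($extra.Name)
        # Membership in any other group is the finding condition in the check text.
        GroupFinding         = ($extra.Count -gt 0)
        # The attributes below support the "other tabs" step and need manual review.
        ServicePrincipals    = @($user.ServicePrincipalNames)
        TrustedForDelegation = [bool]$user.TrustedForDelegation
        TrustedToAuthForDelegation = [bool]$user.TrustedToAuthForDelegation
        AdminCount           = $user.adminCount
    }
}

$result = Test-FarmAccountLeastPrivilege -Identity 'svc-spfarm'
$result | Format-List

if ($result.GroupFinding) {
    Write-Warning ("Finding: {0} is a member of: {1}" -f $result.Account, ($result.ExtraGroups -join ', '))
}
```

Only direct memberships are evaluated, which matches what the account's membership tab displays.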

Documentable

False

Check Content Reference

M

Target Key

2801
