SHPT-00-000199 - SharePoint service accounts must be configured for separation of duties.


Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action.

SharePoint service accounts must be configured for separation of duties, particularly the farm services account which should not be used to manage other services. The required service accounts must be created in AD (default users group member only). These AD accounts are applied when installing and configuring SharePoint services. If the default Farm Services Account is used for all services during initial configuration, this must be changed when each service is configured. This violates the principles of least privilege since not all services have equal trust levels. Some services, (e.g., Excel Service or Search Service), may be configured to interact with outside resources. Microsoft recommends separate accounts for each service with the minimum required privileges for each service account.

When each service is installed, a service account is requested by the application. Ensure one service account is not used for all services. Either use separate accounts for all services or group the services based on trust and access privileges. Each account will be a member of the default user domain group in AD. The exact services installed on each farm may vary.


1. In SharePoint Central Administration, click Security.
2. On the Security page, in the General Security list, click Configure service accounts.
3. On the Service Accounts page, in the Credential Management section, select each service installed, and configure the service account field by selecting the appropriate AD account from the drop-down menu.
4. Create separate accounts for each service (or assign accounts based on common access permissions or trust levels).

See Also

Item Details


References: 800-53|AC-5c., CAT|II, CCI|CCI-002220, Rule-ID|SV-38296r2_rule, STIG-ID|SHPT-00-000199, Vuln-ID|V-29398

Plugin: Windows

Control ID: ced44d482be173dc2875c2cc5e8067eb59c0389924851e57a790c9cc4ef6f72a