For security reasons, it is best to ensure that the service accounts used with Microsoft Office SharePoint Server (MOSS) 2007 run with only the minimum permissions necessary. This is referred to as the principle of least privilege.
Microsoft recommends two general rules that you should apply to all your MOSS 2007 service accounts:
- Use separate domain user accounts for services with different security requirements.
- Do not use domain user accounts with the local administrator or domain administrator privileges to run any services.
Microsoft suggests in one of its white papers that you can install MOSS 2007 with a single service account that has administrative privileges and, once everything is working, go back and assign the services to different accounts with minimum permissions. Here’s the exact quote from Microsoft:
To reduce troubleshooting time, you can install an Office SharePoint Server 2007 server farm by using a single service account with administrative privileges. When you are sure that everything works correctly, you can then assign the services to different accounts with minimum permissions.
However, I am totally against this recommendation. On paper this may sound like a good idea, but in the real world it can potentially become a nightmare. It’s bad enough that you need so many different accounts to run SharePoint; once you start messing with the service accounts you may end up running around in circles, and troubleshooting can become very difficult.
If you must change service accounts and passwords, then check out my blog from December 2008: How to Change Service Accounts and Service Passwords in MOSS 2007 & WSS 3.0.
Here’s a table of Minimum Permissions Required for MOSS 2007 Service Accounts. The information is based on a Microsoft TechNet document. If you are interested in only the necessary SharePoint service accounts then check out Sharee’s blog Necessary SharePoint Service Accounts. She uses her vast SharePoint knowledge to explain things in more detail. There are so many lists out there that document MOSS accounts necessary to install SharePoint properly and some of them are really convoluted. Because Sharee has done tons of successful installations at our clients based on the table that she has put together, I’ve created a table of accounts based on her table and then I also put together a script that creates all the accounts in an OU called Service Accounts. I have tested the script and it works great. Make sure you check out her blog because she has additional valuable information that I have not included in this post.
Table of Necessary MOSS Accounts (based on Sharee’s recommendation)
Here’s a table of necessary MOSS 2007 accounts. This is a fancy version of Sharee’s table. The table includes the purpose of each account, and its group, domain and SQL rights. You can use your own naming convention. I started my accounts with SP (for SharePoint….or SeattlePro) so I can recognize them as the accounts that were created by me, rather than the system.
WARNING! Although standard Active Directory accounts can have spaces and can be longer than 20 characters, I suggest you limit your account names to 20 characters because the Pre-Windows 2000 login names are limited to 20 characters in WS08 and can’t have spaces. You may not run into any issues in the near future if you don’t follow my advice but I think it is better to be safe than sorry.
Script to Create Necessary MOSS Accounts
To create all the above necessary accounts and the OU, you can download the script here. The results will look like this. This script adds all the necessary permissions required for the accounts in the description so you can easily verify that you have the permissions set properly.
WARNING! Make sure you change the password in the script to match with the password that you want to use for your service accounts.
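As an added example (this is not the downloadable script from the post), the following PowerShell applies the same rules: one account per service, an OU named Service Accounts, names that start with SP, stay within 20 characters and contain no spaces, and the required permissions recorded in each account's Description for later verification. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), which the original WS08-era script did not need; the two account entries are constructed placeholders, and the real list comes from Sharee's table.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dnsRoot  = (Get-ADDomain).DNSRoot
$ouName   = 'Service Accounts'
$ouDN     = "OU=$ouName,$domainDN"

# Constructed placeholder entries: account name plus the permissions to record.
# Replace with the accounts and permissions from the table referenced above.
$accounts = @(
    @{ Name = 'SPFarmSvc';   Desc = 'MOSS farm account. Permissions: <from table>' },
    @{ Name = 'SPSearchSvc'; Desc = 'MOSS search service. Permissions: <from table>' }
)

# Prompt for the password instead of embedding it in the script (see the warning above).
$password = Read-Host -Prompt 'Service account password' -AsSecureString

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

foreach ($a in $accounts) {
    # Pre-Windows 2000 logon names: 20 characters or fewer, no spaces.
    if ($a.Name.Length -gt 20 -or $a.Name -match '\s') {
        Write-Warning "Skipping '$($a.Name)': name must be 20 characters or fewer with no spaces."
        continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'") {
        Write-Warning "Skipping '$($a.Name)': account already exists."
        continue
    }
    # Password settings are typical for MOSS service accounts; adjust to your own policy.
    New-ADUser -Name $a.Name -SamAccountName $a.Name `
        -UserPrincipalName "$($a.Name)@$dnsRoot" `
        -Path $ouDN -Description $a.Desc -AccountPassword $password `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
}

# Verification: list the accounts with the permissions recorded in Description.
Get-ADUser -SearchBase $ouDN -Filter * -Properties Description |
    Select-Object SamAccountName, Description | Format-Table -AutoSize
```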
Troubleshooting Tip
You may encounter a problem when you try to give the service accounts permission to impersonate a client after authentication. On your WS08 Domain Controller you can start Group Policy Management Console, go to Group Policy Objects, right-click Default Domain Controllers Policy and select Edit. In the Group Policy Management Editor, go to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment and double-click Impersonate a client after authentication. Check the box Define these policy settings. If you simply add the service accounts you created and then click Apply or OK you won’t get anywhere. Notice that the warning at the bottom is telling you that you need to add the Administrators and the SERVICE account.
It may not be obvious but what that means is that you need to literally add the Administrators and SERVICE account as shown below in the screenshot and then when you click Apply the warning message will disappear and you will be able to click OK to proceed.
According to reports, some Microsoft Windows computers are experiencing a “Black Screen of Death.” The phrase is a play on the famous “Blue Screen of Death”, which accompanied system crashes on earlier Windows operating systems. According to MSNBC:
The problem may be tied to security updates recently released by the software maker. “Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers,” the company said in a statement. “Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues.”
British security firm Prevx writes about the problem on its blog, and suggests following this procedure:
1. Restart your PC
2. Log on and wait for the black screen to appear
3. Make sure your PC is able to connect to the Internet (the black screen does not appear to affect this)
4. Press the CTRL, ALT and DEL keys simultaneously
5. When prompted, click Start Task Manager
6. In Task Manager, click on the Applications tab
7. Next, click New Task
8. Now enter the command:
"C:\Program Files\Internet Explorer\iexplore.exe" "http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX"
9. Click OK and your (Web) browser should start up and begin the download process
10. When prompted for the download, click Run; the black screen fix program will download and run to automatically fix the issue.
11. Now restart your PC and the black screen problem will hopefully be gone.
“There appears to be many causes of the black screen issue,” wrote Dave Kennerley of Prevx Support on the company’s blog. “The symptoms are very distinctive and troublesome. After starting your Windows 7, Vista, XP, NT, W2K, W2K3 or W2K8 PC or server the system appears normal.
“However, after logging on there is no desktop, task bar, system tray or side bar. Instead you are left with a totally black screen and a single My Computer Explorer window. Even this window might be minimized making it hard to see.”
Now that Microsoft is offering free anti-virus software to the public called Microsoft Security Essentials, the anti-virus vendors are not too happy, which is understandable. But the way some of them are fighting back is rather strange. For example, Sophos, which offers security products such as anti-virus, anti-spam, and firewall clients, decided to get even with Microsoft by claiming that Windows 7 failed to prevent 80% of malware attacks in their lab test. According to Sophos, “Windows 7 disappointed just like earlier versions of Windows.”
What Sophos didn’t tell everyone was that the Windows 7 computer that they tested didn’t have any anti-virus software. Hello? Anybody home? Sophos completely rigged the results as if no one would notice that they were cheating. Microsoft didn’t think this was funny and fired back.
I understand that Sophos didn’t like the fact that Microsoft is offering a free anti-virus tool, but I am sure they could have used a better way to express their frustration. Risking your credibility may not be an ideal way to fight back, but that’s exactly what Sophos did. Hopefully other vendors will use better judgment.
Issuing certificates for a long duration is not common practice, so by default the Certificate Authority (CA) in Windows Server 2008 will not issue a certificate for a period longer than 2 years. If for some reason you need to issue a certificate for longer than the default period, here’s what you need to do.
1. Create a V3 template with the expiration period of your choice for the certificate.
2. Use the CertUtil tool to configure the maximum allowed validity. For example, the following commands will configure the certificate validity for 5 years:
CertUtil -setreg CA\ValidityPeriodUnits 5
CertUtil -setreg CA\ValidityPeriod "Years"
3. Restart the certificate service (at the command prompt type “net stop certsvc” and then “net start certsvc” without the quotes).
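As an added example (not from the original post), this PowerShell script performs steps 2 and 3 above and then reads the values back from the CertSvc registry key that CertUtil writes to, so you can confirm the new ceiling took effect. It assumes you run it in an elevated prompt on the CA itself, that the CA's own certificate is in the local machine Personal store (as it is on a Windows CA), and that the CA key name matches the CA common name.

```powershell
# Added example, not the post's own commands. Run elevated on the WS08 CA.
param(
    [int]$Units = 5,
    [ValidateSet('Days', 'Weeks', 'Months', 'Years')][string]$Period = 'Years'
)

# CertUtil -setreg CA\... writes under this key, in a subkey named after the active CA.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath -Name Active).Active

# Step 2: raise the CA-wide ceiling. No template can exceed this value.
& certutil.exe -setreg 'CA\ValidityPeriodUnits' $Units | Out-Null
& certutil.exe -setreg 'CA\ValidityPeriod' $Period    | Out-Null

# Step 3: the setting is only read when the service starts.
Restart-Service -Name CertSvc

# Read back what was actually written rather than trusting the command output.
$caKey = Get-ItemProperty -Path (Join-Path $cfgPath $caName)
"Effective maximum validity: $($caKey.ValidityPeriodUnits) $($caKey.ValidityPeriod)"

# Caveat: an issued certificate can never outlive the CA's own certificate, so a
# 5-year ceiling is truncated to the CA certificate's expiry date if that is sooner.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($caCert) {
    $wanted = switch ($Period) {
        'Days'   { (Get-Date).AddDays($Units) }
        'Weeks'  { (Get-Date).AddDays(7 * $Units) }
        'Months' { (Get-Date).AddMonths($Units) }
        'Years'  { (Get-Date).AddYears($Units) }
    }
    if ($wanted -gt $caCert.NotAfter) {
        Write-Warning ("CA certificate expires {0:d}; certificates requested today " +
                       "will be cut off at that date, not at {1:d}." -f $caCert.NotAfter, $wanted)
    }
}
```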
In Active Directory Certificate Services (AD CS), V3 certificate templates supersede the V1 and V2 certificate templates introduced in earlier versions of Windows and support the latest Windows Server 2008 CNG cryptographic algorithms. V3 templates also provide a more secure method for client validation of domain controllers, and can encrypt client and server AD CS–related communications.
NOTE: You must be running a WS08 CA in order to use V3 templates. Keep in mind that V3 templates can only be used by WS08/Windows Vista and later clients.
Microsoft Security Essentials provides real-time protection for your home PC and guards your computer against viruses, spyware, and other malicious software.
Microsoft Security Essentials is a free download from Microsoft that is always kept up to date. According to Microsoft, it runs quietly in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.
The tool will detect any potential threats and provide an alert level and a recommendation on what action to take, as shown in the screenshot below.
The orangish-brown color means you are potentially unprotected. Green means you are protected.
What About Your Privacy?
Because not everyone is willing to risk their privacy and send private data to Microsoft, with each new operating system and program Microsoft is tightening the screws and pretty much forcing users to send data to help Microsoft enhance its software. Sending error reports used to be optional, but with Windows Vista and Windows 7 Microsoft developers have very cleverly made it difficult for users to disable error reporting by practically hiding the options from the users.
You Can Have Any Color Car as Long as It’s Black
In the past joining Microsoft SpyNet was optional (e.g. in Windows Defender) but with Microsoft Security Essentials you are only given two choices.
Choice #1: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
Choice #2: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
That’s right. Those are the only two choices. You can either send some information to Microsoft or you can send a lot of information to Microsoft. So what’s your pleasure?
Basic Membership: You agree to send some information to Microsoft.
Advanced Membership: You agree to send a lot of information to Microsoft.
In either case Microsoft warns you that you might be risking your privacy because your personal information might be unintentionally sent to Microsoft. Do you have the option to not send personal information to Microsoft? Absolutely not! If you want to use Microsoft Security Essentials you have no choice but to agree to risk your privacy. I don’t know why Microsoft does not give you the option to opt out, but if I find out I will update this post. I guess if the application is free and does a good job of protecting us then we need to quit whining about privacy. However, I believe if enough people complain then Microsoft will add the third option of opting out of Microsoft SpyNet.
Microsoft Forefront Client Security
As I mentioned earlier, Microsoft Security Essentials is meant for home computers. If you want similar protection for your business computers, check out Microsoft Forefront Client Security. Forefront Client Security provides unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control. It delivers simplified administration through central management and provides critical visibility into threats and vulnerabilities.
If you plan to use Microsoft Forefront Client Security, keep the following things in mind.
* If you are installing multiple Client Security deployments, you must use unique computer names for each collection database server and reporting database server, as well as unique Management group names. Unique names allow you to use the Client Security Enterprise Manager tool to aggregate reporting and to manage your Client Security environment from a single Client Security console.
* The operating system, the software prerequisites (including SQL Server and WSUS), and the installation of Client Security on the servers must all be in the same language version. You can, however, install the English version of Client Security on a server with an operating system of a different language version.
* Client Security server components are not supported for x64 and Itanium operating systems; however, Client Security client components are supported for x64 (but not Itanium) operating systems.
Client Security supports:
- Installing Client Security client components on clustered nodes
- Running Client Security server components on a 32-bit guest hosted on Windows Server 2008 with Hyper-V
- Running WSUS 3.0 or higher on x64 operating systems that are not also running Client Security server components
Client Security does not support:
- Installing Client Security server components on a domain controller
- Installing Client Security client components or server components on a Server Core installation of Windows Server 2008 R2
- Installing Client Security server components on Windows Server 2008 R2
- Installing Client Security server components on a Server Core installation of Windows Server 2008
- Using a clustered installation of SQL Server for Client Security server components
- Running the server components of Client Security within a Microsoft Virtual Server environment
- Installing Client Security server components on Microsoft Windows Small Business Server 2003, Windows Small Business Server 2003 R2, or Windows Small Business Server 2008
See Microsoft’s Forefront Client Security system requirements for more details.
Copyright ©2009 Zubair Alexander. All rights reserved.