Sharepoint 2013 : Security and Policy - Security Administration

11/13/2014 8:25:18 PM

The IT department typically played a large role in web site security administration in days of old. For its SharePoint collaboration tool, Microsoft wanted to break this dependency on IT and empower end users—content owners—to have control of the content they create and disseminate to their audience. However, Microsoft also recognized that no large enterprise content management system operates completely without involvement from IT. So it structured the security model in hierarchical fashion so that IT can manage high-level access and overall control, while allowing content owners to manage their own content islands with SharePoint sites and site collections.

You should have noticed by now that I throw around the term “SharePoint administrator” loosely. In fact, a well-organized SharePoint farm consists of various types of administrators for different configuration areas. So before getting knee-deep in security terminology, I will visit the different types of SharePoint administrators.

SharePoint Administrators

Have you seen a SharePoint farm configured where the farm administrator account has rights to perform every SharePoint task under the sun? I am willing to bet that the farm administrator account has local server administration rights on the web-front-end servers and database cluster, too. Convenient as this scenario is, it leaves a large attack surface open for hackers; once a hacker gains access to the farm account, he or she has access to the entire farm configuration. The alternative SharePoint provides is to assign administrators specific roles. Read on through this section for the various administration roles in SharePoint.

  • Local Server Administrators—Contrary to common belief, the main SharePoint farm account does not have to be a local server admin—Microsoft recommends quite the opposite. One exception is when installing SharePoint 2013, where making the farm account user a local admin ensures access to configure IIS, access to SQL, and installation of SharePoint binaries. After installation, ensure that the farm account is not a local administrator by accessing the Administrators Security Group under Server Management in Windows.

Note  All members of the local server administrators group are automatically SharePoint farm administrators.

  • SharePoint Farm Administrators—They have full control of the entire SharePoint farm. Ensure that the main SharePoint farm account is a member of this group (the default post-installation) for SharePoint 2013 to function correctly. Members of the local server administrators group already have farm access. An existing farm administrator may add another user, not part of the local server administrators group, via Central Administration, as follows:
  1. Click the Manage the Farm Administrators Group link, under the Security heading.
  2. SharePoint shows you the list of users already in the farm administrators group.
  3. From the horizontal sub-menu, click the New button and select Add Users from the drop-down box.
  4. A people picker dialog should appear and allow you to select users from any of the user credential stores (the default is typically Active Directory).
  5. To remove one or more users from the farm administrators group, click the Actions menu after selecting existing users from the list (check the check box next to each user to delete) and then Remove Selected Users from Group.
  • PowerShell Administrators—PowerShell administrators require additional permissions to perform administration operations via the SharePoint Management Shell (PowerShell). The following PowerShell cmdlet grants shell administration permissions. Supply the user names to receive shell administration permissions and the content database in which they can perform operations.
    Add-SPShellAdmin -UserName <user name> -Database <database name>
  • Service Administrators—Service administrators control specific service applications and cannot administer service applications other than those they are granted access to by farm administrators. For example, a farm administrator may delegate administration of the Managed Metadata Service Application to one set of administrators and the Search Service Application to another set. To grant administration access to a service application, visit Central Admin => Application Management => Manage Service Applications => Highlight the service application item, and then click the Administrators icon on the ribbon for the selected managed service application.
  • Feature Administrators—Feature administrators manage administration of particular features as part of existing managed service applications. Not all managed service applications permit such granular control with permissions, but for those that do—such as the User Profile Service Application—you can highlight the Manage Service Applications item in Central Administration (see the previous bullet) and then click the Permissions icon on the ribbon to access the settings.
  • Site Collection Administrators—Site collection administrators have rights to configure and change settings across a particular site collection. Farm administrators by default do not belong to all site collection administration groups, but they do have the power to add themselves to any site collection administration group via Central Administration. Regardless of how users secure content within a site, within a list, or at the list item, site collection administrators have exclusive full control access to all content in the site collection. Thus, assign users to the site collection administrators group with care. A farm administrator may add a user as a site collection administrator from Central Administration as follows:
  1. Click the Application Management heading.
  2. Under Site Collection, click the link to change site collection administrators.
  3. You should see a page like Figure 1.


    Figure 1. Assigning site collection administrators from Central Administration

  4. Ensure that the correct site collection is in the drop-down.
  5. Central Administration enables assignment of one primary and one secondary site collection administrator; use the people picker boxes on this page to assign them.
  • Existing site collection administrators may add other users to the site collection administrators group from the site collection, using the following steps:
  1. Click the gear icon.
  2. Click the Site Settings menu option from the menu.
  3. Click the Site Collection Administrators link from the Users and Permissions heading.
  4. Add users in the page shown in Figure 2.


    Figure 2. Assigning site collection administrators from Site Settings

  5. You should see existing site collection administrators, already assigned by a farm administrator—SharePoint will not allow you to remove all site administrators.
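
The roles described above can be reviewed in one pass. The following read-only PowerShell audit is an added example, not code from the original article. It assumes the SharePoint 2013 Management Shell on an English-language farm server (the group names `Administrators` and `Farm Administrators` are localized on other installations), and `New-Finding` is a hypothetical helper.

```powershell
# Added example: read-only audit of the administrator roles described above.
# Assumes an English-language farm server; New-Finding is a hypothetical helper.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Start-SPAssignment -Global          # track SPSite/SPWeb objects for disposal

function New-Finding($Role, $Scope, $Principal) {
    [pscustomobject]@{ Role = $Role; Scope = $Scope; Principal = $Principal }
}
$findings = @()

# 1. The farm account should not be a local administrator after installation.
#    Only direct membership is detected, not membership through nested groups.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name      # DOMAIN\account
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$needle = '*/' + $farmAccount.Replace('\', '/')
$findings += @(@($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
} | Where-Object { $_ -like $needle } | ForEach-Object {
    New-Finding 'Local administrator (farm account!)' $env:COMPUTERNAME $farmAccount
})

# 2. Members of the Farm Administrators group (held in Central Administration).
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $ca.Url
$findings += @($caWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object {
    New-Finding 'Farm administrator' 'Farm' $_.LoginName
})

# 3. Shell administrators granted with Add-SPShellAdmin: the farm configuration
#    database (no -database argument), then each content database.
$findings += @(Get-SPShellAdmin | ForEach-Object {
    New-Finding 'Shell administrator' 'Configuration database' $_.UserName
})
foreach ($db in Get-SPContentDatabase) {
    $findings += @(Get-SPShellAdmin -database $db | ForEach-Object {
        New-Finding 'Shell administrator' $db.Name $_.UserName
    })
}

# 4. Site collection administrators, who have full control of all content.
foreach ($site in Get-SPSite -Limit All) {
    $findings += @($site.RootWeb.SiteAdministrators | ForEach-Object {
        New-Finding 'Site collection administrator' $site.Url $_.LoginName
    })
}

Stop-SPAssignment -Global
$findings | Sort-Object Role, Scope | Format-Table -AutoSize
```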
 