Configuring a Min-priv environment for PowerPivot for SharePoint 2013
The new SharePoint 2013 release is bringing lots of exciting
new things, and on this blog post we will go over what’s necessary to configure
PowerPivot for SharePoint 2013 in a least-privileged accounts environment. The
main idea is to use different accounts for different purposes, but all of them
to have the least amount of privilege as possible for the environment to work.
This increases the security of the farm by restricting what each service can
The first noticeable difference for PowerPivot for
SharePoint 2013 is that now you can configure the Analysis Services instance
process account to be the Network Service account. Note that this is not
possible when running any of the PowerPivot for SharePoint releases on
SharePoint 2010, since SharePoint 2010 requires a domain account for Analysis
Services running inside the farm.
Briefly, the Network Service account is a special, built-in
account that is similar to an authenticated user account. The Network Service
account has the same level of access to resources and objects as members of the
Users group. This limited access helps safeguard your system if individual
services or processes are compromised. Services that run as the Network Service
account access network resources using the credentials of the computer account.
Now off to the PowerPivot for SharePoint 2013 configuration.
You will need at least three accounts to configure SharePoint 2013 and
PowerPivot for SharePoint 2013 in a min-priv environment:
- SharePoint Administrator account
- Farm account
- Service Account for PowerPivot
The SharePoint Administrator account
This account is the domain account you use to configure the
farm. I’ll reference it as the SPAdmin account. That is, it’s the account used
to run the configurations programs such as the SharePoint Configuration Wizard,
the PowerPivot Configuration Tool for SharePoint 2013, psconfig.exe,
Let’s say you will be using the PowerPivot Configuration
Tool for SharePoint 2013 (from now on refered as the PowerPivot configuration
tool). The SPAdmin account is the only
account that requires local Administrator rights. Also, prior to running the PowerPivot
Configuration tool, you need to grant the SPAdmin account to the backend SQL
Server database where SharePoint will place its databases. This minimum
privilege requirement for SPAdmin account in SQL Server is membership in the securityadmin and dbcreator roles.
The Farm account
This is the domain account that the SharePoint Timer service
and the Web application for Central Administration use to access the SharePoint
content database. I’ll refer to it as the SPFarm account. This account does not
need to be a local administrator, and the PowerPivot Configuration tool will
grant the proper minimal privilege in the back end SQL Server database (which
is also securityadmin and dbcreator roles).
The Service Account for PowerPivot Service
Here is where the extra work needs to be done. By default,
if you are configuring a SharePoint farm from scratch, and by that I mean that
there is no PowerPivot service, nor Excel Services nor Secure Store service
application yet, the PowerPivot Configuration tool will create the PowerPivot
Service application along with the Excel Services application and Secure Store
application and place all of them in an existing application pool that
SharePoint created when the Central Administration Application is created by
the PowerPivot Configuration tool. This application pool runs as the SPFarm
account, which has access to many resources that a service account does not
To make the environment a min-priv environment, you will
need to add a new domain account as a SharePoint Service account. This account
has no local administrator privilege, neither any privilege in the back end
SharePoint database. The only privilege this account requires is to be granted
administrative rights to the PowerPivot Instance of the Analysis Services.
You can do that through the UI, through the Central
Administration application > Security > Configure Service Accounts. Click
on the link Register new managed account.
Let’s name it SPSvc.
Finally, after successfully registering the new SPSvc
account, go back to Central Administration application > Security >
Configure Service Accounts; chose the
service application pool where the PowerPivot Service application is; and
select the new SPSvc account from the drop-down menu.
After changing the service account, you need to grant it
access to the web application. The way to do it is through the SharePoint 2013
Management Shell. Run it as the administrator, and type the following PowerShell
$webApp = Get-SPWebApplication "http://<servername>"
To make the environment even more secure, you could create a
new application pool which only the PowerPivot service application would be
part of. And this pool can run as a different service account than the one
running the Excel Services and Secure Store service applications. The two
service accounts, the one running the PowerPivot Service application pool and
the one running the Excel Services application pool need administrator rights
on the Analysis Services PowerPivot instance and be granted access to the web
application (through the PowerShell cmdlets above).
SharePoint Administrator account
Backend Database roles:
Backend Database roles:
Service Account for PowerPivot
Administrator at the Analysis Services PowerPivot instance