Plan for least-privileged administration in SharePoint Server

Summary: Learn how to use least-privileged administration to configure and maintain a SharePoint 2013 or SharePoint Server 2016 farm and to enhance its security.

The concept of least-privileged administration is to assign users the minimum permissions they need to complete authorized tasks. The goal is to configure an environment and help keep it under secure control. The result is that each account under which a service runs is granted access only to the resources that are absolutely necessary.

We recommend that you deploy SharePoint Server with least-privileged administration, even though doing so can increase operational costs: additional resources might be required to maintain this level of administration, and troubleshooting security problems can become more complex.

Introduction

Organizations implement least-privileged administration to achieve better security than is typically recommended. Only a small percentage of organizations require this heightened level of security, because of the resource cost of maintaining it. Deployments that might require it include government agencies, security organizations, and organizations in the financial services industry. Implementing a least-privileged environment should not be confused with following best practices: in a least-privileged environment, administrators implement best practices and then add further levels of hardening on top of them.

Least-privileged environment for accounts and services

To plan for least-privileged administration, you must consider several accounts, roles, and services. Some apply to SQL Server and some apply to SharePoint Server. As administrators lock down additional accounts and services, daily operational costs are likely to increase.

SQL Server roles

In a SharePoint Server environment, several accounts may be granted the following two SQL Server server-level roles. In a least-privileged SharePoint Server environment, we recommend that you grant these roles only to the account under which the Microsoft SharePoint Foundation Workflow Timer Service runs. Typically, the timer service runs under the server farm account. For day-to-day operations, we recommend that you remove the following two SQL Server server-level roles from all other accounts that are used for SharePoint administration:

  • dbcreator - Members of the dbcreator fixed server role can create, alter, drop, and restore any database.

  • securityadmin - Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions, and they can GRANT, DENY, and REVOKE database-level permissions in any database they have access to. They can also reset passwords for SQL Server logins.

    Security note: Because securityadmin members can grant access to the Database Engine and configure user permissions, they can assign most server-level permissions to themselves or to others. Treat the securityadmin role as equivalent to the sysadmin role.

For more information about SQL Server server-level roles, see Server Level Roles.

If you remove one or more of these SQL Server roles, you might receive "Unexpected" error messages in the Central Administration web site. In addition, you may see the following message in the Unified Logging Service (ULS) log:

System.Data.SqlClient.SqlException… <operation type> permission denied in database <database>. Table <table>

Along with such an error message, you may be unable to perform any of the following tasks:

  • Restore a backup of a farm, because you can't write to a database

  • Provision a service instance or web application

  • Configure managed accounts

  • Change managed accounts for web applications

  • Perform any action on any database, managed account, or service that requires the Central Administration web site

In certain situations, database administrators (DBAs) may want to operate independently of SharePoint Server administrators and to create and manage all the databases themselves. This is typical in IT environments where security requirements and company policies require a separation of administrator roles. The farm administrator provides the SharePoint Server database requirements to the DBA, who then creates the necessary databases and sets up the logins that the farm requires.

By default, the DBA has complete access to the SQL Server instance but requires additional permissions to work with SharePoint Server. DBAs typically use Windows PowerShell 3.0 when they add, create, move, or rename SharePoint databases, so they must be a member of the following roles and groups:

  • The securityadmin fixed server role on the SQL Server instance.

  • The db_owner fixed database role on all databases in the SharePoint farm.

  • The Administrators group on the computer on which they run the PowerShell cmdlets.

Additionally, the DBA may have to be a member of the SharePoint_Shell_Access role to access the SharePoint content databases. In some cases, the DBA may want to add the Setup user account to the db_owner role.
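The SharePoint_Shell_Access grant described above, as an added example that is not part of the original article or of Microsoft's own documentation. It assumes you run it in the SharePoint Management Shell as a farm administrator who already meets the three prerequisites listed (securityadmin, db_owner on every farm database, local Administrator), and the DBA account name CONTOSO\sql_dba is a placeholder:

```powershell
# Added example (not from the article): grant a DBA account the SharePoint_Shell_Access
# database role on every database in the farm, then verify nothing was missed.
# Assumptions: SharePoint Management Shell, caller is securityadmin on the SQL instance,
# db_owner on each database and local Administrator on this server; the DBA account
# name below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Dba = 'CONTOSO\sql_dba'   # assumed DBA account

# Add-SPShellAdmin without -database only touches the configuration database and the
# Central Administration content database, so loop over every farm database for a DBA
# who also manages content and service application databases.
foreach ($db in Get-SPDatabase) {
    $already = Get-SPShellAdmin -database $db | Where-Object { $_.UserName -ieq $Dba }
    if (-not $already) {
        # Also adds the account to the local WSS_Admin_WPG group on this server.
        Add-SPShellAdmin -UserName $Dba -database $db
        Write-Host ("Granted SharePoint_Shell_Access on {0} ({1})" -f $db.Name, $db.Type)
    }
}

# Verify: report any database on which the DBA still does not appear.
$missing = Get-SPDatabase | Where-Object {
    -not (Get-SPShellAdmin -database $_ | Where-Object { $_.UserName -ieq $Dba })
}
if ($missing) {
    $missing | ForEach-Object { Write-Warning "$Dba is not SharePoint_Shell_Access on $($_.Name)" }
} else {
    Write-Host "$Dba has SharePoint_Shell_Access on all $((Get-SPDatabase).Count) farm databases"
}
```

Because Add-SPShellAdmin writes to SQL Server on your behalf, the account running it (not the DBA being added) is the one that must hold securityadmin and db_owner; if the cmdlet fails with a permission error, that is the account to check.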

SharePoint Server roles and services

In general, you should remove the ability to create new databases from the SharePoint Server service accounts. Other than the account under which the timer service runs (typically the farm account), no SharePoint Server service account should hold the sysadmin role on the SQL Server instance, and no SharePoint Server service account should be a local Administrator on the server that runs SQL Server.
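The SQL Server roles section above recommends keeping dbcreator and securityadmin on the farm account only, and this paragraph adds that no other service account should hold sysadmin or be a local Administrator on the SQL host. The following added example (not from the article, and not a Microsoft script) audits all three roles from sys.server_role_members and drops the surplus members. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, the caller is a SQL sysadmin, and the instance name, the CONTOSO\sp_* account names and the Get-LocalGroupMember check on the SQL host are placeholders for your environment:

```powershell
# Added example, not from the article: audit the dbcreator, securityadmin and sysadmin
# server-level roles on the farm's SQL Server instance and drop every SharePoint
# account other than the farm (timer service) account from them.
# Assumptions: SqlServer module present, caller is a SQL sysadmin, names are placeholders.
Import-Module SqlServer

$SqlInstance  = 'SQL01\SHAREPOINT'                                                  # assumed instance
$FarmAccount  = 'CONTOSO\sp_farm'                                                   # assumed farm account
$ServiceAccts = 'CONTOSO\sp_services', 'CONTOSO\sp_webapp', 'CONTOSO\sp_mysites'    # assumed
$Apply        = $false          # set to $true to actually issue ALTER SERVER ROLE ... DROP MEMBER

# sys.server_role_members maps each role principal to its member principals.
$query = @"
SELECT r.name AS RoleName, m.name AS MemberName
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('dbcreator', 'securityadmin', 'sysadmin')
ORDER BY r.name, m.name;
"@

foreach ($row in (Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query)) {
    $role = $row.RoleName
    $name = $row.MemberName

    # Leave SQL Server's own principals alone (sa, per-service SIDs, certificate logins).
    if ($name -eq 'sa' -or $name -like 'NT SERVICE\*' -or $name -like '##*##') { continue }

    $isFarm    = $name -ieq $FarmAccount
    $isService = $ServiceAccts -contains $name

    # dbcreator / securityadmin: only the farm account keeps them; every other account
    # used for SharePoint is dropped. sysadmin: no SharePoint service account may hold it.
    $drop = if ($role -eq 'sysadmin') { $isService }
            else { -not $isFarm -and ($isService -or $name -like 'CONTOSO\sp_*') }

    if (-not $drop) { Write-Host "keep  [$name] in   [$role]"; continue }
    Write-Host "drop  [$name] from [$role]"
    if ($Apply) {
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "ALTER SERVER ROLE [$role] DROP MEMBER [$name];"
    }
}

# Same rule for the SQL host itself: no SharePoint service account should be a local
# Administrator there. Get-LocalGroupMember needs Windows Server 2016 or later (or the
# LocalAccounts module) on the SQL host; substitute net localgroup on older hosts.
$sqlHost     = ($SqlInstance -split '\\')[0]
$localAdmins = Invoke-Command -ComputerName $sqlHost -ScriptBlock {
    (Get-LocalGroupMember -Group 'Administrators').Name
}
foreach ($acct in ($ServiceAccts + $FarmAccount)) {
    if ($localAdmins -contains $acct) { Write-Warning "$acct is a local Administrator on $sqlHost" }
}
```

Run it first with $Apply left at $false and read the keep/drop list: a SharePoint account you forgot to list in $ServiceAccts is not touched, and the securityadmin note above is the reason the farm account itself stays in the list rather than being treated as just another service account.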

For more information about SharePoint Server accounts, see Account permissions and security settings in SharePoint Server 2016.

For account information in SharePoint Server 2013, see Account permissions and security settings in SharePoint 2013.

The following list provides information about locking down other SharePoint Server roles and services:

  • SharePoint_Shell_Access role

    When you remove this SQL Server database role, you remove the ability to write entries to the configuration and content databases and the ability to perform any task by using Microsoft PowerShell. For additional information about this role, see Add-SPShellAdmin.

  • SharePoint Timer service (SPTimerV4)

    We recommend that you do not limit the default permissions granted to the account under which this service runs, and that you never disable this account. Instead, use a secure user account whose password is not widely known, and leave the service running. This service is installed when you install SharePoint Server and maintains the configuration cache. If you set the service startup type to Disabled, you may experience the following behavior:

    • Timer jobs won't run

    • Health Analyzer rules won't run

    • Maintenance and farm configuration will be out of date

  • SharePoint Administration service (SPAdminV4)

    This service performs automated changes that require local administrator permission on the server. When the service is not running, you must process server-level administrative changes manually. We recommend that you do not limit the default permissions granted to the account under which this service runs, and that you never disable this account. Instead, use a secure user account whose password is not widely known, and leave the service running. If you set the service startup type to Disabled, you may experience the following behavior:

    • Administrative timer jobs won't run

    • Web configuration files won't be updated

    • Security and local groups won't be updated

    • Registry values and keys won't be written

    • Services may not be able to start or restart

    • Provisioning of services may not complete

  • SPUserCodeV4 service

    This service lets a site collection administrator upload sandboxed solutions to the Solutions gallery. If you are not using sandboxed solutions, you can disable this service.

  • Claims To Windows Token Service (C2WTS)

    By default, this service is disabled. C2WTS may be required for a deployment that uses Excel Services, PerformancePoint Services, or other SharePoint shared services that must translate between SharePoint security tokens and Windows identities. For example, you use this service when you configure Kerberos constrained delegation for access to external data sources. For more information about C2WTS, see Plan for Kerberos authentication in SharePoint Server.
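The service guidance in the list above (SPTimerV4 and SPAdminV4 must keep running; SPUserCodeV4 may be disabled only when no sandboxed solutions are in use), as an added example that is not part of the original article. It assumes the SharePoint Management Shell, a farm administrator account with WinRM/WMI access to every SharePoint server, and that the Sandboxed Code Service instance appears under the TypeName "Microsoft SharePoint Foundation Sandboxed Code Service" on the Services on Server page:

```powershell
# Added example (not from the article): verify the Windows service state of the
# SharePoint services discussed above on every server in the farm, then decide whether
# the Sandboxed Code Service (SPUserCodeV4) can be stopped by looking for sandboxed
# solutions in every site collection's Solutions gallery.
# Assumptions: SharePoint Management Shell, farm administrator, WinRM/WMI access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The database server is listed by Get-SPServer with Role = Invalid; skip it.
$servers  = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
$required = 'SPTimerV4', 'SPAdminV4'      # must stay Running / Auto
$optional = 'SPUserCodeV4', 'c2wts'       # may be stopped or disabled

foreach ($s in $servers) {
    $svcs = Get-Service -ComputerName $s -Name ($required + $optional) -ErrorAction SilentlyContinue
    foreach ($svc in $svcs) {
        # Get-Service does not expose the startup type; read it from Win32_Service.
        $mode = (Get-WmiObject -ComputerName $s -Class Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        if ($required -contains $svc.Name -and ($svc.Status -ne 'Running' -or $mode -ne 'Auto')) {
            Write-Warning "$($s): $($svc.Name) is $($svc.Status)/$mode but must be Running/Auto"
        } else {
            Write-Host "$($s): $($svc.Name) $($svc.Status)/$mode"
        }
    }
}

# Sandboxed solutions are uploaded per site collection, so every site collection must be
# checked before the service that runs them is taken away.
$sandboxed = foreach ($site in Get-SPSite -Limit All) {
    foreach ($sol in (Get-SPUserSolution -Site $site -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Site = $site.Url; Solution = $sol.Name; Status = $sol.Status }
    }
    $site.Dispose()
}

if ($sandboxed) {
    $sandboxed | Format-Table -AutoSize
    Write-Host 'Sandboxed solutions are deployed: keep the Sandboxed Code Service running.'
} else {
    # Stop the service instance through SharePoint rather than through services.msc so
    # the farm configuration database records the change on each server.
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq 'Microsoft SharePoint Foundation Sandboxed Code Service' -and $_.Status -eq 'Online' } |
        ForEach-Object {
            Write-Host "Stopping the Sandboxed Code Service on $($_.Server.Address)"
            Stop-SPServiceInstance -Identity $_ -Confirm:$false
        }
}
```

Stopping the service instance is the supported way to switch SPUserCodeV4 off; setting the Windows service to Disabled while the instance is still Online in the farm leaves the farm configuration inconsistent with the server, which is exactly the kind of "unexpected" state this article warns about.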

The following features may show additional symptoms under certain circumstances:

  • Backup and restore

    A restore from a backup may fail if you have removed database permissions.

  • Upgrade

    The upgrade process starts correctly but then fails if the account does not have suitable permissions on the databases. If your organization is already in a least-privileged environment, the workaround is to move to a best practices environment (restore the removed permissions) to complete the upgrade, and then move back to the least-privileged environment.

  • Update

    Applying a software update to a farm will succeed for the schema of the configuration database but fail on the content databases and services.

Additional things to consider for a least-privileged environment

In addition to the considerations above, you might have to consider further operations. The following list is incomplete; apply its items selectively, at your own discretion:

  • Setup user account - This account is used to set up each server in a farm. It must be a member of the Administrators group on each server in the SharePoint Server farm. For additional information about this account, see Initial deployment administrative and service accounts in SharePoint Server.

  • Synchronization account - For SharePoint Server, this account is used to connect to the directory service. We recommend that you do not limit the default permissions granted to this account and that you never disable it. Instead, use a secure user account whose password is not widely known, and leave the service running. This account also requires the Replicate Directory Changes permission on AD DS, which enables it to read AD DS objects and to discover AD DS objects that have changed in the domain. Replicate Directory Changes does not enable an account to create, change, or delete AD DS objects.

  • My Site host application pool account - This is the account under which the My Site application pool runs. To configure this account, you must be a member of the Farm Administrators group. You can limit the privileges of this account.

  • Built-in user groups - Removing a built-in user security group or changing its permissions may have unanticipated consequences. We recommend that you do not limit the privileges of any built-in account or group.

  • Group permissions - By default, the WSS_ADMIN_WPG SharePoint local group has read and write access to local resources. In particular, WSS_ADMIN_WPG needs access to the following file system locations for SharePoint Server to work correctly: %WINDIR%\System32\drivers\etc\Hosts and %WINDIR%\Tasks. If other services or applications run on the server, consider how they access the Tasks or Hosts locations. For additional information about account settings for SharePoint Server, see Account permissions and security settings in SharePoint Server 2016.

    For account information in SharePoint Server 2013, see Account permissions and security settings in SharePoint 2013.

  • Changing the permissions of a service - Changing the permissions of a service may have unanticipated consequences. For example, if performance counters are turned off by way of the registry value HKLM\System\CurrentControlSet\Services\PerfProc\Performance\Disable Performance Counters (a nonzero value disables the PerfProc counters), the User Code Host service cannot start, which causes sandboxed solutions to stop working.
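The last two items above (WSS_ADMIN_WPG must keep access to the Hosts file and the Tasks folder; disabled performance counters break the User Code Host service) are the kind of thing that drifts after a hardening pass. The following added example, not part of the original article, checks both on every SharePoint server in the farm. It assumes the SharePoint Management Shell, a farm administrator account with WinRM (Invoke-Command) access to the servers, and the documented meaning of Disable Performance Counters (REG_DWORD, nonzero = disabled, absent = enabled):

```powershell
# Added example (not from the article): on each SharePoint server, report whether the
# PerfProc performance counters are disabled and whether WSS_ADMIN_WPG still holds an
# Allow ACE with write rights on the Hosts file and the Tasks folder.
# Assumptions: SharePoint Management Shell, farm administrator, WinRM access to servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address

$check = {
    $result = [ordered]@{ Server = $env:COMPUTERNAME }

    # 'Disable Performance Counters' is a REG_DWORD under PerfProc\Performance; a nonzero
    # value disables the counters, and a missing value means they are enabled.
    $perf     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PerfProc\Performance' -ErrorAction SilentlyContinue
    $disabled = $perf.'Disable Performance Counters'
    $result.PerfCountersDisabled = [bool]($disabled -and $disabled -ne 0)

    # The two locations the article names as required by WSS_ADMIN_WPG.
    foreach ($path in "$env:WINDIR\System32\drivers\etc\hosts", "$env:WINDIR\Tasks") {
        $acl  = Get-Acl -Path $path
        $rule = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like '*\WSS_ADMIN_WPG' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
        }
        $result[$path] = [bool]$rule
    }
    [pscustomobject]$result
}

$report = Invoke-Command -ComputerName $servers -ScriptBlock $check
$report | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.PerfCountersDisabled) {
        Write-Warning "$($r.Server): performance counters are disabled; the User Code Host service (SPUserCodeV4) will not start, so sandboxed solutions will fail."
    }
    # Path-named properties that came back $false are locations WSS_ADMIN_WPG lost access to.
    $r.PSObject.Properties | Where-Object { $_.Name -like '*\*' -and -not $_.Value } |
        ForEach-Object { Write-Warning "$($r.Server): WSS_ADMIN_WPG has no Allow/Write ACE on $($_.Name)" }
}
```

The ACL test is deliberately loose (any Allow ACE carrying write bits, whether granted directly or inherited); its purpose is to flag servers where a hardening script or another product removed the group entirely, not to validate the exact default ACL.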

See also

Other Resources

Least Privilege Configuration for Workflow Manager with SharePoint 2013