Abstract
This
paper explores SharePoint 2013 Service applications in depth along with
accounts recommended to configure them to reduce chances of security vulnerabilities.
The target audiences for this paper are SharePoint administrators and auditors unlike
the previous paper in this series which covered overall Security Framework in
SharePoint 2013. To secure the SharePoint environment, administrator must be
aware of infrastructure; system & software configurations and define robust
patch deployment strategies. This paper will explore here some of the most
important configuration aspects at farm level to avoid security breaches.
Keywords:
SharePoint Server 2013, Security, Service Applications, Service Accounts,
Monitoring, Health Analyzer, SharePoint Administration
Service Applications in SharePoint 2013
Hemant Kumar
This
paper gives an overview of all the available service applications in SharePoint
2013 which a SharePoint administrator and auditor must be aware of and covers
most important things to be followed to keep environment secure in this context.
This paper may be considered in continuation of “Security in SharePoint 2013” by Kumar (2016), where he addressed
general audiences who are the stakeholders at any level in hierarchy in an
organization, consuming SharePoint 2013. In contradiction to previous one, this
paper is helpful only for limited audiences who have knowledge in SharePoint
and Windows Server administration. Under SharePoint 2013, service applications
are shared amongst all the front end web applications and more often ignored
for security issues and practices to be followed, since they are not visible to
day-to-day users and owners in the front end web application. Only when
something goes wrong, these areas are revisited, but after potential business
loss. To avoid disastrous situations and to keep system secure, the author
explores mostly ignored topics in SharePoint farm administration here. It is
most important to mention here that, with the topics mentioned here in this
paper only, achieving certain level of compliance certifications may not be
possible. This study may be helpful to avoid only few of vulnerabilities in the
system at first place. This covers only a small part of the whole picture;
things like network defense/attacks, firewall, possible ways to attack the
system etc. are not covered here.
SharePoint
2013: Service Applications
Before
author explores biggest mistake administrator does while farm configuration,
which leads to major security breaches, names and purpose of each Service
application must be understood.
SharePoint
Server 20013 allows unique functionalities, for example search to be packaged
as a readymade service, which may be deployed on same server or different
server in the farm. This also means sharing the same service deployed amongst
multiple front end SharePoint web applications is possible, and in some cases
even outside the SharePoint farm. But configuring these services in the right
manner is mandatory to avoid security breaches and healthy life span of main
SharePoint web application whose features are dependent on the services
consumed. Here author covers the most important and mostly used SharePoint
Services.
Secure Store Service
As
mentioned by Kumar (2016), this service may be considered in most layman term
as an impersonation layer. Suppose there is particular module which may be
executed by a specific user, but sharing credentials of this user amongst the
group or to any other user is not possible for security reasons. A target
application may be defined in Secure Store Service, to serve such sceneries in
SharePoint. Audit logging of actions performed using Secure Store Service is
disabled by default, enabling it may help track unauthorized information flow.
Good
thing about Secure Store Service is that, it stores credentials of target user
encrypted in a separate database, which may be even made more secured by
deploying on separate server. Also, credentials fields supported are generic,
user name, password, personal identification number, key, windows username,
windows password, certificate and certificate password. Bad thing is, if Secure
Store Service is hacked, and there are multiple sources of secured information
configured to be accessed through this framework, the whole SharePoint farm is
most unsecured place to think of.
Search Service
As
mentioned by Kumar (2016), this service may be used to even crawl the external
content along with SharePoint website sin the SharePoint Farm. This module is
responsible for crawling information source, prepare and maintain indexes based
on crawled information, search queries analytics and usage, search
administration.
Administrator
need to make sure, all the content in the target application being crawled is
accessible to account with which crawling is being done, but it does not mean
giving full permission on the target. Read permissions are sufficient.
Sometimes, search services are configured to exist on front end server, where
content source web application resides and Windows server prohibits accessing
website on the same server by crawlers. Most prevalent solution is to “DisableLoopbackCheck”
on front end server level. But as per Kumar (2011), this is not the secure way
of implementing search in SharePoint. Another security concern with SharePoint
Search Service crawler is that, it relies on custom headers to identify that
target web application is SharePoint based. If administrator removes these
headers as explained by Kumar (2013), search crawlers are not able to crawl
fine grained objects like list item in SharePoint target, and if he doesn’t
removes these headers, hackers can easily identify that target is SharePoint
based.
User Profile Service
User
profile service is used to keep data related to people in an organization. This
may have been coming from Active Directory (AD) in parts or some other custom
sources. SharePoint features like setting up audiences, my site for end users
and social features are directly dependent on this service.
User
profile database, synchronization database and social tagging database are
created when this service is configured. A healthy and fully functional User
Profile Service is dependent on Managed Metadata Service, Search Service and
Business Connectivity Service to deliver full range of social features in
SharePoint 2013.
Managed Metadata Service
This
SharePoint service is responsible for sharing managed keywords and term sets
across the multiple site collections across the boundaries. One of the most
important use of defining taxonomies and term sets at single place is better
and more organized search results. This makes information more meaningful to
the end user.
Business Data Connectivity Service
As
mentioned by Kumar (2016), content types are the ways to define information in
consistent way across the SharePoint site collection. This service is used to
define external Content Types to consume data from external line of business.
The way this service is configured, is highly dependent on what type of
existing or future external to SharePoint solutions and organization consumes
and what will be the business flow.
Word Automation Services
This
service is responsible for server side conversions of Word documents. This
service is able to cater both synchronous and asynchronous operations on
documents in SharePoint 2013. For asynchronous operations, this service is
dependent on SharePoint Timer Jobs.
User Profile Synchronization Service
This
service supplements User Profile Service described above, to facilitate user
information import from other systems. These systems may be Active Directory
Domain Service, SAP, SQL Server or else.
Machine Translation Service
This
service is used to automatically translate content in SharePoint with help of
Microsoft Online Translator Tool. This is the most helpful feature in
multilingual scenarios in SharePoint 2013.
Work Management Service
This
service is responsible for task aggregation at central location. My site and
new feed experience are the examples. Be it Exchange, Project Server or to-do
and tasks in SharePoint, with help of Search Service and User Profile Service,
and user may get everything at one place.
Visio Graphics Service
Visio
diagrams may be rendered in SharePoint 2013, with help of this service. This
service is dependent on State Service for its normal operation.
State Service
This
service is responsible for storing temporary data across related requests over
http. Many services and functionalities like Visio Graphics Services,
SharePoint Health Reports and many more won’t work without this being
configured.
Microsoft SharePoint Foundation Sandboxed Code Service
Traditional
custom solutions and webParts used to run under w3wp process earlier, with help
of these new service; administrators may actually limit the resources per
application basis and they run under a different process altogether to give
better security and isolation. The new model available is based on this
service.
Access Database Service 2010 and Access Services
In
SharePoint 2013, under new app model, for each Access app created a new SQL DB
is generated by Access Services. This is a very fast and user friendly way for
user to create and publish relational database and content in a web user
friendly way. Access Services are responsible for creating and customizing Access
apps. Access Database Service 2010 is provided for backward compatibility.
App Management & Microsoft SharePoint Foundation
Subscription Settings Service
Providing
this feature and service in SharePoint 2013 is a step towards Google Play store
and Apple Play Store like mythology from Microsoft in SharePoint, where publishing
and buying apps online is facilitated. App Management Service works in
conjunction with Microsoft SharePoint Foundation Subscription Settings Service
is the backend engine to support this feature
Central Administration Service
Stopping
this service on all servers in farm sufficient to screw up a SharePoint 2013
whole farm, an administrator without knowledge in PowerShell may be stuck
without this service running.
Claims to Windows Token Service
As
the name suggests it’s a part of Windows Identity Foundation on the server.
This service is responsible for impersonations required for accessing backend
resources by SharePoint and other products.
Distributed Cache Service
This
service is required by many services to operate or give better performance for
others, few examples of features depending on this services are OneNote,
security trimming, news feeds, social features, page load performance and so
on.
Document Conversions Launcher and Document Conversions Load
Balancer Service
Document
Conversions Launcher Service schedules and initiates the document conversions.
When SharePoint Foundation passes a document conversion request to the document
conversion launcher service, the service must call the appropriate document
converter. The load balancing of incoming requests is taken care of by Document
Conversions Load Balancer Service.
Excel Calculation Service
Excel
calculation Service in SharePoint 2013 may be taken as more of business
intelligence tool to share and render workbooks as a web page content directly.
Lotus Notes Connector Service
Since
for Lotus notes the platform of development and terminology is different, to
support big name sin market, Microsoft altogether built a connector in
SharePoint 2013 for functionalities like crawl the content inside Lotus notes.
Microsoft SharePoint Foundation Incoming E-Mail Service
Suppose
end user wants to use SharePoint as a dropbox where he could email content and
get it follow the further publishing work flow, yes it is possible with help of
this service only.
Microsoft SharePoint Foundation Web Application Service
This
service provides connect between SharePoint and IIS. Without this service
running, not even a web application could be created.
Microsoft SharePoint Foundation Workflow Timer Service
This
service is responsible for timed events and workflows related to list and
documents in the site collections.
PerformancePoint Service
This
service is responsible for monitoring and related data analysis including rich
dashboards and tools to consume this information.
PowerPoint Conversion Service
This
service is responsible for server side conversions of PowerPoint slides to
different formats.
Request Management Service
This
service is only configured through PowerShell, and is responsible for request
routing based on the type of request, to the right server in the farm.
Farm
Level Accounts
The
most common flaw in SharePoint Service application configuration observed is
using single account for all the operations. Think of the situation, this
single account is compromised.
SQL Server Service Account
This
is the account is used for setting up Windows Services (named MSSQLSERVER,
SQLSERVERAGENT) running on SQL server. Request Manager is functionality in
SharePoint Server 2013 that enables administrators to manage incoming requests
and determine how SharePoint Server 2013 routes these requests. If this account
is not configured correctly, backup and restores from external resources are
affected. This is preferred to be domain account, but not a requirement.
Setup User Account
This
is the account is used for initial setups and initial configuration wizards
execution. This account must be in administrative group on all the servers and
part of securityadmin & dbcreator server roles on SQL box. If the
administrator plans to run PowerShell scripts which directly affects this is
supposed to be db_owner on the target.
This must be a domain account.
Server Farm Account
This
is important to understand that, the moment a server is added to SharePoint
farm, this account gets additional privileges over the server resources. This
account is responsible to configure and mange server farms in future, acts as
application pool identity on IIS for central administrative web application and
configured to run SharePoint Foundation Workflow Timer Service right from the
beginning. The importance and of this account in security may be estimated by
the fact that this account is having dbcreator, securityadmin and db_owner
roles on all SQL server where all the database and underlying configuration of
SharePoint exist. If credentials of this account are leaked, nothing is left to
protect anymore. This must be a domain user account.
Service
Application Accounts
Above
mentioned three accounts are required before even starting deploying SharePoint
on a fresh environment. The most common mistake, as described previously in
this paper, administrator does is, they don’t go further and setup additional
accounts mentioned below: Here the author explores service accounts in terms of
application pools and account for unattended services. Say, administrator is
having single server to run all the services, single server may have multiple
Application Pools on the same server, or in case, multiple servers are
provided, each group of services under same application pool may be shifted, or
even divided. The purpose is to get basic idea, which services may reside together
and share resources without breaching security and which one requires domain
account for normal operations to be achieved.
Service Application Account for Application Pool 1
Unless
there is a specific security reason, justified per business needs, a single
application pool in IIS may host end point for Access Services, Word Automation
Services, Usage and Health Data Collection Service, Secure Store Service,
Business Data Connectivity service, User Profile Service and Visio Graphics
Service. Being under same Application Identity pool means these services are
sharing resources. The account being used to run this category may be a local
account. They are grouped together here because they don’t mandate the use of a
domain account and they may reside together. But administrator is allowed to
use a unique domain account if need be.
Service Application Account for Application Pool 2
Excel
Services, Managed Metadata Service, PerformancePoint Service and Search Service
endpoints may reside together on a single application pool identity, but that
must be running with a domain account. Unless, there is a need due to business
rules or performance constraint, these services may share single application
pool in IIS.
Service Application Account for Application Pool 3
Security
Token Service, Application Discovery and Load Balancer Service endpoints may
reside together on a single application pool identity. This account must be the
Farm Service Account and the SharePoint Products Configuration Wizard
automatically creates this application pool. This need not be a domain account.
Unattended Service Account 1
Under
Excel Services, this account is must to perform actions like refreshing
worksheet data when authentication type specified is none or non-Window
credentials are input. This must be a domain user account.
Unattended Service Account 2
Under
PerformancePoint Services, this account is used to authenticate with data
sources. This must be a domain user account.
Unattended Service Account 3
Under
Visio Graphics Services, this account is used to refresh data from
non-SharePoint data sources. This need not be a domain user account but this
decision is dependent upon which type of data source application uses.
Content Access Account for Search
This
account is used by SharePoint Search to crawl content from different sources.
The source may be an external content or inside the local farm. This account
has read permission on all the content to crawled, no matter what type of
account it may be. But as mentioned by Catrinescu (2013), this should be a
domain user account. This must not be part of farm administrator group. This
issue is caught very common in security audits.
Search Service Account
Please
note, this account is different from Content Access Account for Search and
Service Application Account for Application Pool 2 described above. This is
used to run actual Search Service Engine. This must be a domain user account.
This must not be part of farm administrator group. This issue is caught very
common in security audits.
User Profile Synchronization Account
Please
note, this account is different from Service Application Account for
Application Pool 1 which is used to run web application end point hosting User
Profile Service. Unlike the App pool 1 account; this must be a domain user
account as per Catrinescu (2013). Also, it should have “log on locally”
permission on the computer running the instance of the User Profile
Synchronization Service.
User Profile Connection Account
Please
note, this account is different from Service Application Account for
Application Pool 1 which is used to run web application end point hosting User
Profile Service and User Profile Synchronization Account which is used run Synchronization
Service. This must be a domain user account as per Catrinescu (2013). There may
be the case, for each connection established with remote directory service;
there is a different connection account. This account must have replicate
directory changes permission on the domains under consideration.
App Management Service Account
Type
of this account depends on SharePoint Catalog and SharePoint Store being
consumed to install apps in local farm. This account is responsible for App
management in SharePoint.
PowerPoint Conversion Account
This
account is responsible for Microsoft PowerPoint presentations conversion to
different formats using PowerPoint conversion service engine. There is no
specific requirement for this to be domain account unless required by
organization specific architecture.
Machine Translation Account
This
account is responsible for automatic translations in SharePoint. There is no
specific requirement for this to be domain account unless required by
organization specific architecture.
Distributed Cache Account
This
account is used to run Distributed cache service responsible for catering
in-memory to various features like authentication, security trimming by other
services e.g. search results, page load performance, newsfeed and so on. There
is no specific requirement for this to be domain account unless required by
organization specific architecture.
Work Management Account
All
the task aggregations by work management service are performed using this
account sources being SharePoint products, Microsoft Exchange Server, Microsoft
Project Server and so on. The type of account used greatly depends upon the
sources consumed.
Access Services 2013 Account
This
account is responsible for views, edits and all kind of interactions with
Access 2013 database in browser using SharePoint 2013. There is no specific
requirement for this to be domain account unless required by organization
specific architecture.
SharePoint
Health Analyzer
While
auditing any SharePoint 2013 environment for security and other issues, this
may be the best place to start with. The reports available under this section
in central administration are based on 63 automated rules defined by Microsoft.
All the rules may be disabled, if done so by administrator, this must be
reported in audits and cross questioned with administrators. For example, the default rule, “Accounts used by application pools or
service identities are in the local machine Administrators group” as per
Microsoft (2013), available under “SharePoint
Health Analyzer rules reference”, if disabled may open gateways to attack.
Under
Central administration, administrator may visit Monitoring > Health Analyzer
> Review problems and solutions, to figure out what is going wrong. Since
this data comes from a SharePoint List present in Central administration, even
he can enable email alerts on item created in this SharePoint List, if paid
monitoring tools are not available.
Definitely,
this Health Analyzer does not cover everything, but help to detect a lot more
than what administrator could achieve manually.
Conclusions
and Future Study
This
paper covers only SharePoint Service Applications, accounts categories
recommended to be used in configuring these service applications &
application pools in IIS and brief overview of Health Analyzer. But this does
not cover all the vulnerabilities that might be present in the system. For
example, there might be many Windows Services and components running on the
servers in farm, (with current features required by the organization,) may not
be required, and so must be stopped to reduce the attack vectors. SQL Server
may be exposed on default ports and many firewall rules may not have been even
thought of by the administrator. And so
on.
All
in all, this paper covers much, but to secure the SharePoint environment as a
whole, one more research on the whole infrastructure is highly recommended.
References
Catrinescu, V. (2013,
January 07). SharePoint 2013 Service Accounts Best Practices. Retrieved May 08,
2016, from https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html
Cleary, L. (2016, May
02). Penetration Testing SharePoint. Retrieved May 08, 2016, from https://www.pluralsight.com/courses/penetration-testing-sharepoint
Collins, J. (2016,
April 14). SharePoint Environment Auditing. Retrieved May 08, 2016, from
https://www.pluralsight.com/courses/sharepoint-environment-auditing
Ehrenberg, J. (2015,
April 01). SharePoint Health Analyzer rules reference (SharePoint 2013).
Retrieved May 08, 2016, from
https://jimehrenberg.wordpress.com/2015/04/01/sharepoint-health-analyzer-rules-reference-sharepoint-2013/
Fakos, A., &
Philipp, J. (2013, November 28). Getting a handle on SharePoint security
complexity. Retrieved May 08, 2016, from https://www.owasp.org/images/0/09/OWASP_BeNeLux-SharePoint-Comprehensive_Security_model_v1.0.pdf
Kumar, H. (2011, June
14). SharePoint disable loopback check | Specify Host Names. Retrieved May 08,
2016, from https://hemantrohtak.blogspot.com/2011/06/sharepoint-disable-loopback-check.html
Kumar, H. (2013,
January 07). SharePoint 2010 Enterprise Search | SharePoint Crawl Exceptional
Behaviour. Retrieved May 08, 2016, from
https://hemantrohtak.blogspot.com/2013/01/sharepoint-2010-enterprise-search.html
Kumar, H. (2016, March 11). Security in
SharePoint 2013. Retrieved May 08, 2016, from https://hemantrohtak.blogspot.com/2016/03/security-in-sharepoint-2013.html
Lozzi, D. (2013, April 03). Overview of
SharePoint 2013’s Services. Retrieved May 08, 2016, from https://davidlozzi.com/2013/04/03/overview-of-sharepoint-2013s-services/
Matthews, P. (2015,
January 21). Setting up Word Automation Service for SharePoint 2013. Retrieved
May 08, 2016, from https://cann0nf0dder.wordpress.com/2015/01/21/setting-up-word-automation-service-for-sharepoint-2013/
Microsoft. (2013,
December 18). SharePoint Health Analyzer rules reference (SharePoint 2013).
Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/ff686816.aspx
Microsoft. (2013,
December 18). Overview of managed metadata service applications in SharePoint
Server 2013. Retrieved May 08, 2016, from
https://technet.microsoft.com/en-us/library/ee424403.aspx
Microsoft. (2013,
December 18). Manage service applications in SharePoint 2013. Retrieved May 08,
2016, from https://technet.microsoft.com/en-us/library/ee704544.aspx
Microsoft. (2014,
March 11). Share service applications across farms in SharePoint 2013. Retrieved
May 08, 2016, from https://technet.microsoft.com/en-us/library/ff621100.aspx
Microsoft. (2014,
August 26). Plan for administrative and service accounts in SharePoint 2013.
Retrieved May 08, 2016, from https://technet.microsoft.com/en-us/library/cc263445.aspx
