The security principle for accounts is simple: grant only the rights required to accomplish a task, and no more. This principle applies to the accounts of human users, but also to service accounts.
SharePoint 2010 service accounts are no exception. This article describes the accounts required and the rights to assign to each of them in order to secure a SharePoint 2010 server farm.
The Setup Account
The first account to create is the one that installs SharePoint; we'll call it spAdmin in this article. It must be a domain account and must be added to the local Administrators group on each SharePoint server in the farm.
Do not install SharePoint with your own administrative account: spAdmin must be the owner of the SharePoint farm and of the configuration databases. The account that installs and configures the product is recorded in many places, so it is important to use an account dedicated (and linked) to the farm rather than one that corresponds to an individual user. And because this account is not linked to a specific user, it should have no rights outside the SharePoint farm.
spAdmin should have no administrative rights on the SQL Server if it is located on a separate machine (physical or virtual). It still needs some access, because during installation and configuration the process runs under spAdmin and uses that account to create the databases and the SQL logins. Therefore, before configuring SharePoint, grant the spAdmin login the dbcreator and securityadmin server roles on the SQL Server.
The SQL Server service account
The second account, called spSQL in this article, is used by the SQL services: it runs the SQL Server and SQL Server Agent services. Like spAdmin, spSQL must be a domain account so that its management is centralized. spSQL must not be given any specific permissions at the domain level; the rights it needs are assigned locally on the SQL server during the installation of SQL Server.
The farm administrator account
This account gives access to the data of the SharePoint farm servers and is also the account under which the farm's processes run. We will call it spFarm from here on. Of course, spFarm must be a domain account. It is specified when configuring SharePoint and is given ownership of the configuration database by the account that performs the installation, spAdmin. The configuration wizard also configures several Windows services to run under this account, such as the Timer service and Central Administration. This means that everything done in Central Administration runs under the spFarm account, and therefore that spFarm must have administrative privileges.
spFarm must be a member of the local Administrators group on each server in the farm; this must be done manually before installing SharePoint on the server. All other privileges required by spFarm are assigned automatically by the configuration wizard, including the dbcreator role on the SQL Server, which allows the future creation of content databases for Web applications. It is indeed the account running the Central Administration application pool, i.e. spFarm, that creates the databases when Web applications are created. The securityadmin role is also granted to spFarm on the SQL Server so that it can create SQL logins when dedicated accounts are assigned to the application pools of Web applications. The last role assigned on the SQL Server is db_owner on every database of the SharePoint farm, which makes spFarm the real, non-human owner of the SharePoint farm.
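As an added example (not from the original article), the T-SQL below grants the spAdmin login exactly the two server roles described above and then lists the server roles held by the three farm accounts, flagging sysadmin, which none of them should hold. The domain name CONTOSO is a placeholder; the account names are those used in this article.

```sql
-- Added example, not from the original article. CONTOSO is a placeholder domain.
-- Run on the SQL Server instance before launching the SharePoint configuration wizard.
-- Uses SQL Server 2008-era syntax (sp_addsrvrolemember), which SharePoint 2010 supports.
USE [master];
GO

-- 1. Create a Windows-authenticated login for the setup account if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE [name] = N'CONTOSO\spAdmin')
    CREATE LOGIN [CONTOSO\spAdmin] FROM WINDOWS;
GO

-- 2. Grant only the two server roles the setup account needs:
--    dbcreator     -> create the configuration and Central Administration databases
--    securityadmin -> create the SQL logins for spFarm and the application pool accounts
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\spAdmin', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\spAdmin', @rolename = N'securityadmin';
GO

-- 3. Verification: list every server role held by the SharePoint accounts.
--    sysadmin is flagged because it exceeds what the article assigns to any of them.
SELECT  l.[name] AS login_name,
        r.[name] AS server_role,
        CASE WHEN r.[name] = N'sysadmin' THEN 'REVIEW: exceeds required rights'
             ELSE 'ok' END AS assessment
FROM    sys.server_role_members AS m
        JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
        JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE   l.[name] IN (N'CONTOSO\spAdmin', N'CONTOSO\spFarm', N'CONTOSO\spSQL')
ORDER BY l.[name], r.[name];
GO
```

After the configuration wizard has run, rerunning step 3 should show spFarm holding dbcreator and securityadmin as well, but still no sysadmin membership for any of the three accounts.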