MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-15
Documenting Security for Service Accounts

Key Points
Documenting your security plan is crucial. This will help you to manage the day-to-
day security of your SharePoint infrastructure, troubleshoot problems, and recover
from disaster. The service account configurations should be part of this
documentation.
You can use a worksheet to document your service account configuration. You
should include the following information:
• What is the account name?
• Which service or service application does the account support?
• Is this a managed account?


Note: Always update your documentation when you make changes to any accounts.
MCT USE ONLY. STUDENT USE PROHIBITED
5-16 Designing a Microsoft® SharePoint® 2010 Infrastructure
Best Practices for Service Accounts

Key Points
The following list describes best practices for working with service accounts:
• Use managed accounts. Active Directory now includes both fine-grained
password policies and managed service accounts. The former enables you to
require stronger, more complex, and more frequently changed passwords for
important accounts—including service accounts. The latter enables you to
change a password on a service account without reconfiguring the service itself
with the new password. SharePoint 2010 can use these Active Directory
features to automatically reset managed account passwords, but this
configuration is optional.

Prior to the implementation of the automatic password change feature,
updating passwords required resetting each account password in Active
Directory and then manually updating account passwords on all of the
services running on all the computers in the farm. To do this, you had to run
the Stsadm command-line tool or use the SharePoint Central Administration
Web application. Using the automatic password change feature, you can now
register managed accounts and enable SharePoint 2010 to control account
passwords, based on individually configured password reset schedules. You
MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-17
can configure accounts used exclusively by the SharePoint farm, such as the
SharePoint Farm account, SharePoint service accounts, and the application
pool accounts for SharePoint Web applications, to reset automatically.
Accounts that are also used by other applications, such as the SQL Service
account, should not be automatically reset.

• Create separate service accounts for specific service applications. Creating separate
service accounts for service applications that host sensitive data helps to secure
your SharePoint infrastructure. By using separate service accounts, you can
ensure that you do not assign the rights and permissions that these service
applications require to generic service accounts that do not require them.
• Create separate application pool accounts for specific Web applications. Creating
separate application pool accounts for service applications that host sensitive
data helps to secure your SharePoint infrastructure. By using separate service
accounts, you can isolate Web applications and their content to provide a
more secure environment.


MCT USE ONLY. STUDENT USE PROHIBITED
5-18 Designing a Microsoft® SharePoint® 2010 Infrastructure

Lesson 3
Planning Security for Users and Groups

Designing a permission structure for users and groups that is easy to maintain and
provides users with only the permissions that they require to perform their job
functions is key to the security of your data.
To design effective security, you must understand the structures that provide
access to content in SharePoint 2010. You must consider how to use permission
levels to apply permissions for sites and site collections, how best to group users,
and how to determine the most appropriate groups to use. You must also decide
whether to allow anonymous access and understand the impact of permission
policies.
Objectives
After completing this lesson, you will be able to:
• List the default permission levels for team sites and publishing sites.
• Describe site collections and site permissions.
• Plan permission assignment.
MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-19
• Plan access for authenticated users and anonymous users.
• Plan access policies.


MCT USE ONLY. STUDENT USE PROHIBITED
5-20 Designing a Microsoft® SharePoint® 2010 Infrastructure
Permission Levels

Key Points
A permission level is a predefined set of permissions that allows users to perform a
set of related tasks. For example, the Read permission level includes the View

Items, Open Items, View Pages, and View Versions permissions (among others), all
of which are required to read documents, items, and pages of a SharePoint site.
SharePoint 2010 includes five permission levels by default. To simplify the
administration of your security plan, you should use the default permission levels
whenever possible. However, you can customize the permissions in the default
permission levels, with the exception of the Limited Access and Full Control
permission levels. You can also create customized permission levels that contain
only the specific permissions that you require.
Although you cannot directly edit the Limited Access and Full Control permission
levels, you can make individual permissions unavailable for the entire Web
application. This removes these permissions from the Limited Access and Full
Control permission levels.
MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-21
The different SharePoint 2010 site templates have different default permission
levels. For example, the following table lists the default permission levels for Team
Sites in SharePoint 2010.
Permission level Description
Permissions included by
default
Limited Access

Allows access to shared resources in
the Web site so that users can
access an item in the site. Designed
to be combined with fine-grained
permissions to give users access to
a specific list, document library,
item, or document without giving
them access to the entire site.

Cannot be customized or deleted.
Browse User Information
Use Client Integration
Features
Open

Read

Allows read-only access to the Web
site.

View Items
Open Items
View Versions
Create Alerts
View Application Pages
Use Self-Service Site
Creation
View Pages
Browse User Information
Use Remote Interfaces
Use Client Integration
Features
Open
Contribute

Create and edit items in the
existing lists and document
libraries.
Read permissions, plus:

Manage Unsafe Content
Design

Create lists and document libraries
and edit pages in the Web site.

Approve permissions, plus:
Manage Lists
Add and Customize Pages
Apply Themes and Borders
Apply Style Sheets
Full Control Allows full control of the scope. All permissions
MCT USE ONLY. STUDENT USE PROHIBITED
5-22 Designing a Microsoft® SharePoint® 2010 Infrastructure
If you use a site template other than the Team Site template, you will see a different
list of default SharePoint groups. For example, the following table shows
additional permission levels that are provided with the Publishing template.
Permission level Description
Permissions included by
default
Restricted Read

View pages and documents.
For publishing sites only.

View Items
Open Items
View Pages
Open
View Only


View pages, list items, and
documents. If the
document has a server-side
file handler available, users
can only view the
document by using this file
handler.

Limited Access permissions,
plus:
View Items
View Versions
Create Alerts
Create Mobile Alerts
View Application Pages
Approve

Edit and approve pages, list
items, and documents. For
publishing sites only.

Contribute permissions,
plus:
Override Checkout
Approve Items
Manage Hierarchy

Create sites and edit pages,
list items, and documents.

For publishing sites only.

Design permissions (minus
the Approve Items
permission), plus:
Manage Permissions
View Usage Data
Create Subsites
Manage Web Site
Manage Alerts

Additional Reading
For more information about how to determine permission levels and groups for
SharePoint 2010, see


MCT USE ONLY. STUDENT USE PROHIBITED
Designing a Security Plan 5-23
Site Collections and Site Permissions

Key Points
By using permission levels, you can apply permissions at all levels in your
SharePoint hierarchy to control access to content. You can give permissions for a
specific site collection, site, list or library, folder, document, or item to users and
groups.
Consider how tightly you want to control permissions for the site or site content.
For example, you may want to control access at the site level, or you may require
more restrictive security settings for a specific list, folder, or item. Your security
plan should include this information and the rationale behind it. For sites that
have a definite security model and structure—such as Human Resources,

Communications, Portal, or Document Center—your plan should cover the
permissions structure in detail. For team and project sites, you should include
general security practices and guidelines in the security plan.
If your design requires local or departmental administrators to manage site
collections, you can make them site collection administrators. Site collection
administrators have the Full Control permission level on all Web sites in a site
MCT USE ONLY. STUDENT USE PROHIBITED
5-24 Designing a Microsoft® SharePoint® 2010 Infrastructure
collection. Site collection administrators have access to content in all sites in that
site collection, even if they do not have explicit permissions on that site.
Users who create sites automatically become site owners. They can perform
administration tasks for the site and for any list or library in that site. Site owners
receive e-mail notifications for events, such as the pending automatic deletion of
inactive sites and requests for site access. If you require users to administer sites
that they did not create, you can add them to the relevant site owners group.
Default Site Permissions
When a site collection is created, default groups are also created that receive
specific permission levels for sites in the site collection. You should plan to use
these defaults whenever possible to simplify your security plan.
The groups that SharePoint creates vary depending on the template that is used.
The following table describes these groups and the permission levels that
SharePoint grants for team sites.
Group name Default permission level Description
Owners Full Control Administrator access.
Designers Design Create lists and document
libraries, edit pages, and
apply themes, borders, and
style sheets.
Members Contribute Add, edit, and delete items
in existing lists and

document libraries.
Visitors Read Read-only access.
Viewers View Only View pages, list items, and
documents.

Additional Reading
For more information about how to plan site permissions for SharePoint 2010, see