I have received the following health analyzer warning:
Using highly-privileged accounts as application pool or as service identities poses a security risk to the farm, and could allow malicious code to execute. The following services are currently running as accounts in the machine Administrators group:
SharePoint Central Administration v4 (Application Pool)
FIMSynchronizationService(Windows Service)
SPTimerV4(Windows Service)
WebAnalyticsService(Windows Service)
The farm has three servers - 1 WFE, 1 App, 1 SQL. SharePoint Server 2010 SP2 (build 14.0.7015.1000). I am receiving this alert for only the application server.
I have implemented service accounts using least permissions. The farm service account is not a local administrator on any server in the farm. Here is a listing from whoami /groups for the farm service account:
GROUP INFORMATION
-----------------

Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
SPAPP\WSS_ADMIN_WPG                    Alias            S-1-5-21-1939514615-3554586029-2503448826-1009 Mandatory group, Enabled by default, Enabled group
SPAPP\WSS_RESTRICTED_WPG_V4            Alias            S-1-5-21-1939514615-3554586029-2503448826-1010 Mandatory group, Enabled by default, Enabled group
SPAPP\WSS_WPG                          Alias            S-1-5-21-1939514615-3554586029-2503448826-1011 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                      Alias            S-1-5-32-568                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users          Alias            S-1-5-32-559                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users      Alias            S-1-5-32-558                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
DOMAIN\Intranet Members                Group            S-1-5-21-3665152110-4005653958-1721397271-1216 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                    Mandatory group, Enabled by default, Enabled group
Further curiosity: The web analytics service uses a dedicated service account, which I can confirm from the service account page in Central Administrator and with PowerShell:
PS > $webanalytics = (Get-SPFarm).Services | where {$_.Name -eq "WebAnalyticsService"}
PS > $webanalytics.ProcessIdentity.Username
DOMAIN\sp-wa-dp
I'm at a loss for what else I could check, considering the farm service account is not a local administrator.
Any ideas?
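
A cross-check of the three Windows services named in the warning against the direct members of the local Administrators group, added here as an example (it is not part of the original post). It assumes it is run on the application server that raises the alert and that the group has its default English name; it does not expand nested domain groups or cover the Central Administration application pool.

```powershell
# Added example: which of the Windows services named in the warning log on
# as an account that is a DIRECT member of the local Administrators group?
# Service names are taken from the post; everything else is illustrative.
$serviceNames = 'FIMSynchronizationService', 'SPTimerV4', 'WebAnalyticsService'

# Collect the direct members of the local Administrators group, keyed by SID.
# Assumption: the group is named "Administrators" (English-language OS).
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$adminMembers = @{}
foreach ($member in @($group.psbase.Invoke('Members'))) {
    $type  = $member.GetType()
    $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    $adminMembers[$sid] = $path
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$report = foreach ($name in $serviceNames) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed on this server"; continue }

    # The account the service actually logs on as, per the Service Control Manager.
    $account = $svc.StartName
    if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }

    # Compare by SID so DOMAIN\user and user@domain spellings both match.
    $sid = $null
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate($sidType).Value
    } catch {
        Write-Warning "Could not resolve '$account' to a SID"
    }

    $isAdmin = 'Unresolved'
    if ($sid) { $isAdmin = $adminMembers.ContainsKey($sid) }

    New-Object PSObject -Property @{
        Service          = $name
        LogOnAs          = $svc.StartName
        Sid              = $sid
        DirectLocalAdmin = $isAdmin
    }
}

$report | Select-Object Service, LogOnAs, Sid, DirectLocalAdmin | Format-Table -AutoSize
# Group SIDs left in $adminMembers are domain or local groups whose own
# membership still has to be reviewed for these accounts.
```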