Tuesday, 9 December 2014

SharePoint 2010 New Feature: Managed Accounts

The following is an excerpt from the third issue of the SharePoint 2010 Beta series of USP Journal:
Another new feature of SharePoint 2010 is managed accounts. Consider having an application pool account, for example called DOMAIN\sp_user. You use that account for a large number of web applications. Imagine the pain when changing the password for that account; you would need to go into each and every web application and reset the password after the change, not to mention that the applications you haven’t changed yet will stop working.
SharePoint 2010 introduces the managed account. In short, rather than specifying the user name and password on every occasion, you create a managed account and set the password there. Then, when you need to enter a user account you simply select which managed account to use and you don’t need to know the password.
This also allows farm administrators to set up the service accounts so that others do not need to know the password for the account.
Oh, but there’s more. Service accounts are usually left out of the password expiry policy for the very reasons stated above. However, this is a bad security practice, because the password for such service accounts is often weak or known by multiple people. Keeping a password unchanged for years also means that an attacker would have more time to break the password encryption.
So, SharePoint 2010 also introduces automatic password change. Simply set the managed account to change the password a number of days before the password expires, and SharePoint will keep and maintain the password for the service account without you having to do anything.
You can also set up alerts so that you are notified before the password expires, and what’s even better, SharePoint will automatically detect password expiration policies that are defined for you.
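
The steps the excerpt describes, written as an added PowerShell example that is not part of the original excerpt or the USP Journal. It registers the excerpt's DOMAIN\sp_user as a managed account, turns on automatic password change, then lists every managed account with its change settings so accounts still on a static password stand out. The 14-day and 5-day values and the Saturday maintenance window are assumptions chosen for illustration.

```powershell
# Added example: run in the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'DOMAIN\sp_user'   # account name taken from the excerpt

# Register the account once. The password is typed into the credential prompt
# and is never written into a script or passed on to other administrators.
$managed = Get-SPManagedAccount | Where-Object { $_.Username -eq $accountName }
if (-not $managed) {
    $managed = New-SPManagedAccount -Credential (Get-Credential $accountName)
}

# Let SharePoint generate and rotate the password itself.
# Assumed values: change 14 days before expiry, e-mail 5 days before the change,
# and only inside a Saturday 02:00-04:00 window.
Set-SPManagedAccount -Identity $managed -AutoGeneratePassword `
    -PreExpireDays 14 -EmailNotification 5 `
    -Schedule 'weekly between Sat 02:00:00 and Sat 04:00:00'

# Audit: accounts with AutomaticChange = False still rely on a manually
# maintained password and are the ones to review first.
Get-SPManagedAccount |
    Sort-Object AutomaticChange, PasswordExpiration |
    Format-Table Username, AutomaticChange, DaysBeforeExpiryToChange,
                 EnableEmailBeforePasswordChange, PasswordExpiration -AutoSize
```

Once SharePoint generates the password, no person knows it, so the account should not be reused by anything outside the farm that needs the password typed in.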

Reference:

http://blog.furuknap.net/sharepoint-2010-new-feature-managed-accounts
