SharePoint, FIPS Compliant and Local Security User Rights Assignment Settings

If you have an environment where all Windows servers are hardened to meet a government standard, you may have little luck installing SharePoint without getting a waiver. The requirements state that the FIPS 140-2 cryptographic mode security control must be enabled at the OS level. SharePoint Server does not support the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" group policy setting in Windows. SharePoint uses the MD5 hashing algorithm for certain non-cryptographic purposes (i.e. Microsoft is not using it for security, encryption, etc.). That policy blocks SharePoint's use of MD5, which prevents SharePoint from working correctly.

FIPS 140-2, the security requirements standard for cryptographic modules, states:

This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. [Supersedes FIPS 140-1 (January 11, 1994): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=917970]

There are two ways around this:
Get a waiver.
Exclude the SharePoint servers from the GPO that applies the FIPS 140-2 (cryptographic module) setting. Follow my post: https://www.bomzan.com/2018/01/11/guide-to-exclude-single-user-or-computer-to-exclude-from-the-group-policy/

Service accounts and local user rights:

| Name | Description | Local User Rights | Domain Rights | SQL Permission |
|---|---|---|---|---|
| SPAdmin | Used for installation and to run the Products Configuration Wizard | Local Administrator on the SP server; Adjust memory quotas for a process; Impersonate a client after authentication; Log on as a batch job; Log on as a service; Restore files and directories; Take ownership of files or other objects | Domain User | Public, dbcreator and securityadmin SQL roles |
| SPFarm | Used to configure and manage the server farm, and to run the Microsoft SharePoint Foundation Workflow Timer Service, Central Administration and the User Profile Service | Local Administrator on the SP server during UPS provisioning (remove after configuration is complete); Back up files and directories; Bypass traverse checking; Impersonate a client after authentication; Log on as a batch job; Log on as a service; Replace a process level token; Generate security audits | Domain User | Public, dbcreator and securityadmin SQL roles |
| SPWebApps | Used to run web application pools | Adjust memory quotas for a process; Impersonate a client after authentication; Log on as a batch job; Log on as a service | Domain User | None |
| SPServiceApps | Used to run service application pools | Adjust memory quotas for a process; Impersonate a client after authentication; Log on as a batch job; Log on as a service | Domain User | None |
| SPContent | Used as the default account by the Search Service application to crawl content | Impersonate a client after authentication; Log on as a batch job; Log on as a service | Domain User | None |
| SPProfile | Used as the User Profile Synchronization account | None | Domain User, plus the Replicate Directory Changes permission on the domain | None |

| Name | Description | Local User Rights | Domain Rights | SQL Permission |
|---|---|---|---|---|
| SQLInstall | Account used to install SQL Server | Local Administrator on the SQL server | Domain User | Permissions are assigned when SQL Server is installed on the SQL server |
| SQLUser | Account used to run the SQL Server services MSSQLSERVER and SQLSERVERAGENT | Bypass traverse checking; Log on as a service | Domain User | Permissions are assigned when SQL Server is installed on the SQL server |
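The following PowerShell script is an added example (not from the original post or from Microsoft) that audits a SharePoint server against the two points above: it reads the FIPS policy state that the group policy setting writes to the registry, then exports the effective user rights with secedit and reports any right from the table that a service account does not hold. The account names under DOMAIN are assumed placeholders; the script must be run elevated.

```powershell
# Added example, not from the original post: audit a SharePoint server against the
# FIPS requirement and the "Local User Rights" column of the table above (run elevated;
# DOMAIN is a placeholder for your domain's NetBIOS name).
# 1. FIPS policy state: the GPO setting discussed above is stored in this registry value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($fips -and $fips.Enabled -eq 1) { Write-Warning 'FIPS algorithm policy is ENABLED: SharePoint is not supported on this host.' } else { Write-Output 'FIPS algorithm policy is disabled on this host.' }
# 2. Friendly right names from the table mapped to their secedit privilege constants.
$rightIds = @{
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Restore files and directories'             = 'SeRestorePrivilege'
    'Take ownership of files or other objects'  = 'SeTakeOwnershipPrivilege'
    'Back up files and directories'             = 'SeBackupPrivilege'
    'Bypass traverse checking'                  = 'SeChangeNotifyPrivilege'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
    'Generate security audits'                  = 'SeAuditPrivilege'
}
$common = 'Impersonate a client after authentication', 'Log on as a batch job', 'Log on as a service'
$required = @{   # assumed account names; adjust to your farm
    'DOMAIN\SPAdmin'       = @('Adjust memory quotas for a process', 'Restore files and directories', 'Take ownership of files or other objects') + $common
    'DOMAIN\SPFarm'        = @('Back up files and directories', 'Bypass traverse checking', 'Replace a process level token', 'Generate security audits') + $common
    'DOMAIN\SPWebApps'     = @('Adjust memory quotas for a process') + $common
    'DOMAIN\SPServiceApps' = @('Adjust memory quotas for a process') + $common
    'DOMAIN\SPContent'     = $common
}
# 3. Export the effective policy; secedit lists holders as *SID, so resolve each to a name.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$granted = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $matches[1]; $members = $matches[2]
        $granted[$name] = @($members -split ',' | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                try { (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
            } else { $v }
        })
    }
}
# 4. Report every right from the table that an account does not hold on this server.
foreach ($acct in $required.Keys) {
    foreach ($right in $required[$acct]) {
        $id = $rightIds[$right]
        if ($granted[$id] -notcontains $acct) { Write-Output "MISSING: $acct lacks '$right' ($id)" }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Rights granted through a group rather than directly to the account show up as the group name, so a MISSING line may simply mean the right is inherited; confirm with the Local Security Policy console before changing anything.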

Note: I referred to various blogs, and particular credit goes to https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html