If you have an environment where all Windows servers are hardened to meet government standards, you may have little luck installing SharePoint without getting a waiver. Those requirements mandate that the FIPS 140-2 cryptographic mode security control be enabled at the OS level. SharePoint Server does not support the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" group policy in Windows. SharePoint uses the MD5 hashing algorithm for certain non-cryptographic purposes (i.e. Microsoft is not using it for security, encryption, etc.). That policy blocks SharePoint's use of MD5, which prevents SharePoint from working correctly.
FIPS 140-2, the security requirements standard for cryptographic modules, states:
This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. [Supersedes FIPS 140-1 (January 11, 1994): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=917970]
Get a waiver.
Exclude the SharePoint server from the GPO that applies the FIPS 140-2 (cryptography module) setting. Follow my post https://www.bomzan.com/2018/01/11/guide-to-exclude-single-user-or-computer-to-exclude-from-the-group-policy/
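Before chasing a waiver or a GPO exclusion, it helps to confirm on the server itself whether the policy is actually in effect and whether it is the cause of the MD5 failure. The following Windows PowerShell script is an added example (not code from the original post). It assumes the well-known registry value the policy sets (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled`) and the .NET Framework behaviour that `MD5.Create()` throws when FIPS enforcement is on; run it under Windows PowerShell 5.1 on the SharePoint server, since PowerShell 7 on .NET Core does not enforce FIPS the same way.

```powershell
# Added example, not from the original post: report whether the FIPS policy
# is applied on this server and whether MD5 (which SharePoint needs for
# non-cryptographic purposes) can still be created by .NET Framework.
function Get-FipsPolicyState {
    # The "System cryptography: Use FIPS compliant algorithms..." policy
    # writes this value; 1 means FIPS mode is enforced.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = 0
    if (Test-Path $key) {
        $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
        if ($null -ne $value -and $null -ne $value.Enabled) { $enabled = $value.Enabled }
    }

    # Under FIPS mode, .NET Framework refuses the non-validated MD5
    # implementation and throws InvalidOperationException.
    $md5Works = $true
    $md5Error = $null
    try {
        $md5 = [System.Security.Cryptography.MD5]::Create()
        [void]$md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('probe'))
        $md5.Dispose()
    } catch {
        $md5Works = $false
        $md5Error = $_.Exception.Message
    }

    $verdict = if ($enabled) {
        'FIPS policy applied: SharePoint is unsupported here; exclude the server from the GPO or obtain a waiver'
    } else {
        'FIPS policy not applied'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FipsEnabled  = [bool]$enabled
        Md5Available = $md5Works
        Md5Error     = $md5Error
        Verdict      = $verdict
    }
}

Get-FipsPolicyState | Format-List
```

If `FipsEnabled` is true but `Md5Available` is also true, you are most likely running under PowerShell 7 rather than Windows PowerShell; rerun under 5.1 to see what SharePoint's .NET Framework code will actually experience. Once the server has been excluded from the GPO, run `gpupdate /force` and check again; the registry value should drop back to 0.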
Service Accounts and local user rights:
Name | Description | Local User Rights | Domain Rights | SQL Permission |
---|---|---|---|---|
SPAdmin | Used for installation and to run the Products Configuration Wizard | Local Administrator on the SP server, Adjust memory quotas for a process, Impersonate a client after authentication, Log on as a batch job, Log on as a service, Restore files and directories, Take ownership of files or other objects | Domain User | Public, dbcreator and securityadmin SQL roles |
SPFarm | Used to configure and manage the server farm, and to run the Microsoft SharePoint Foundation Workflow Timer Service, Central Administration and the User Profile Service | Local Administrator on the SP server during User Profile Service provisioning (remove after configuration is complete), Back up files and directories, Bypass traverse checking, Impersonate a client after authentication, Log on as a batch job, Log on as a service, Replace a process level token, Generate security audits | Domain User | Public, dbcreator and securityadmin SQL roles |
SPWebApps | Used to run web application pools | Adjust memory quotas for a process, Impersonate a client after authentication, Log on as a batch job, Log on as a service | Domain User | None |
SPServiceApps | Used to run service application pools | Adjust memory quotas for a process, Impersonate a client after authentication, Log on as a batch job, Log on as a service | Domain User | None |
SPContent | Used as the default account by the Search Service application to crawl content | Impersonate a client after authentication, Log on as a batch job, Log on as a service | Domain User | None |
SPProfile | Used as the User Profile Synchronization account | None | Domain User and Replicate Directory Changes permission on the domain | None |
Name | Description | Local User Rights | Domain Rights | SQL Permission |
---|---|---|---|---|
SQLInstall | Account used to install SQL Server | Local Administrator on the SQL server | Domain User | Permissions are assigned when SQL Server is installed on the SQL server |
SQLUser | Account used to run the following SQL Server services: MSSQLSERVER, SQLSERVERAGENT | Bypass traverse checking, Log on as a service | Domain User | Permissions are assigned when SQL Server is installed on the SQL server |
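The local user rights in the tables above are easy to get wrong when a hardening baseline also manages them through GPO, so it is worth auditing what is actually assigned on each server. The following PowerShell script is an added example (not code from the original post or from the blog it credits). It exports the effective local security policy with `secedit.exe /export`, parses the `[Privilege Rights]` section, and compares it with the rights the SharePoint table expects; the `DOMAIN\...` account names are placeholders for your own service accounts, and the mapping from the friendly right names in the table to their `Se*` constants is standard Windows naming. Run it as a local administrator on the SharePoint server.

```powershell
# Added example, not from the original post: audit local user rights
# assignments against the service-account table above.
# Placeholder account names: replace DOMAIN with your own domain.
# Friendly name -> constant mapping (standard Windows names):
#   Adjust memory quotas for a process        = SeIncreaseQuotaPrivilege
#   Impersonate a client after authentication = SeImpersonatePrivilege
#   Log on as a batch job                     = SeBatchLogonRight
#   Log on as a service                       = SeServiceLogonRight
#   Restore files and directories             = SeRestorePrivilege
#   Take ownership of files or other objects  = SeTakeOwnershipPrivilege
#   Back up files and directories             = SeBackupPrivilege
#   Bypass traverse checking                  = SeChangeNotifyPrivilege
#   Replace a process level token             = SeAssignPrimaryTokenPrivilege
#   Generate security audits                  = SeAuditPrivilege
$Expected = @{
    'DOMAIN\SPAdmin'       = 'SeIncreaseQuotaPrivilege','SeImpersonatePrivilege','SeBatchLogonRight','SeServiceLogonRight','SeRestorePrivilege','SeTakeOwnershipPrivilege'
    'DOMAIN\SPFarm'        = 'SeBackupPrivilege','SeChangeNotifyPrivilege','SeImpersonatePrivilege','SeBatchLogonRight','SeServiceLogonRight','SeAssignPrimaryTokenPrivilege','SeAuditPrivilege'
    'DOMAIN\SPWebApps'     = 'SeIncreaseQuotaPrivilege','SeImpersonatePrivilege','SeBatchLogonRight','SeServiceLogonRight'
    'DOMAIN\SPServiceApps' = 'SeIncreaseQuotaPrivilege','SeImpersonatePrivilege','SeBatchLogonRight','SeServiceLogonRight'
    'DOMAIN\SPContent'     = 'SeImpersonatePrivilege','SeBatchLogonRight','SeServiceLogonRight'
}

function Get-AssignedUserRights {
    # secedit writes an .inf whose [Privilege Rights] section lists each
    # right as "SeXxx = *SID,*SID,..." (accounts appear as SIDs prefixed '*').
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $members = foreach ($m in $Matches[2].Split(',')) {
                $m = $m.Trim()
                if ($m.StartsWith('*')) {
                    # Translate the SID to DOMAIN\name; keep the raw SID if that fails.
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($m.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $m }
                } else { $m }
            }
            $rights[$name] = @($members)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-ServiceAccountRights {
    param([hashtable]$Expected)
    $assigned = Get-AssignedUserRights
    foreach ($account in $Expected.Keys) {
        foreach ($right in $Expected[$account]) {
            $has = $assigned.ContainsKey($right) -and ($assigned[$right] -contains $account)
            [pscustomobject]@{ Account = $account; Right = $right; Assigned = $has }
        }
    }
}

# Show only what is missing; an empty table means the server matches the expectation.
Test-ServiceAccountRights -Expected $Expected | Where-Object { -not $_.Assigned } | Format-Table -AutoSize
```

The comparison is by direct assignment only: a right granted through a group the account belongs to (for example via the local Administrators group for SPAdmin) will show as missing, so treat the output as a list of items to verify rather than a definitive failure. Local Administrators membership for SPAdmin and SPFarm is not a user right and is not covered here; check it with `Get-LocalGroupMember Administrators`.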
Note: I referred to various blogs and particularly credit goes to https://absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best-practices-explained.html