
Creating a customized domain user account with the least SQL permissions

If your organization's policy restricts you from using administrator credentials, or if you prefer not to use them for other reasons, you can create a customized normal domain user account that holds only the least SQL Server permissions the product needs.

Active directory

1 Create a new domain user account in Active Directory (for example: MSMSDBAccnt).

2 Assign the account privileges equivalent to those of the Users group; do not add it to any administrative group.

3 The product installer prompts for this account's credentials when configuring the database access account for the remote SQL connection.

SQL server

1 SQL Server administrator rights are required to make these changes. Make them under SQL Server Security:

a Add the custom user account (for example: MSMSDBAccnt) as a login to be used as the McAfee Security for Microsoft SharePoint database access account. Leave it with only the default public permissions; do not add it to any server role.

b Under user mapping, select:

• All SharePoint content databases corresponding to web applications.

• Content database corresponding to your administrator web application.

• SharePoint configuration database.

2 Grant these permissions.

• Assign Execute rights on the following securables in the SharePoint configuration database (the exact list might differ slightly):

Securables

proc_getObjectsByBaseClass

proc_getSiteMap

proc_getSiteSubset

proc_getObjectsByClass

proc_getSiteMapById

proc_getSiteNames

proc_getSiteCount

• For each web content database and the administrator content database, assign Execute rights on the following securables. (The exact list may differ based on the environment and the applications deployed in the SharePoint farm. Monitor the event viewer regularly to fine-tune this list.)

Securables

proc_GenerateNextId

proc_GetWebMetainfo

UserData (under the Views section; because this is a view rather than a stored procedure, the right to grant on it is Select)

• For each web content database and the administrator content database, assign Execute rights on the fn_GetFullUrl object (in each database, go to Programmability | Functions | Scalar-Valued Functions).

3 No requirement for local administrator group membership.
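The following is an added example, not code from the McAfee product guide, showing the SQL Server steps above applied from a SharePoint server as a SQL Server administrator. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and the SharePoint snap-in are available; the account name CONTOSO\MSMSDBAccnt, the instance name SQL01\SHAREPOINT and the helper function Grant-DatabaseRights are placeholders for this illustration. It discovers the configuration and content databases from the farm rather than hard-coding names, grants only object-level Execute/Select rights, and finishes by listing what the account actually holds so that nothing broader slipped in.

```powershell
# Added example (not from the McAfee product guide). Run as a SQL Server
# administrator on a SharePoint server. Account and instance are placeholders.
Import-Module SqlServer
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account  = 'CONTOSO\MSMSDBAccnt'   # placeholder: the custom domain account
$instance = 'SQL01\SHAREPOINT'       # placeholder: SQL Server instance hosting the farm

# Securables named in step 2. The lists can differ per farm; extend them from
# access-denied events in the event viewer, as the guide advises.
$configProcs  = 'proc_getObjectsByBaseClass','proc_getSiteMap','proc_getSiteSubset',
                'proc_getObjectsByClass','proc_getSiteMapById','proc_getSiteNames',
                'proc_getSiteCount'
$contentProcs = 'proc_GenerateNextId','proc_GetWebMetainfo'
$contentViews = 'UserData'        # a view, so it takes SELECT rather than EXECUTE
$contentFuncs = 'fn_GetFullUrl'   # scalar-valued function: EXECUTE

# Discover the databases from the farm: the configuration database, every web
# application content database, and the Central Administration content database.
$configDb   = (Get-SPDatabase | Where-Object { $_.Type -eq 'Configuration Database' }).Name
$adminApp   = Get-SPWebApplication -IncludeCentralAdministration |
              Where-Object { $_.IsAdministrationWebApplication }
$contentDbs = @(Get-SPContentDatabase | ForEach-Object Name) +
              @($adminApp.ContentDatabases | ForEach-Object Name) |
              Select-Object -Unique

$bracketed = '[' + $account.Replace(']', ']]') + ']'    # T-SQL identifier form
$literal   = "N'" + $account.Replace("'", "''") + "'"   # T-SQL string literal form

# Step 1a: a Windows login that keeps only the default 'public' server role.
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $literal)
    CREATE LOGIN $bracketed FROM WINDOWS;
"@

function Grant-DatabaseRights {
    param([string]$Database, [string[]]$Procs, [string[]]$Views, [string[]]$Funcs)
    # Step 1b: map the login into the database; no database role beyond 'public'.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $literal)
    CREATE USER $bracketed FOR LOGIN $bracketed;
"@
    # Step 2: object-level grants only (no db_owner, no schema-wide rights).
    foreach ($p in $Procs) { $sql += "`nGRANT EXECUTE ON OBJECT::dbo.[$p] TO $bracketed;" }
    foreach ($v in $Views) { $sql += "`nGRANT SELECT  ON OBJECT::dbo.[$v] TO $bracketed;" }
    foreach ($f in $Funcs) { $sql += "`nGRANT EXECUTE ON OBJECT::dbo.[$f] TO $bracketed;" }
    Invoke-Sqlcmd -ServerInstance $instance -Database $Database -Query $sql
}

Grant-DatabaseRights -Database $configDb -Procs $configProcs
foreach ($db in $contentDbs) {
    Grant-DatabaseRights -Database $db -Procs $contentProcs -Views $contentViews -Funcs $contentFuncs
}

# Verification: show every permission and role membership the account holds in
# each database. Expect only the EXECUTE/SELECT grants above plus CONNECT.
foreach ($db in @($configDb) + $contentDbs) {
    Invoke-Sqlcmd -ServerInstance $instance -Database $db -Query @"
SELECT DB_NAME() AS db, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = $literal
UNION ALL
SELECT DB_NAME(), 'ROLE MEMBER', r.name, NULL
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = $literal;
"@ | Format-Table -AutoSize
}
```

If the verification output shows any role membership other than public, or any permission beyond EXECUTE on the listed procedures and function and SELECT on UserData, the account has more than the guide calls for and the extra grant should be revoked.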

SharePoint server

1 No requirement for local administrator group membership by the domain user account (For example: MSMSDBAccnt) used by McAfee Security for Microsoft SharePoint.

2 No requirement for interactive login.

3 No requirement for Site Collection administrator.

4 Create a new Permission Policy Level (For example: MSMS-Permissions) and grant the following permissions. These permissions are the minimal set for McAfee Security for Microsoft SharePoint to work with the SharePoint Object model and iterate over the SharePoint store to do scan and clean.

(SharePoint Farm administrator rights are required to make this change).

a Under Site collection Permissions grant Site Collection Auditor permission. Site collection auditors have Full Read access for the entire site collection including reading permissions and configuration data. McAfee Security for Microsoft SharePoint requires this as it monitors the SharePoint anti-virus settings to determine whether real-time scan is enabled or disabled.

b In List permissions section, grant these permissions:

• Manage List — Required for replacing/deleting infected content added as an attachment under items in Discussions.

• Override Check Out — Required to forcefully check in a document detected as infected and perform the action as per policy.


• Add Items — Required for replacing the infected file with a file containing replacement alert message.

• Edit Items — Required for updating the checked out documents while forcefully checking in with a check in comment.

• Delete Items — Required for removing an infected list item (document).

• View Items — Required for the target picker while defining a scan target.

c Under Site Permissions, grant View Pages - View pages in a website permission. Without this, McAfee Security for Microsoft SharePoint is unable to iterate over the site in on-demand scan tasks.

d Save the newly created permission policy level.

5 For each Web application created in the SharePoint Farm:

a Update the Web application policy for the respective web application to add the product database access account (For example: MSMSDBAccnt) with Permission Policy Level created earlier (For example: MSMS-Permissions).

b Update the Web application policy to cover any web applications that are added in future.

This does not cover the Central Administration web application, which is not scanned unless Option 1 above is chosen. Alternatively, add the product database access account (for example: MSMSDBAccnt) as a secondary site collection administrator on the Central Administration web application only.

6 These steps can also be scripted. Local administrator rights or GPOs are required to make the group updates. On each SharePoint server, add the McAfee Security for Microsoft SharePoint database access account (for example: MSMSDBAccnt) to the IIS and SharePoint worker-process groups: IIS_WPG (IIS 6) or IIS_IUSRS (IIS 7), and WSS_WPG.

7 Grant the product database access account (for example: MSMSDBAccnt) Modify permission, which provides the read and delete access it needs, on the McAfee Security for Microsoft SharePoint bin folder (<Product Install Location>\Bin). This step can also be scripted; local administrator rights or GPOs are required to make the change. The folder is specific to McAfee Security for Microsoft SharePoint.

For example, for a default installation the bin folder path is C:\Program Files\McAfee\McAfee PortalShield\Bin

• This permission is required if on-demand scans are scheduled via ePolicy Orchestrator.

During runtime, ePolicy Orchestrator passes the configuration details needed for the on-demand scan to the McAfee agent plug-in, which will place the configuration details in a file in the product bin folder with a .tmp extension. The on-demand process (RunScheduled.exe) reads the configuration from this file and then deletes it.

• A regular domain account (for example: MSMSDBAccnt) does not have read or delete access to the bin folder by default, so Modify access must be granted to the product database access account (for example: MSMSDBAccnt) on that folder.

This can be done after installation or via GPOs (Group Policy Objects).
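The following is an added example, not code from the McAfee product guide, covering steps 4 to 7 of the SharePoint server procedure above. It assumes a farm administrator who is also a local administrator on each SharePoint server; the account name CONTOSO\MSMSDBAccnt, the policy level name MSMS-Permissions and the default bin path are placeholders. Step 5 runs once for the farm, while steps 6 and 7 must be run on every SharePoint server. The Site Collection Auditor flag from step 4a is not set by this script; enable it for the policy level in Central Administration as described above. The script also handles one point the manual steps hide: on a claims-mode web application the policy must be bound to the claims-encoded form of the account, not the plain domain\user name.

```powershell
# Added example (not from the McAfee product guide). Run as a farm administrator
# with local administrator rights on the server; names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account    = 'CONTOSO\MSMSDBAccnt'                              # placeholder
$policyName = 'MSMS-Permissions'                                 # placeholder
$binFolder  = 'C:\Program Files\McAfee\McAfee PortalShield\Bin'  # default install path

# Steps 4b and 4c as SPBasePermissions flags: Manage List, Override Check Out,
# Add/Edit/Delete/View Items and View Pages. Nothing else is granted.
$rights = [Microsoft.SharePoint.SPBasePermissions](
    'ManageLists, CancelCheckout, AddListItems, EditListItems, ' +
    'DeleteListItems, ViewListItems, ViewPages')

# Step 5a: create the policy level on every web application and bind the account.
# Get-SPWebApplication omits Central Administration by default, which matches the
# note above that Central Admin is not covered by this policy.
$claim = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
foreach ($webApp in Get-SPWebApplication) {
    $role = $webApp.PolicyRoles | Where-Object { $_.Name -eq $policyName }
    if (-not $role) {
        $role = $webApp.PolicyRoles.Add($policyName,
            'Minimal rights for McAfee Security for Microsoft SharePoint scanning')
    }
    $role.GrantRightsMask = $rights
    $role.DenyRightsMask  = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

    # Claims web applications store the encoded identity (i:0#.w|...), not domain\user.
    $userName = if ($webApp.UseClaimsAuthentication) { $claim.ToEncodedString() } else { $account }
    $policy = $webApp.Policies | Where-Object { $_.UserName -eq $userName }
    if (-not $policy) { $policy = $webApp.Policies.Add($userName, 'MSMSDBAccnt') }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $policyName })) {
        $policy.PolicyRoleBindings.Add($role)
    }
    $webApp.Update()
}

# Step 6 (per server): worker-process groups. IIS_WPG exists only on IIS 6, so
# groups absent on this server are skipped. Uses the LocalAccounts cmdlets of
# PowerShell 5.1; on older servers use "net localgroup <group> <account> /add".
foreach ($group in 'WSS_WPG', 'IIS_IUSRS', 'IIS_WPG') {
    if (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue) {
        $members = Get-LocalGroupMember -Group $group | ForEach-Object Name
        if ($members -notcontains $account) {
            Add-LocalGroupMember -Group $group -Member $account
        }
    }
}

# Step 7 (per server): Modify on the product Bin folder, inherited by its contents,
# so the on-demand scan process can read and delete the .tmp configuration file
# that ePolicy Orchestrator places there.
$acl  = Get-Acl -Path $binFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $binFolder -AclObject $acl

# Check: the entry for the account should read Modify, Synchronize and not FullControl.
(Get-Acl -Path $binFolder).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

Run the step 6 and step 7 portions on each SharePoint server in the farm; the policy portion only needs to run once because web application policies are stored in the configuration database.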
