Rule Name: Accounts used by application pools or service identities are in the local machine Administrators group.
Summary: The account that an application pool or service runs as should be an ordinary domain user account: it must not be a member of the Farm Administrators group, and it must not be a member of the Administrators group on the local computer. Running application pools or services under a highly privileged account is a security risk to the farm, because any code that runs in that process, including malicious code that exploits a flaw in a web application or service, then executes with administrative rights on the server.
Cause: Accounts that are used by application pools or services are members of the Administrators group on the local computer.
Resolution: Change the user account to a predefined account, or to a domain user account that is not a member of the Administrators group.
- Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
- On the Central Administration home page, in the Security section, click Configure service accounts.
- On the Service Accounts page, in the Select the component to update list, click the application pool or service that uses the credentials of a member of the Administrators group on the local computer as its security account.
- In the Select an account list, click an appropriate account for this component — for example, the predefined account Network Service — or click Register new managed account, and then on the Register Managed Account page, specify the credentials and the password change settings that you want.
- Click OK.
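The same audit and remediation from the SharePoint Management Shell, as an added example that is not part of the original page. It assumes the SharePoint PowerShell snap-in is available, that it runs on a farm server as a Farm Administrator who is also a local administrator there, and that Windows PowerShell 5.1 or later supplies `Get-LocalGroupMember`. The pool name `$PoolName` and the credential prompt are placeholders; substitute a pool flagged by the audit and a real low-privilege domain user.

```powershell
# Added example (not from the original page): find application pools whose
# identity is a local Administrator, then move one onto a plain domain user.
# Assumes the SharePoint Management Shell on a farm server, run as a Farm
# Administrator, and PowerShell 5.1+ for Get-LocalGroupMember.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Direct members of the local Administrators group on this server.
# Caveat: direct members only. An account that is an administrator through a
# nested domain group (e.g. DOMAIN\ServerAdmins) will not be listed here, so
# check nested membership separately (e.g. "whoami /groups" as that account).
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Every identity the farm runs an application pool under, from this server's view.
$identities = @()
Get-SPServiceApplicationPool | ForEach-Object {
    $identities += [pscustomobject]@{
        Kind = 'ServiceAppPool'; Name = $_.Name; Account = $_.ProcessAccountName
    }
}
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $identities += [pscustomobject]@{
        Kind = 'WebAppPool'; Name = $_.ApplicationPool.Name; Account = $_.ApplicationPool.Username
    }
}

# Flag any pool whose identity is a local Administrator.
$violations = $identities | Where-Object {
    $localAdmins -contains $_.Account.ToLowerInvariant()
}
if (-not $violations) {
    Write-Host 'No application pool on this server runs as a local Administrator.'
    return
}
$violations | Format-Table Kind, Name, Account -AutoSize

# Remediation for a flagged service application pool: register an ordinary
# domain user as a managed account (prompted) and reassign the pool to it.
$PoolName = 'SharePoint Web Services Default'   # placeholder: use a flagged pool name
$cred = Get-Credential -Message 'Domain user that is NOT a local Administrator'
$managed = Get-SPManagedAccount -Identity $cred.UserName -ErrorAction SilentlyContinue
if (-not $managed) { $managed = New-SPManagedAccount -Credential $cred }
Set-SPServiceApplicationPool -Identity $PoolName -Account $managed
```

Run the audit on each server in the farm, since local Administrators membership is per computer. `Set-SPServiceApplicationPool` covers service application pools; for a web application pool, use the Central Administration procedure above to select the managed account. After the change, confirm the new identity still has the access the pool needs (the Service Accounts page grants the required database and file permissions when a managed account is assigned there) and that the old privileged account is no longer used by any remaining pool.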