SharePoint - Sharepoint Foundation 2010

Asked By achen on 08-Jul-10 04:21 PM
I received a critical issue from the Sharepoint Health Analyzer as
below.  Other than this alert, everything appears working just fine.

Should I resolve this by changing the server farm account, or by changing
the accounts for SharePoint - 80 (Application Pool) and
SPUserCodeV4 (Windows Service)?


*****************************************
Title: The server farm account should not be used for other services.

Severity: 1 - Error

Category: Security

Explanation: NT AUTHORITY\NETWORK SERVICE, the account used for the
SharePoint timer service and the central administration site, is
highly privileged and should not be used for any other services on any
machines in the server farm.  The following services were found to use
this account: SharePoint - 80 (Application Pool)
SPUserCodeV4(Windows Service)

Remedy: Browse to http://{server_name}:{port}/_admin/FarmCredentialManagement.aspx
and change the account used for the services listed in the
explanation. For more information about this rule, see
"http://go.microsoft.com/fwlink/?LinkID=142685".

Failing Services: SPTimerService (SPTimerV4)
*****************************************


achen replied to achen on 08-Jul-10 04:54 PM
The reason I found this conflict is that, according to this page:
http://technet.microsoft.com/en-us/library/ee662519(printer).aspx

********************************
The server farm account is used to perform the following tasks:

- Configure and manage the server farm.
- Act as the application pool identity for the SharePoint Central
Administration Web site.
- Run the Microsoft SharePoint Foundation Workflow Timer Service.
********************************

The second one above (Application Pool) obviously is what the alert
told me is having a problem.  If the server farm account was meant to do
that, why does it complain?

bathawes replied to achen on 08-Jul-10 06:32 PM
Looking at the error above, I would say the issue is that you are
using the network service account for your content Web apps.

The server farm account is "meant" to act as the app pool identity for
central administration - not your SharePoint portals.

If this is just a development environment (e.g. a VPC) you should be
fine. If this is a production environment that needs to be secure then
you should definitely consider using a separate account for your
content application pool.

HTH.

Benjamin Athawes
T: @benjaminathawes
W: http://mossblogger.blogspot.com

achen replied to bathawes on 08-Jul-10 06:57 PM
Ben,

Thank you for the reply.  This is a production environment; I have no
problem changing the SharePoint - 80 (Application Pool) account.  Two
more questions:

1. Could I change it to "Local Service", or do I need to register a new
local / domain account to do that?  When I tried changing it to the
Local Service account, there was a pop-up window saying:

*****************************************************************************
To ensure that all credential caches in IIS have updated, you must
run the command "IISRESET /NOFORCE" on all servers in the farm.
This should be done after all credential updates have been completed.
*****************************************************************************

Not knowing exactly what it might do, I did not confirm the change.

2. How about the SPUserCodeV4 Windows service?  Do I just change the "Log
on as" account to Local System?

bathawes replied to achen on 13-Jul-10 04:18 PM
It would be very helpful to know whether this is a single server or
farm installation - I will assume you are referring to a single server
deployment.

Either way you should use a separate domain user account per
application pool (I would steer clear of the local service account).
This account should NOT be a member of the Administrators group on any
computer in the server farm. These recommendations are there to allow
you to stick to the security principle of least privilege
administration.

The pop-up above is normal - just open up a command prompt and type
operation in that all sessions to the Web server will be terminated
and your sites will effectively be unavailable for a few minutes while
your application pools are recycled. As you have said this is a live
environment, this sounds like an out-of-hours job, as it will definitely
render the service temporarily unavailable.

As regards your SPUserCodeV4 query, I do not feel qualified to
answer that one given my current limited experience with SharePoint
2010. The service itself is the Sandboxed Code Service that runs
sandboxed (isolated) user code and helps provide a highly available
environment if utilised correctly.

HTH.
Benjamin Athawes
T: @benjaminathawes
W: http://mossblogger.blogspot.com
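
For anyone who wants to check a farm for the same condition the Health Analyzer rule reports, here is an added audit script (it is not from the thread or from Microsoft). It runs in the SharePoint 2010 Management Shell as a farm administrator and assumes only the Microsoft.SharePoint.PowerShell snap-in and local WMI; the component labels, the whitespace normalisation of account names (Windows reports "NT AUTHORITY\NetworkService", SharePoint "NT AUTHORITY\NETWORK SERVICE"), and the choice of which components are "expected" to use the farm account are my assumptions.

```powershell
# Added example: report every SharePoint 2010 process identity that reuses
# the farm account, mirroring the "server farm account should not be used
# for other services" rule. Read-only; it changes nothing.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Normalise account names so "NT AUTHORITY\NetworkService" (WMI) and
# "NT AUTHORITY\NETWORK SERVICE" (SharePoint) compare equal (assumption).
function Normalize-Account([string]$name) {
    return ($name -replace '\s', '').ToLowerInvariant()
}

# The farm account: identity of the timer service and Central Administration.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

$findings = @()

# 1. Web application pools. Central Administration is expected to run as
#    the farm account; content web apps (e.g. "SharePoint - 80") are not.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $findings += New-Object PSObject -Property @{
        Component = "Web app pool: " + $_.ApplicationPool.Name
        Account   = $_.ApplicationPool.Username
        Expected  = [bool]$_.IsAdministrationWebApplication
    }
}

# 2. Service application pools should each have their own managed account.
Get-SPServiceApplicationPool | ForEach-Object {
    $findings += New-Object PSObject -Property @{
        Component = "Service app pool: " + $_.Name
        Account   = $_.ProcessAccountName
        Expected  = $false
    }
}

# 3. Local Windows services on this server: the timer service (SPTimerV4)
#    is expected to use the farm account, the sandboxed code service
#    (SPUserCodeV4) named in the alert is not.
Get-WmiObject Win32_Service -Filter "Name='SPUserCodeV4' OR Name='SPTimerV4'" |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Component = "Windows service: " + $_.Name
            Account   = $_.StartName
            Expected  = ($_.Name -eq 'SPTimerV4')
        }
    }

# Flag components that run as the farm account without being expected to.
$violations = $findings | Where-Object {
    (-not $_.Expected) -and
    ((Normalize-Account $_.Account) -eq (Normalize-Account $farmAccount))
}

"Farm account: $farmAccount"
$findings | Format-Table Component, Account, Expected -AutoSize
if ($violations) {
    "Components that should NOT use the farm account:"
    $violations | Format-Table Component, Account -AutoSize
    # Remediation is done in Central Administration (Security > Configure
    # service accounts, or the FarmCredentialManagement.aspx page from the
    # alert); afterwards run "iisreset /noforce" on every farm server, as
    # the credential-update pop-up in the thread says, during a maintenance window.
} else {
    "No other services use the farm account."
}
```

Run it on each server in the farm, since the Windows-service part only inspects the local machine; the web and service application pool parts are farm-wide.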

callahan replied to bathawes on 15-Jul-10 08:03 PM
If it is a standalone server, you can also use a local user account,
rather than a domain account (you know, if you do not have a domain).

-callahan