Share via


Identity Manager (FIM/MIM): Planning security setup for accounts, groups and services - Part 4. Detailed Description

https://msdnshared.blob.core.windows.net/media/2016/08/7827.NinjaAwardTinyBronze.pngBronze Award Winner


Return to Table of Contents of this article series

 

Back to top


Pre-installation: Securing the FIM backend infrastructure

SQL Server

Although FIM and MIM heavily rely on SQL Server, SQL security configuration is out of scope for FIM configuration. Nevertheless, proper configuration of these accounts is key and it should be handled in cooperation with an SQL expert.

References

Please check the reference below to properly secure your SQL infrastructure you use to support FIM.

 

The Section “Service Account selection and management”, says:

"/../The Local System account is not only an account with too many privileges, but it is a shared account and might be used by other services on the same server. Any other service that uses this account has the same set up privileges as the SQL Server service that uses the account.

Although Network Service has network access and is not a Windows superuser account, it is a shareable account. This account is useable as a SQL Server service account only if you can ensure that no other services that use this account are installed on the server.

Using a local user or domain user that is not a Windows administrator is the best choice.

If the server that is running SQL Server is part of a domain and must access domain resources such as file shares or uses linked server connections to other computers running SQL Server, a domain account is the best choice.

If the server is not part of a domain (for example, a server running in the perimeter network (also known as the DMZ) in a Web application) or does not need to access domain resources, a local user that is not a Windows administrator is preferred.

Creating the user account that will be used as a SQL Server service account is easier in SQL Server 2005 than in previous versions. When SQL Server 2005 is installed, a Windows group is created for each SQL Server service, and the service account is placed in the appropriate group. To create a user that will serve as a SQL Server service account, simply create an "ordinary" account that is either a member of the Users group (non-domain user) or Domain Users group (domain user). During installation, the user is automatically placed in the SQL Server service group and the group is granted exactly the privileges that are needed.

If the service account needs additional privileges, the privilege should be granted to the appropriate Windows group, rather than granted directly to the service user account. This is consistent with the way access control lists are best managed in Windows in general. /../"

The FIM 2010 deployment guide also discusses the SQL security requirements.

Source: [12.] Before You Begin

 

Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL Server.

If you are using FIM Reporting, you will need to create two additional service accounts:

  • SQL Reporting Service Account
  • SQL Analysis Service Account

Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts (for example, Network Service). You cannot use local computer accounts.

When you configure the service accounts for SQL Server, consult the following articles:

 

Important
The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts and the FIM Service will not behave as expected.

 

Back to top

IIS

References

Please check full details in the reference below to properly secure your IIS infrastructure you use to support FIM.

Action items

Please find below a list of configuration items relevant to FIM, but do remember the complete list has more actions to achieve an IIS lock down.

Items Action
Installation and Configuration Install only the IIS modules you need.
Web Application Isolation Isolate web applications.

Separate different applications into different sites with different application pools.

Web Application Isolation

Implement the principle of least privilege.

Run your worker process as a low privileged identity (virtual application pool identity) that is unique per site.

Authentication Disable anonymous access to server directories and resources.
Application Pool Identities Don’t use the built-in service identities (such as Network Service, Local Service, or Local System).

For maximum security, application pools should run under the application pool identity that is generated when the application pool is created. The accounts that are built in to IIS are ApplicationPoolIdentity, NetworkService, LocalService, and LocalSystem. The default (recommended) and most secure is ApplicationPoolIdentity.

Application Pool Identities Using a custom identity account is acceptable, but be sure to use a different account for each application pool.

 

Exception

Reference:

  • [32.] To allow SSPR for users that forgot their password you must allow anonymous access to the password reset portal.

 

Back to top

SharePoint

Essentially the SharePoint configuration is out-of-scope for this document, but proper configuration of the SharePoint environment is essential. Please work with a SharePoint expert to secure your environment.

This section only has informational purposes, but has been added as a reminder to secure the FIM Portal back-end services.

References

Please check the reference below to properly secure your SQL infrastructure you use to support FIM.7

 

Important
We recommend that you install SharePoint Server 2010 by using least-privilege administration.

  

Accounts

Account Purpose Requirements
SQL Server service account

The SQL Server service account is used to run SQL Server. It is the service account for the following SQL Server services:

  • MSSQLSERVER
  • SQLSERVERAGENT

If you do not use the default SQL Server instance, in the Windows Services console, these services will be shown as the following:

  • MSSQL$InstanceName
  • SQLAgent$InstanceName

Use either a Local System account or a domain user account.

If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$).

The instance name is arbitrary and was created when Microsoft SQL Server was installed.

(Sharepoint)

Setup user account

The Setup user account is used to run the following:

  • Setup
  • SharePoint Products Configuration Wizard
  • Domain user account.
  • Member of the Administrators group on each server on which Setup is run.
  • SQL Server login on the computer that runs SQL Server.
  • Member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role

If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database.

Server farm account or database access account The server farm account is used to perform the following tasks:
  • Configure and manage the server farm.
  • Act as the application pool identity for the SharePoint Central Administration Web site.
  • Run the Microsoft SharePoint Foundation Workflow Timer Service.
  • Domain user account.

Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm.

The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server. The account is added to the following SQL Server security roles:

  • dbcreator fixed server role
  • securityadmin fixed server role
  • db_owner fixed database role for all SharePoint databases in the server farm

 

Back to top


Pre-installation: Securing FIM Components

FIM general

SPN

References

Please check the reference below to properly secure the require SPN entries.

 

Please refer to the references section at the end of the guide, for more details on Kerberos settings.

Description

From: [16.] FIM 2010 R2 Kerberos Settings (SPN Configuration):

”/../ Service principal names (SPNs) are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, clients have no way of locating that service. Without correctly set SPNs, Kerberos authentication is not possible.

* *

An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.

* *

Because multiple services can run simultaneously under the same account, setting an SPN requires four unique pieces of information. These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

* *

For each SPN that is set, the following information is required:

1. The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.

2. The account under which the service is running.

3. * The computer on which the service is running, including any aliases that point to that computer.*

4. The port on which the service is running (optional if the default port for the service of that type is used such as port 80 for HTTP).

FIM SPN Configuration

From: [16.] FIM 2010 R2 Kerberos Settings (SPN Configuration):

Syntax configuration examples have been omitted in this guide.

SPN Account Description
MSSQLsvc/<SQLDatabase Server> SQL Database Account SPN required for the FIM Service database. Allows clients the ability to locate an instance of SQL.
FIMService/<FIM Service Server> FIM Service Account SPN required for the FIM Service. Allows clients the ability to locate an instance of the FIM Service.
HTTP/<FIM Portal Alias> SharePoint Service Account

This is a requirement because SharePoint runs as a "farm" - even in single-server configurations - you have to run the site and authentication under the app pool account... AND still set up your SPN's.

HTTP/<passwordregistration portal server> Password Registration Server Account The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.
HTTP/<passwordreset portal server> Password Reset Server Account The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.
HTTP/<FIM CM Server> FIM CM Web Pool Agent Account This is a special case even though we are running on IIS 7.0/7.5. In this instance you must ensure that useAppPoolCredentials is set to true. This will force IIS to use the appPoolCredentials to decrypt the ticket. KernelModeAuthentication is still enabled in this instance.

 

SPN Delegation

“In a deployment with multiple FIMServices, ensure that each FIMService has constrained delegation configured so that each FIMService can successfully communicate to each other in order for Workflow Approvals to work properly. Approval Responses from users can come from any Portal or if Exchange is enabled from the FIMService that is polling. In all cases, the Approval Response will be directed to the FIMService machine that processed the original Request so cross-server communication: FIMPortal -> FIMService AND FIMService -> FIMService must work properly.”

Changing FIM Service account

References

Source: [11.] Change the Forefront Identity Manager 2010 R2 Synchronization Service Account

The procedure is described in detail in the reference TechNet page.

Before you change the account of any of the FIM Services, make sure you can roll-back, so you need to have a DRP plan in place (and a working backup-restore…)

Required settings
Items Ref. Description
Account Security [11.] To complete this procedure, you must be logged on as a member of the FIMSyncAdmins security group.
Account Security [11.]

See the Account security requirement of the FIM Sync service account, section below.

Backup [11.] Back up the encryption key set by running MIISkmu.exe.
Installation [11.] Run Setup from the FIM installation CD in maintenance mode and change the Microsoft Forefront Identity Manager 2010 R2 service account credentials from the old account to the new one. During the setup process, you are prompted for the encryption key set

 

Risks
Items Ref. Description
Attacks [11.] To prevent attacks to the registry and system files by malicious users, it is strongly recommended that you do not add the Microsoft Forefront Identity Manager 2010 R2 service account to the local administrators group.
Account Lock down [11.]

Local Security Policy

  • - Deny logon locally
  • - Deny access to this computer from the network
  • - Deny logon as a batch job
  • Deny log on through Terminal Services.

No additional lock-down procedures are needed to secure the Microsoft Forefront Identity Manager 2010 R2 service account in a domain. By default, you cannot log on locally with the Microsoft Forefront Identity Manager 2010 R2 service account.

 

Back to top

FIM Setup

FIM setup account – functional account

References
Required settings
Items Ref. Description
Account type: domain account [18.]

You must create a user account to run installation of the FIM components.

This installer account must be a domain user account.

The most important reason is that the FIM installer account is assigned root administrator in the FIM service and portal, during the installation you need SQL sysadmin (SA) rights, which is by preference a domain joined SQL server with Windows authentication.

Account Security: SQL [18.] ONLY DURING INSTALLATION

To be able to install FIM Synchronization Service or FIM Service, the account must be a SQL sysadmin.

The account that you use does not have to be a SQL sysadmin after the installation is complete.

The user account used to install the FIM Service must be granted the sysadmin role in SQL Server.

By default, members of the Local Administrators group do not have the necessary permissions.

Unless the user account is either the built-in administrator account, or the user account used to install SQL Server, then the user account must be granted the sysadmin role in SQL Server.

Account Security: Sharepiont [18.] To be able to install the FIM Portal, the account must be a SharePoint administrator.

To be able to install the FIM Portal, it is assumed that SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who is installing the FIM Portal is authorized as an administrator of that SharePoint site.

Account Security [18.] ONLY DURING INSTALLATION

This account should be a local administrator account.

Account Security [18.] ONLY DURING INSTALLATION

The FIM installer accounts should be member of the local administrators group.

Account Security [18.] The FIM installer account should only be a member of the security group FIMSyncAdmins.
Account security [18.] Use the following restrictions on the FIM installer account:
  • Deny logon as a batch job
  • Deny run as a service
Account separation [5.] Due to the fact that the FIM installer account is only used to install FIM component, during initial setup or during application of an hotfix, do not use this account for other purposes.

DO NOT

  • use the FIM Installer account for operational, day-to-day management.
  • Use the FIM installer account as service account

As other services require other privileges, the PoLP demands to use separate accounts.

 

Risks
Items Ref. Description
Same account [18.]

The FIM Sync Service account has HPA access to the FIM Sync Service operations, using the same account bestows too many unneeded privileges to the FIM Sync service account

 

FIM Synchronization Service – service account

References
  • [22.] FIM 2010 R2: Same Account being used for FIM Synchronization Service and FIM MA
  • [23.] FIM 2010 R2: FIM Service or the FIM Synchronization Service Account does not have Deny Logon As Batch Job set
  • [12.] Before you begin
  • [17.] Considerations for New Installation of FIM 2010 R2
Required settings
Items Ref. Description
Account type: domain account [12.]

You must create a service account to run the FIM Synchronization Service.

This service account must be a domain service account.

Account Security [12.] This account should not be a local administrator account.
Account Security [12.] The service accounts should not be members of the local administrators group.
Account Security [12.] The FIM Synchronization Service SVCA should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins).
Account security [12.] On the server running the FIM Synchronization Service, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account.

On the server running the FIM Service, you must only restrict the FIM Service service account, and not the FIM Synchronization Service service account.

Use the following restrictions on the service accounts:

  • Deny logon as a batch job
  • Deny logon locally
  • Deny access to this computer from the network
Account separation [12.], [17.] Due to the fact that the FIM Synchronization account is only used to run the FIM Synchronization services, do not use this account for other purposes.

As other services require other privileges, the PoLP demands to use separate accounts.

Account Separation [12.], [17.] The FIM Sync service SVCA must not be part of the FIM Sync Security Groups

The FIM Service SVCA must be part of the FIM Sync Admins security group. (See Ref. 4)

This requirement excludes the use of 1 single account for both the FIM Service and the FIM Synchronization service.

 

Exceptions
Items Ref. Description
Password reset [12.]

If you are deploying password reset, do not use the Deny access to this computer from the network restriction option.

 

Risks
Items Ref. Description
Same account [12.] Due to the fact that the FIM Synchronization account is only used to run the FIM Synchronization services, do not use this account for other purposes.

As other services require other privileges, the PoLP demands to use separate accounts.

Same account [12.]

If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server.

If access is denied, that action prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.

Same account [12.] The FIM Sync Service account has HPA access to the FIM Sync Service operations, using the same account bestows too many unneeded privileges to the FIM Sync service account

 

FIM Administrative Security Groups

References
Purpose

During installation/reconfiguration FIM will need 5 groups to manage security in FIM Sync.

3 Groups are used to control which tasks that users can perform in Synchronization Service Manager.

Items Ref. Description
FIMSyncAdmins [13.] Members of this group have full access to everything in Synchronization Service Manager GUI.
FIMSyncOperators [13.]

Members of this group have access to Operations in the Synchronization Service Manager only.

FIMSyncOperators can run management agents, view synchronization statistics for each run, and save the run histories to a file. Members of the FIMSyncOperators group must also be members of the FIMSyncBrowse group to open links in synchronization statistics.

FIMSyncJoiners [13.] Members of this group have access to Joiner and Metaverse Search in Synchronization Service Manager. FIMSyncJoiners can join or project disconnectors by using Joiner, and they can use Metaverse Search to view object properties and disconnect objects from the metaverse.

 

FIM also needs 2 security groups for authentication during password management operations, these do not have access to Synchronization Service Manager:

Items Ref. Description
FIMSyncBrowse [13.]

Can gather information about a user's lineage when resetting passwords by using Windows Management Instrumentation (WMI) queries.

FIMSyncPasswordSet [13.] Members of this group have permission to perform all operations by using the password management interfaces with WMI. Members in this group inherit all FIMSyncBrowse permissions.

For more information about setting passwords by using WMI, see the FIM Developer Reference.

 

Required configuration
Items Ref. Description
Account type: domain local groups [13.]

By default, FIM setup creates these groups as local computer groups, rather than domain local groups.

But local computer groups are known only to that server, whereas domain local groups can be recognized throughout the domain.

There might be cases where you need to use domain local groups for these roles. For example:

  • If the FIM configuration needs to be moved from one server to another, using domain local groups enables you manage access from a single location.
  • If you plan to have two servers running FIM share a database for the purposes of redundancy, it is recommended that the same users be members of the security groups that you create, and that they be recognized as such by FIM. You can accomplish this by using domain local groups.
  • And also:
  • Disaster recovery
  • Server fail over
  • Server migration
Account creation [13.] If you plan to use domain local groups, create the groups before installing FIM.
Account creation [13.] Add the FIM setup account to the domain group FIM Sync admins

 

Risk
Items Ref. Description
Group creation by wizard [13.] During installation and setup, FIM adds the user account that is running the installation to the FIMSyncAdmins group, but only if the FIMSyncAdmins group is also created during setup.

If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group.

Local groups [13.]

If you do not create the groups in advance, FIM setup will suggest to create these groups as local computer groups, rather than domain local groups.

There might be cases where you need to use domain local groups for these roles. For example:

  • Two servers running FIM wiht a shared database for the purposes of redundancy
  • FIM management is distributed across the organization, using domain local groups grant access to the appropriate people within your organization.
  • When the FIM configuration must be moved from one server to another
  • Centralised or remote log management, you can use domain local groups to control access remote servers.
  • If you are enabling password synchronization on FIM, you must use a domain account for the FIM Synchronization Service service account.

 

 

Group type selection

Source: [13.] Using Security Groups

 

There might be cases where you need to use domain local groups for these roles. For example:

  • Two servers running FIM wiht a shared database for the purposes of redundancy
  • FIM management is distributed across the organization, using domain local groups grant access to the appropriate people within your organization.
  • When the FIM configuration must be moved from one server to another
  • Centralised or remote log management, you can use domain local groups to control access remote servers.
  • If you are enabling password synchronization on FIM, you must use a domain account for the FIM Synchronization Service service account.

 

Important

If you plan to use domain local groups, create the groups before installing FIM.

 

* FIM task scheduler – technical account*
Required settings
Items Ref. Description
Account type: domain account  

You must create a service account to execute the FIM Task scheduler jobs.

Due to the fact the FIM Security groups should be hosted on AD, this service account must be a domain user account.

Account Security   This account should not be a local administrator account.
Account Security   The service accounts should not be members of the local administrators group.
Account Security   The FIM task scheduler account must be a member of the security group FIMSyncAdmins, to allow for cleaning the run history
Account security   On the server running the FIM Synchronization Service, you must allow the FIM Task scheduler account
  • Allow logon as a batch job

 

Use the following restrictions on the FIM task scheduler account:

  • Deny Logon as a service
  • Deny access to this computer from the network
  • Deny logon on through Remote Desktop services
Account Security – Folder access   The FIM task scheduler account might need specific access on files and folders on the server to
  • Run scripts
  • Create log files
Account separation   Due to the fact that the FIM Task scheduler account is only used to execute the tasks, do not use this account for other purposes.

As other services require other privileges, the PoLP demands to use separate accounts.

 

PCNS

<To be completed>

Back to top

FIM Service

FIM Service – service account

References
  • [23.] FIM 2010 R2: FIM Service or the FIM Synchronization Service Account does not have Deny Logon As Batch Job set
  • [12.] Before you begin
  • [17.] Considerations for New Installation of FIM 2010 R2
  • [18.] Installing the FIM 2010 R2 Server Components
Required settings
Items Ref. Description
Account type: domain account [12.] To run the FIM Service component, you must have a dedicated domain service account
Account type: mail enabled [12.] To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM 2010 R2 Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway.
Account Security [23.] This account should not be a local administrator account.
Account Security [12.]

The service accounts should not be members of the local administrators group.

Account Security [17.] The FIM Service Service SVCA must be member of the security groups:
  • FIMSyncAdmins

For SSPR

  • FIMSyncBrowse and FIMSyncPasswordSet
Account security [23.] On the server running the FIM Synchronization Service, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account.

On the server running the FIM Service, you must only restrict the FIM Service service account, and not the FIM Synchronization Service service account.

Use the following restrictions on the service accounts:

  • Deny logon as a batch job
  • Deny logon locally
  • Deny access to this computer from the network

For SSPR

  • WMI and DCOM permissions for SSPR
Account separation [12.], [17.] Due to the fact that the FIM Service account is only used to run the FIM Service service, do not use this account for other purposes.

As other services require other privileges, the PoLP demands to use separate accounts.

Account Separation [12.], [17.] The FIM Service SVCA must be part of the FIM Sync Admins security group. (See Ref. 4)

The FIM Sync service SVCA must not be part of the FIM Sync Security Groups

This requirement excludes the use of 1 single account for both the FIM Service and the FIM Synchronization service.

Account Separation [12.] You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected.
Account settings: mail [18.] See page 50, par. 9.1, post-installation FIM Service

 

Risks
Items Ref. Description
Same account [17.] Due to the fact that the FIM Synchronization account is only used to run the FIM Synchronization services, do not use this account for other purposes.

As other services require other privileges, the PoLP demands to use separate accounts.

Same account [17.] If you choose to use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server.

If access is denied, that action prohibits the FIM Service from contacting the FIM Synchronization Service to change configuration and manage passwords.

Same account [17.]

The FIM Service account has HPA access to the FIM Service operations, using the same account bestows too many unneeded privileges to the FIM Sync service account

 

IMPORTANT
You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected.

 

FIM MA account

References
Required settings
Items Ref. Description
Configuring the Service Accounts Running the FIM 2010 R2 Server Components in a Secure Manner [12.]

There are three service accounts that are used to run the FIM server components. They are called the FIM Service service account, the FIM Synchronization Service service account, and the FIM Password service account in this guide.

The FIM MA account is not considered a service account, and it should be a regular user account.

For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally.

Account type [12.] You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service.
Account Security [12.] The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account.

 

Understanding the Purpose of the FIM Service Management Agent Account

The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.

Risk

Items Ref. Description
Portal logon with trusted account [12.] The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ.
Account Change [12.]

If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information.

 

Back to top

FIM SSPR – Registration & Reset portals

Due to the fact that the SSPR portals for the Password registration and Password Reset are hosted on IIS, the security mainly focusses on IIS.

The FIM configuration part is rather applying on the installation or reconfiguration.

 

IIS

Reference: [54.]: Security Best Practices for IIS 8

Back to top

Management agents

General

General: http://aka.ms/FIM_PortsRightsPersmissions

 

FIM MA

FIM MA Acocunt security

ADMA

How to grant the"Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account: hhttp://support.microsoft.com/kb/303972

  • For Exchange permission, incl. executing remote Exchange PowerShell, see below.

 

Exchange 2010 / 2013

 See:

 

Back to top


GALSync

 

SQL MA

Other MAs

 

Back to top

FIM Certificate Management

 References

“The following table summarizes the accounts and permissions required by FIM CM. You can allow the FIM CM create the following accounts automatically, or you can create them prior to installation. The actual account names can be changed. If you do create the accounts yourself, consider naming the user accounts in such a way that it is easy to match the user account name to its function.”

FIM CM Agent

Provides the following services:

  • Retrieves encrypted private keys from the CA.
  • Protects smart card PIN information in the FIM CM database.
  • Protects communication between FIM CM and the CA.
Items Ref. Description
Account Type [36.]

Domain account

Account Security [36.]
  • Allow logon locally user right.
  • Issue and Manage Certificates user right.
  • Read and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.
  • A digital signature and encryption certificate issued and installed in the user store.

 

FIM CM Key Recovery Agent

Provides the following services:

  • Recovers archived private keys from the CA.
Items Ref. Description
Account Type [36.] Domain account
Account Security: Local permissions [36.]
  • Allow logon locally user right.
  • Membership in the local Administrators group.
Account Security: Certificates [36.]
  • Key Recovery Agent certificate is issued and installed in the user store. The certificate must be added to the list of the key recovery agents on the CA.
Account Security: Folder Security [36.]
  • Read permission and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

 

FIM CM Authorization Agent

Provides the following services:

  • Determines user rights and permissions for users and groups.
Items Ref. Description
Account Type [36.] Domain account
Account Security: [36.]
  • Membership in the Pre-Windows 2000 Compatible Access domain group.
  • Granted the Generate security audits user right.

 

FIM CM CA Manager Agent

Provides the following services:

  • Performs CA management activities.
Items Ref.

Description

Account Type [36.] Domain account
Account Security: PKI [36.]
  • This user must be assigned the Manage CA permission.

 

 

FIM CM Web Pool Agent

Provides the following services:

  • Provides the identity for the IIS application pool. FIM CM runs within a Microsoft Win32® application programming interface process that uses this user’s credentials.
Items Ref.

Description

Account Type [36.] Domain account
Account Security: Local permissions [36.]
  • Membership in the local IIS_WPG group.
  • Membership in the local Administrators group.
Account Security: Audit [36.]
  • Granted the Generate security audits user right.
Account Security: Special Rights  
  • Granted the Act as part of the operating system user right.
  • Granted the Replace process level token user right.
Account Security: IIS [36.]
  • Assigned as the identity of the IIS application pool, CLMAppPool.
Account Security: Registry [36.]
  • Granted Read permission on the HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser registry key.
Account Security: AD Special Rights [36.]
  • This account must also be trusted for delegation.

  

FIM CM Enrollment Agent

Provides the following services:

  • Performs enrollment on behalf of a user.
Items Ref. Description
Account Type [36.] Domain account
Account Security: PKI [36.]
  • An Enrollment Agent certificate that is issued and installed in the user store.
  • Enroll permission on the Enrollment Agent certificate template (or the custom template, if one is used).
Account Security: Special Rights [36.]
  • Allow logon locally user right.

 

Back to top

FIM Reporting (SCSM)

Reference

SCSM Installer Account

Items Ref. Description
Account Type [36.] Domain account

Account Security: Local Rights

[36.]
  • Local admin on the SCSM and SCSMDW server.
  • member of the local Administrators group on the SQL Server.
Account Security: SQL Rights [36.] rights in SQL to create databases and assign security roles.

 

 

Important

After installation, the account access can be lowered or the account can be disabled and re-enabled if updates need to be installed.

 

SCSM Administrators Group

Items Ref. Description
Account Type [36.] Security group in AD
Account Security: Rights [36.] The Installer account is added automatically.
Account Security: Rights [36.]

· The group is added to the Service Manager Administrators role automatically.

· The group is added to the Data Warehouse Administrators role automatically.

 

Service Manager Service Account

Items Ref. Description
Account Type [36.] Domain account
Account Security: Local Rights [36.] Local admin on the SCSM and SCSMDW server.
Account Security [36.]

After installation becomes the Operational System Account, is assigned to logon account for both System Center Data Access Service and System Center Management Configuration Service 

After installation, becomes the data warehouse run as account, is assigned to the Service Manager SDK account and Service Manager Config account.

Account Security: SQL   In SQL, it is added to the sdk_users and configsvc_users database roles on the SCSM and SCSMDW databases becomes a member of the db_datareader role for the DWRepository database.

 

Workflow Account

Items Ref. Description
Account Type [36.] Domain account
Account Security: Local Rights [36.]

Member of the local Users security group.

 

Account Security: Local Rights [36.] If email notifications are required, this account must be mail enabled.

 

Reporting Account

Items Ref. Description
Account Type [36.] Domain account
Account Security: SQL [36.]
  • Used by SSRS to access the DWDataMart data
  • In SQL, it is added to the db_datareader and reportuser roles on the DWDataMart database.

 

Back to top

BHOLD

References

See: [38.] FIM 2010: Quick Guide to installing BHOLD Core

BHOLDApplicationGroup

Items

Ref. Description
Account Type [38.] Domain group

 

BHOLD Core Service Account

Items Ref. Description
Account Type [38.] Domain user
Account Security [38.] Log on as a Service
Account Security [38.]

Password never expires

Account Security [38.]
  • Add this user to the following groups:
  • IIS_IUSRS
  • II. ii. BHOLDApplicationGroup

 

Back to top


Security during Installation

Back to top

FIM setup account – functional account

References
Required settings
Items Ref. Description
Account type: domain account [18.] You must create a user account to run installation of the FIM components.

This installer account must be a domain user account.

The most important reason is that the FIM installer account is assigned root administrator in the FIM service and portal, during the installation you need SQL sysadmin (SA) rights, which is by preference a domain joined SQL server with Windows authentication.

Account Security: SQL [18.] ONLY DURING INSTALLATION

To be able to install FIM Synchronization Service or FIM Service, the account must be a SQL sysadmin.

The account that you use does not have to be a SQL sysadmin after the installation is complete.

The user account used to install the FIM Service must be granted the sysadmin role in SQL Server.

By default, members of the Local Administrators group do not have the necessary permissions.

Unless the user account is either the built-in administrator account, or the user account used to install SQL Server, then the user account must be granted the sysadmin role in SQL Server.

Account Security: Sharepiont [18.] To be able to install the FIM Portal, the account must be a SharePoint administrator.

To be able to install the FIM Portal, it is assumed that SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who is installing the FIM Portal is authorized as an administrator of that SharePoint site.

Account Security [18.] ONLY DURING INSTALLATION

This account should be a local administrator account.

Account Security [18.] ONLY DURING INSTALLATION

The FIM installer accounts should be member of the local administrators group.

Account Security [18.] The FIM installer account should only be a member of the security group FIMSyncAdmins.
Account security [18.]

Use the following restrictions on the FIM installer account:

  • Deny logon as a batch job
  • Deny run as a service
Account separation [5.]

Due to the fact that the FIM installer account is only used to install FIM component, during initial setup or during application of an hotfix, do not use this account for other purposes.

DO NOT

  • use the FIM Installer account for operational, day-to-day management.
  • Use the FIM installer account as service account

As other services require other privileges, the PoLP demands to use separate accounts.

 

Risks
Items Ref. Description
Same account [18.]

The FIM Sync Service account has HPA access to the FIM Sync Service operations, using the same account bestows too many unneeded privileges to the FIM Sync service account

 

Back to top

FIM SSPR – Registration & Reset portals

Due to the fact that the SSPR portals for the Password registration and Password Reset are hosted on IIS, the security mainly focusses on IIS.

The FIM configuration part is rather applying on the installation or reconfiguration of the FIM SSPR portals for assword registration or password reset.

Change mode install

Reference

From: [34.] Password Registration and Reset Portal Deployment

Procedure

“The following is a note on doing a change mode install.

If you do a change mode install to change the account that runs the FIM Password Registration and Password Reset portals you must also run a change mode install on the server that is running the FIM Service and specify the application pool account or accounts.

This should be done first.

That is, prior to running the change mode install on the Registration and Reset portal server, run a change mode install on the server that is running the FIM Service and associate it with the new application pool account or accounts.”

 

Back to top


Post-installation: Securing FIM

Back to top

FIM Service

References
Required settings
Items Ref. Description

Account type: domain account

[18.]

Configuring the FIM Service Service Exchange mailbox

  1. 1. Configure the service account so that it can accept mail only from internal e-mail addresses
  2. 2. Configure the service account so that it rejects mail messages with sizes greater
  3. 3. Configure the service account so that it has a mailbox storage quota of 5 gigabytes (GB). than 1 MB.

 

 

Back to top

FIM Portal (SharePoint)

Reference

 

Items Ref. Description
Account type [15.]

Change the SharePoint Application Pool Account to Use CORP\SPService

 

SharePoint in depth

See, page 57, paragraph 12.4, SharePoint .

Back to top

Portal Security

User Account login 

There are different ways of creating accounts in the FIM portal:

Administrator account / installation account

The account that installs the FIM Service / FIM portal will be assigned as primary portal administrator, as it will be added to the Administrators set in the FIM Portal.

Items Ref. Description
Additional administrators  

Additional administrators must be added to the 'Administrators' set 

  

Back to top


Post-installation: Securing FIM Backend

Back to top

Portal Security

User Account login

  • To logon to the portal these administrators must have an account in the portal, with the following attributes matched to an AD user account
  • logon name = corresponding AD sAMAccountName
  • Domain = logondomain (NetBIOS) of domain user is logging on to
  • objecSid = objectSid of user account

There are different ways of creating accounts in the FIM portal:

  • synchronizing the accounts into the portal from AD, via the FIM Sync engine
  • creating the accounts in the portal and setting the objectSID attribute by PowerShell script

For more information see: How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object

Primary Administrator account / setup account

The account that installs the FIM Service / FIM portal will be assigned as primary portal administrator, as it will be added to the Administrators set in the FIM Portal

Secondary / personal administrator accounts

Additional administrators must be added to the 'Administrators' set

Back to top


Download

Download the entire guide at once, in PDF version from Technet Gallery .

This document has some additional content, which is not available online.

 

Back to top


 

Return to Table of Contents of the article series

Back to top