Identity Manager (FIM/MIM): Planning security setup for accounts, groups and services - Part 3. Compact Checklist
Compact Checklist
Legend
Check boxes
Icon | Explanation |
¨ | Open configuration item |
þ | Checked, fixed, installed, action applied |
ý (+ Reason) | Declined, blocked, not applicable (N/A), not used, excluded from configuration |
Account types
See paragraph 2.4 Account types for detailed explanation.
According to the use of these accounts, we'll use 4 account types:
- Service account (SVCA)
- Technical account (TA)
- Functional account (FA)
- Personal account (PA)
Location (LOC)
Code | Explanation |
D | Domain |
L | Local, on server |
Importance (SEV)
The indication of importance is related to the risk profile of the account.
This setting provides a basic assessment of the impact and risk of not installing or using this account.
SEV | Countermeasure | Impact & risk | Explanation (examples) |
HIGH (RED) | Configuration required | Direct, high impact. Critical risk on FIM systems, linked systems & general infrastructure. Real & proven danger. High impact on recovery. Impact of risk is critically higher than operational burden. | High business impact. Risk of setting up a configuration that cannot be recovered using normal DRP planning. Critical impact on security, violation of common security best practices. Critical impact on linked systems like HR, AD, O365. |
MEDIUM (ORANGE) | Strongly advised to follow best practice | Possible, realistic danger. Significant impact on FIM systems, linked systems & general infrastructure. Impact of risk is significantly higher than operational burden. | Important recovery needed, exceeding normal operational mode or SLA agreements. |
LOW (YELLOW) | Advised to follow best practice | Indirect impact. Low risk: theoretical, low frequency, easy to recover. Impact of risk is higher than or equal to operational burden. | Important recovery needed, but within normal operational mode or SLA agreement. |
OPTIONAL (GREEN) | Suggestion to follow best practice | Optimization, additional security layer. Impact of risk is equal to or lower than operational burden. | Limited to no business impact. |
Pre-installation: Backend configuration
SPN
Check | Importance | LOC | Acct. Type | SPN (Account Reference) | Account | Name (to fill) |
¨ | HIGH | D | SPN | MSSQLsvc/<SQLDatabase Server> | SQL Database Account | |
¨ | HIGH | D | SPN | FIMService/<FIM Service Server> | FIM Service Account | |
¨ | HIGH | D | SPN | HTTP/<FIM Portal Alias> | SharePoint Service Account | |
¨ | HIGH | D | SPN | HTTP/<pwd registration portal server> | Pwd Registration Server Account | |
¨ | HIGH | D | SPN | HTTP/<passwordreset portal server> | Password Reset Server Account | |
¨ | HIGH | D | SPN | HTTP/<FIM CM Server> | FIM CM Web Pool Agent Account | |
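As an added example, not taken from the original guide, the following PowerShell script checks the SPNs of the table above against Active Directory: each SPN must exist, be registered on exactly one account, and sit on the account the table assigns to it. The host names and account names in `$ExpectedSpns` are placeholders to be replaced with the values of the "Name (to fill)" column; the script assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original checklist: verify that every SPN from the
# SPN table is registered once, and on the expected account. A duplicate SPN silently
# breaks Kerberos for both accounts and usually surfaces as NTLM fallback or logon failures.
# Assumes the ActiveDirectory module (RSAT). Host and account names are placeholders.
Import-Module ActiveDirectory

# Placeholder values: replace with the "Name (to fill)" entries of the SPN table.
# The SQL SPN carries the port (or instance name) of the FIM database instance.
$ExpectedSpns = @{
    'MSSQLSvc/sql01.contoso.example:1433' = 'svc-fim-sql'
    'FIMService/fimsvc01.contoso.example' = 'svc-fim-service'
    'HTTP/fimportal.contoso.example'      = 'svc-fim-sharepoint'
    'HTTP/pwdreg.contoso.example'         = 'svc-fim-sspr-reg'
    'HTTP/pwdreset.contoso.example'       = 'svc-fim-sspr-reset'
    'HTTP/fimcm01.contoso.example'        = 'svc-fimcm-webpool'
}

function Test-FimSpn {
    param([string]$Spn, [string]$ExpectedAccount)
    # servicePrincipalName is an indexed attribute, so an LDAP filter on it is cheap.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    switch ($holders.Count) {
        0 { $status = 'MISSING'; $on = '' }
        1 {
            $on = $holders[0].sAMAccountName
            $status = if ($on -ieq $ExpectedAccount) { 'OK' } else { 'WRONG ACCOUNT' }
        }
        default { $status = 'DUPLICATE'; $on = ($holders.sAMAccountName -join ', ') }
    }
    [pscustomobject]@{ SPN = $Spn; Expected = $ExpectedAccount; RegisteredOn = $on; Status = $status }
}

$results = foreach ($spn in $ExpectedSpns.Keys) {
    Test-FimSpn -Spn $spn -ExpectedAccount $ExpectedSpns[$spn]
}
$results | Format-Table -AutoSize

# Exit non-zero when anything is off, so the check can serve as a pre-installation gate.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

The script only looks at the current domain; `setspn -X` reports duplicate SPNs forest-wide, and registering with `setspn -S` instead of `-A` performs the duplicate check before adding the SPN.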
Pre-installation: Account creation
Back End
SQL
Reference:
This section is informational only; it has been added as a reminder to secure the FIM back-end services.
From: Server Configuration - Service Accounts:
“If you configure services to use domain accounts, Microsoft recommends that you configure service accounts individually to provide least privileges for each service, where SQL Server services are granted the minimum permissions they need to complete their tasks.”
Check | Importance | LOC | Acct. Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Service | SQL Server Database Engine acct. | <domain>\<account> |
¨ | HIGH | D | Service | SQL Server Agent service* acct. | <domain>\<account> |
¨ | HIGH | D | Service | SQL Server Analysis Services acct. | <domain>\<account> |
¨ | HIGH | D | Service | SQL Server Reporting Services acct. | <domain>\<account> |
¨ | HIGH | D | Service | SQL Server Browser acct. | <domain>\<account> |
There are 4 more accounts for the core SQL services, but this is outside the scope of this document.
Full details are available in the SQL Server whitepaper: SQL Server 2012 Security Best Practices - Operational and Administrative Tasks.
From the white paper:
“The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with. In SQL Server 2005 and above, SQL Server Agent job steps can be configured to use proxies that encapsulate alternate credentials.”
SharePoint
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Functional | SharePoint Setup administrator acct* | <domain>\<account> |
¨ | HIGH | D | Service | Farm service account | <domain>\<account> |
¨ | LOW | D | Service | Search service account | <domain>\<account> |
¨ | LOW | D | Service | Search content access account | <domain>\<account> |
¨ | LOW | D | Service | SharePoint Application pool account | <domain>\<account> |
All FIM Platforms
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Functional | FIM installer administrator account* | <domain>\<account> |
FIM Synchronization
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Service | FIM Sync service SVCA | <domain>\<account> |
¨ | HIGH | D | Security Group | FIMSyncAdmins | <domain>\<account> |
¨ | HIGH | D | Security Group | FIMSyncOperators | <domain>\<account> |
¨ | HIGH | D | Security Group | FIMSyncJoiners | <domain>\<account> |
¨ | HIGH | D | Security Group | FIMSyncBrowse | <domain>\<account> |
¨ | HIGH | D | Security Group | FIMSyncPasswordSet | <domain>\<account> |
¨ | HIGH | D | Technical | FIM Task scheduler | <domain>\<account> |
FIM Sync Management agents
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Technical | ADMA Account | <domain>\<account> |
¨ | HIGH | D | Technical | FIMMA Account | <domain>\<account> |
¨ | HIGH | D | Technical | SQL MA Account | <domain>\<account> |
¨ | HIGH | D | Technical | Other Management agents: 1 account per type of MA, and by preference 1 account per MA | <domain>\<account> |
FIM Service
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Service | FIM service SVCA | <domain>\<account> |
¨ | HIGH | D | Technical | FIMMA Account | <domain>\<account> |
FIM Portal
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | MEDIUM | D | Functional | Backup Portal Administrator | <domain>\<account> |
¨ | HIGH | D | Service | FIM Portal - Application Pool Account | <domain>\<account> |
FIM SSPR Registration Portal
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Service | FIM SSPR Registration Portal - Application Pool Account | <domain>\<account> |
FIM SSPR Reset Portal
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Service | FIM SSPR Reset Portal - Application Pool Account | <domain>\<account> |
FIM CM
Source: [36.] Create an OU and User Accounts for FIM CM Agents
“The following table summarizes the accounts and permissions required by FIM CM. You can allow the FIM CM create the following accounts automatically, or you can create them prior to installation. The actual account names can be changed. If you do create the accounts yourself, consider naming the user accounts in such a way that it is easy to match the user account name to its function.”
Check | Importance | LOC | Account Type | Account Reference | Name (to fill) |
¨ | HIGH | D | Technical | FIM CM Agent | <domain>\<account> |
¨ | HIGH | D | Technical | FIM CM Authorization Agent | <domain>\<account> |
¨ | HIGH | D | Technical | FIM CM CA Manager Agent | <domain>\<account> |
¨ | HIGH | D | Technical | FIM CM Enrollment Agent | <domain>\<account> |
¨ | HIGH | D | Technical | FIM CM Key Recovery Agent | <domain>\<account> |
¨ | HIGH | D | Technical | FIM CM Web Pool Agent | <domain>\<account> |
Pre-installation: Account lock down
All FIM Platforms
Check | Importance | LOC | Account Type | Account Reference | Procedure |
¨ | HIGH | D | Functional | FIM Installer account | Just before installation[1]: grant local admin rights; grant SQL SysAdmin |
FIM Sync
Check | Importance | LOC | Account Type | Account Reference | Procedure |
¨ | HIGH | D | Service | FIM Sync Svc SVCA | Lock down FIM Sync Service SVCA |
¨ | HIGH | D | Technical | FIM ADMA | Lock down AD MA Technical Account |
¨ | HIGH | D | Security Groups | Security Groups | Minimize memberships of the FIM Sync security groups |
¨ | HIGH | D | Security Groups | Security Groups | Minimize administrative memberships on the FIM Servers |
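The two "minimize memberships" items above are only as good as the last time someone looked. The following PowerShell script, an added example and not part of the original guide, audits the FIM Sync security groups and the local Administrators group of the FIM servers against an approved member list and reports every extra member. The group, server and member names are placeholders; it assumes the ActiveDirectory RSAT module and PowerShell 5.1 remoting to the FIM servers (for `Get-LocalGroupMember`).

```powershell
# Added example, not part of the original checklist: audit the FIM Sync security groups and
# the local Administrators group of the FIM servers against an approved member list, so that
# every extra member is reported for review. Assumes the ActiveDirectory module (RSAT),
# PowerShell 5.1 remoting to the FIM servers for Get-LocalGroupMember, and that the group,
# server and member names below are replaced with the installation's values (placeholders).
Import-Module ActiveDirectory

# Approved members per FIM Sync security group (placeholders).
$ApprovedSyncMembers = @{
    'FIMSyncAdmins'      = @('svc-fim-service', 'fim-sync-admin-role')
    'FIMSyncOperators'   = @('fim-sync-operator-role')
    'FIMSyncJoiners'     = @()
    'FIMSyncBrowse'      = @()
    'FIMSyncPasswordSet' = @('svc-fim-sspr-reset')
}
$FimServers          = @('fimsync01', 'fimsvc01')        # placeholders
$ApprovedLocalAdmins = @('CONTOSO\fim-server-admins')    # placeholder: the only approved local admin entry

function Test-SyncGroupMembership {
    param([string]$Group, [string[]]$Approved)
    # -Recursive expands nested groups, so a member hidden behind a nested group is still listed.
    $members = @(Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty sAMAccountName)
    $extra   = @($members | Where-Object { $_ -notin $Approved })
    [pscustomobject]@{
        Group   = $Group
        Members = $members.Count
        Extra   = ($extra -join ', ')
        Status  = if ($extra.Count -gt 0) { 'REVIEW' } else { 'OK' }
    }
}

function Test-FimServerLocalAdmins {
    param([string[]]$Servers, [string[]]$Approved)
    # Collect every member of the local Administrators group on each FIM server.
    $members = Invoke-Command -ComputerName $Servers -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
    }
    # Anything that is not on the approved list is reported; the built-in Administrator
    # account shows up here too, on purpose, so that it is visible in the report.
    @($members | Where-Object { $_.Name -notin $Approved })
}

"== FIM Sync security groups =="
$ApprovedSyncMembers.GetEnumerator() |
    ForEach-Object { Test-SyncGroupMembership -Group $_.Key -Approved $_.Value } |
    Format-Table Group, Members, Status, Extra -AutoSize

"== Local Administrators on FIM servers (members to review) =="
Test-FimServerLocalAdmins -Servers $FimServers -Approved $ApprovedLocalAdmins |
    Format-Table Server, Name, ObjectClass -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new name in the "Extra" column is the signal that a membership was added outside the change process.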
FIM Sync Management agents
Check | Importance | LOC | Account Type | Account Reference | Procedure |
¨ | HIGH | D | Technical | FIM MA | Lock down the FIM MA technical account |
¨ | HIGH | D | Technical | FIM MA | Block/filter the administrative accounts from the FIM Service connector space |
¨ | HIGH | D | Technical | FIM ADMA | Replicating Directory Changes permission |
¨ | HIGH | D | Technical | FIM ADMA | Lock down the account to the minimum required permissions on the minimum required containers |
¨ | HIGH | D | Technical | SQL MA | Lock down the account to the minimum required permissions on the minimum required tables |
¨ | HIGH | D | Technical | Other MA | <TBD> |
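The "Replicating Directory Changes" item for the AD MA is easy to over-grant: the AD MA needs "Replicating Directory Changes" (the DS-Replication-Get-Changes control access right) for delta imports, but not "Replicating Directory Changes All" (DS-Replication-Get-Changes-All), which also exposes secret attributes such as password hashes. The following PowerShell script is an added example, not part of the original guide; it reads the ACL of the domain naming context and reports which of the two rights the ADMA account holds directly. The account name is a placeholder and the script assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original checklist: report which directory-replication
# extended rights the AD MA account holds on the domain naming context.
# The AD MA needs "Replicating Directory Changes" (DS-Replication-Get-Changes) for delta
# imports; "Replicating Directory Changes All" (DS-Replication-Get-Changes-All) is not needed
# and also exposes secret attributes, so it should be absent.
# Assumes the ActiveDirectory module (RSAT); the account name is a placeholder.
Import-Module ActiveDirectory

$AdmaAccount = 'CONTOSO\svc-fim-adma'   # placeholder: the "Name (to fill)" value for the ADMA account

# rightsGuid values of the two control access rights as defined in the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRights {
    param([string]$Account)
    $domainDn = (Get-ADDomain).DistinguishedName
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $found = foreach ($ace in (Get-Acl -Path "AD:\$domainDn").Access) {
        if ($ace.IdentityReference.Value -ine $Account) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }
        if ($ace.ObjectType -eq [guid]::Empty) {
            # An ExtendedRight ACE with an empty ObjectType grants every extended right at once.
            $ReplRights.Values
        } elseif ($ReplRights.ContainsKey($ace.ObjectType.ToString())) {
            $ReplRights[$ace.ObjectType.ToString()]
        }
    }
    return @($found | Sort-Object -Unique)
}

$held = Get-ReplicationRights -Account $AdmaAccount
"$AdmaAccount holds: $(if ($held) { $held -join '; ' } else { 'no replication rights' })"

if ('Replicating Directory Changes' -notin $held) {
    Write-Warning "Missing 'Replicating Directory Changes': AD MA delta imports will fail."
}
if ('Replicating Directory Changes All' -in $held) {
    Write-Warning "'Replicating Directory Changes All' is granted but not required by the AD MA; remove it."
}
```

The script only evaluates ACEs whose trustee is the account itself. Rights granted through a group the account belongs to appear under the group's name, so run the same check against each of the account's groups before concluding that the second right is absent.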
Post-Installation: Set operational admins
FIM Portal
Check | Importance | LOC | Account Type | Account Reference | Procedure |
¨ | HIGH | D | Functional | FIM Portal Backup Account | Add a functional account as backup root account to the FIM Portal |
Hotfix installation
All FIM Platforms
Check | Importance | LOC | Account Type | Account Reference | Procedure |
¨ | HIGH | D | Functional | FIM Installer account | Just before hotfix installation[2]: grant local admin rights; grant SQL SysAdmin |
[1][2] This applies both to a fresh installation of a FIM component and to the implementation of a hotfix or service pack. The account that runs the installation needs the elevated rights only while the installation or service pack is being implemented: only DURING installation, not before, not after.
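The "only DURING installation" rule is simplest to keep when grant and revoke are one unit of work. The following PowerShell script is an added example, not part of the original guide: it grants the installer account local admin and SQL sysadmin rights, starts setup, and revokes both rights in a `finally` block so that they are removed even when setup fails. It is meant to be run by an administrator who already holds those rights on the server and the SQL instance; setup itself is started under the installer account. It assumes the SqlServer module (`Invoke-Sqlcmd`), SQL Server 2012 or later (`ALTER SERVER ROLE`) and PowerShell 5.1 (`Add-LocalGroupMember`); the account, instance and setup path are placeholders.

```powershell
# Added example, not part of the original checklist: grant the FIM installer account local
# admin and SQL sysadmin rights immediately before setup runs, and revoke them in a finally
# block so that the rights do not outlive the installation, even when setup fails.
# Run it as an administrator who already holds those rights on the server and the instance;
# setup itself is started under the installer account. Assumes the SqlServer module
# (Invoke-Sqlcmd), SQL Server 2012 or later (ALTER SERVER ROLE) and PowerShell 5.1
# (*-LocalGroupMember); account, instance and setup path are placeholders.
Import-Module SqlServer

$Installer   = 'CONTOSO\fim-installer'      # placeholder: FIM installer administrator account
$SqlInstance = 'sql01.contoso.example'      # placeholder: SQL instance hosting the FIM databases
$SetupPath   = 'C:\FIMInstall\Setup.exe'    # placeholder: component setup or hotfix package

function Grant-InstallerRights {
    Add-LocalGroupMember -Group 'Administrators' -Member $Installer -ErrorAction Stop
    # Create the Windows login if it does not exist yet, then add it to sysadmin.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Installer')
    CREATE LOGIN [$Installer] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$Installer];
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql -ErrorAction Stop
}

function Revoke-InstallerRights {
    # Errors are reported but do not stop the revoke: both removals must be attempted.
    Remove-LocalGroupMember -Group 'Administrators' -Member $Installer -ErrorAction Continue
    Invoke-Sqlcmd -ServerInstance $SqlInstance -ErrorAction Continue `
        -Query "ALTER SERVER ROLE [sysadmin] DROP MEMBER [$Installer];"
}

function Test-InstallerRightsRevoked {
    # Proves the revoke worked rather than trusting it: both checks must come back clean.
    $sqlRow  = Invoke-Sqlcmd -ServerInstance $SqlInstance `
        -Query "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$Installer'), 0) AS IsSysadmin;"
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $Installer -ErrorAction SilentlyContinue)
    return (($sqlRow.IsSysadmin -eq 0) -and -not $isAdmin)
}

try {
    Grant-InstallerRights
    # The rights exist only inside this block: run setup under the installer account and wait for it.
    $cred = Get-Credential -UserName $Installer -Message 'FIM installer account'
    Start-Process -FilePath $SetupPath -Credential $cred -Wait
}
finally {
    Revoke-InstallerRights
    if (Test-InstallerRightsRevoked) {
        Write-Output "Elevated rights for $Installer removed from $env:COMPUTERNAME and $SqlInstance."
    } else {
        Write-Warning "$Installer still holds elevated rights; remove them manually before leaving the server."
    }
}
```

`Start-Process -Credential` does not produce an elevated token under UAC; where setup must run elevated, start it from an elevated session of the installer account during the `try` block instead. The `finally` block and the `Test-InstallerRightsRevoked` check are the part worth keeping: the revoke is verified, not assumed.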
Download
Download the entire guide at once, in PDF version, from Technet Gallery.
This document has some additional content, which is not available online.
Direct Links
- FIM 2010: Planning security setup for accounts, groups and services - Table of contents
- FIM 2010: Planning security setup for accounts, groups and services - Part 1. Introduction
- FIM 2010: Planning security setup for accounts, groups and services - Part 2. FIM Security principles
- FIM 2010: Planning security setup for accounts, groups and services - Part 3. Compact Checklist
- FIM 2010: Planning security setup for accounts, groups and services - Part 4. Detailed Description
- FIM 2010: Planning security setup for accounts, groups and services - Part 5. Operational Best Practices
- FIM 2010: Planning security setup for accounts, groups and services - Part 6. References & authoritative resources
- FIM 2010: Planning security setup for accounts, groups and services - Part 7. Additional resources
- FIM 2010: Planning security setup for accounts, groups and services - Part 8. Glossary
Return to Table of Contents of this article series