Identity Manager (FIM/MIM): Planning security setup for accounts, groups and services - Part 4. Detailed Description
Bronze Award Winner
Pre-installation: Securing the FIM backend infrastructure
SQL Server
Although FIM and MIM rely heavily on SQL Server, the security configuration of SQL Server itself is out of scope for the FIM configuration. Nevertheless, proper configuration of the SQL Server service accounts is key, and it should be handled in cooperation with a SQL Server expert.
References
Please check the references below to properly secure the SQL Server infrastructure you use to support FIM.
- [42.] Guidelines on choosing Service Accounts for SQL Server Services.
- [46.] SQL Server 2012 Security Best Practice Whitepaper
The section “Service Account selection and management” of [46.] says:
"/../The Local System account is not only an account with too many privileges, but it is a shared account and might be used by other services on the same server. Any other service that uses this account has the same set of privileges as the SQL Server service that uses the account.
Although Network Service has network access and is not a Windows superuser account, it is a shareable account. This account is useable as a SQL Server service account only if you can ensure that no other services that use this account are installed on the server.
Using a local user or domain user that is not a Windows administrator is the best choice.
If the server that is running SQL Server is part of a domain and must access domain resources such as file shares or uses linked server connections to other computers running SQL Server, a domain account is the best choice.
If the server is not part of a domain (for example, a server running in the perimeter network (also known as the DMZ) in a Web application) or does not need to access domain resources, a local user that is not a Windows administrator is preferred.
Creating the user account that will be used as a SQL Server service account is easier in SQL Server 2005 than in previous versions. When SQL Server 2005 is installed, a Windows group is created for each SQL Server service, and the service account is placed in the appropriate group. To create a user that will serve as a SQL Server service account, simply create an "ordinary" account that is either a member of the Users group (non-domain user) or Domain Users group (domain user). During installation, the user is automatically placed in the SQL Server service group and the group is granted exactly the privileges that are needed.
If the service account needs additional privileges, the privilege should be granted to the appropriate Windows group, rather than granted directly to the service user account. This is consistent with the way access control lists are best managed in Windows in general. /../"
The FIM 2010 deployment guide also discusses the SQL security requirements.
Source: [12.] Before You Begin
Before you install the FIM Service, certain tasks should be completed and verified on the server that is running SQL Server.
If you are using FIM Reporting, you will need to create two additional service accounts:
- SQL Reporting Service Account
- SQL Analysis Service Account
Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts (for example, Network Service). You cannot use local computer accounts.
When you configure the service accounts for SQL Server, consult the following articles:
- [47.] Service Account Types Supported for SQL Server Agent:
- [48.] Selecting an Account for the SQL Server Agent Service
Important: The SQL Server service account should not be a local computer account. A local account cannot impersonate domain accounts and the FIM Service will not behave as expected.
IIS
References
Please check the full details in reference [54.] (Security Best Practices for IIS 8, listed under FIM SSPR below) to properly secure the IIS infrastructure you use to support FIM.
Action items
Below is the list of configuration items relevant to FIM; remember that the complete list in the reference contains more actions for an IIS lockdown.
Items | Action |
---|---|
Installation and Configuration | Install only the IIS modules you need. |
Web Application Isolation | Isolate web applications: separate different applications into different sites with different application pools. |
Web Application Isolation | Implement the principle of least privilege: run your worker process as a low-privileged identity (virtual application pool identity) that is unique per site. |
Authentication | Disable anonymous access to server directories and resources. |
Application Pool Identities | Don’t use the built-in service identities (such as Network Service, Local Service, or Local System). For maximum security, application pools should run under the application pool identity that is generated when the application pool is created. The accounts that are built in to IIS are ApplicationPoolIdentity, NetworkService, LocalService, and LocalSystem. The default (recommended) and most secure is ApplicationPoolIdentity. |
Application Pool Identities | Using a custom identity account is acceptable, but be sure to use a different account for each application pool. |
Exception
Reference:
- [32.] To allow SSPR for users who forgot their password, you must allow anonymous access to the password reset portal.
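The following script is an added example for this guide; it is not code from the original article or from Microsoft's IIS guidance. It audits a FIM web server against the action items above: application pool identities, custom accounts shared between pools, anonymous authentication (allowed only on the password reset portal, per the exception), and, for the FIM CM site described under FIM SPN Configuration further down, the useAppPoolCredentials setting. It needs the WebAdministration module (IIS 7.x/8.x) and an elevated session; the site names in $AnonymousAllowed and $NeedsAppPoolCredentials are hypothetical placeholders.

```powershell
# Added example (not from the original article): audit IIS against the FIM lock-down items.
# Assumes the WebAdministration module and an elevated PowerShell session on the FIM web server.
Import-Module WebAdministration

# Hypothetical site names: the SSPR reset portal may keep anonymous access (exception [32.]),
# the FIM CM portal must decrypt Kerberos tickets with its app pool account.
$AnonymousAllowed        = @('FIM Password Reset Site')
$NeedsAppPoolCredentials = @('FIM CM Site')

# 1. Application pool identities. ApplicationPoolIdentity (virtual, unique per pool) is the
#    recommended choice; NetworkService/LocalService/LocalSystem are shared and flagged for review.
$pools = @(Get-ChildItem IIS:\AppPools)
foreach ($pool in $pools) {
    $type = [string]$pool.processModel.identityType
    $user = [string]$pool.processModel.userName
    $verdict = switch ($type) {
        'ApplicationPoolIdentity' { 'OK  (virtual application pool identity)' }
        'SpecificUser'            { "OK  (custom account $user; must be unique per pool)" }
        default                   { "REVIEW: built-in shared identity '$type'" }
    }
    '{0,-35} {1}' -f $pool.Name, $verdict
}

# 2. A custom account must not run more than one application pool.
$pools | Where-Object { [string]$_.processModel.identityType -eq 'SpecificUser' } |
    Group-Object { [string]$_.processModel.userName } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        "REVIEW: account '$($_.Name)' is shared by pools: $names"
    }

# 3. Anonymous authentication must be disabled on every site except the reset portal.
foreach ($site in Get-ChildItem IIS:\Sites) {
    $anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    if ([bool]$anon.Value -and ($AnonymousAllowed -notcontains $site.Name)) {
        "REVIEW: anonymous authentication is enabled on site '$($site.Name)'"
    }
}

# 4. Kernel-mode authentication decrypts tickets with the machine account; sites whose SPN
#    is registered on the app pool account (FIM CM) need useAppPoolCredentials = true.
foreach ($name in $NeedsAppPoolCredentials) {
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$name" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name useAppPoolCredentials
    if (-not [bool]$v.Value) { "REVIEW: useAppPoolCredentials is not set on site '$name'" }
}
```

Run it after every IIS change on the Portal, SSPR and FIM CM servers; every REVIEW line maps to one row of the table above, so the output doubles as the evidence for the lock-down checklist.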
SharePoint
Essentially the SharePoint configuration is out-of-scope for this document, but proper configuration of the SharePoint environment is essential. Please work with a SharePoint expert to secure your environment.
This section has informational purposes only; it has been added as a reminder to secure the FIM Portal back-end services.
References
Please check the reference below to properly secure the SharePoint infrastructure you use to support FIM.
Important: We recommend that you install SharePoint Server 2010 by using least-privilege administration.
Accounts
Account | Purpose | Requirements |
---|---|---|
SQL Server service account | The SQL Server service account is used to run SQL Server. It is the service account for the SQL Server services; if you do not use the default SQL Server instance, these services are shown under the instance name in the Windows Services console. | Use either a Local System account or a domain user account. If you plan to back up to or restore from an external resource, permissions to the external resource must be granted to the appropriate account. If you use a domain user account for the SQL Server service account, grant permissions to that domain user account. However, if you use the Network Service or the Local System account, grant permissions to the external resource to the machine account (domain_name\SQL_hostname$). The instance name is arbitrary and was created when Microsoft SQL Server was installed. |
Setup user account (SharePoint) | The Setup user account is used to run SharePoint setup and its configuration tools. | If you run Windows PowerShell cmdlets that affect a database, this account must be a member of the db_owner fixed database role for the database. |
Server farm account or database access account | The server farm account is used to configure and manage the server farm. | Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that runs SQL Server, and is added to the SQL Server security roles that farm management requires. |
Pre-installation: Securing FIM Components
FIM general
SPN
References
Please check the reference below to properly secure the required SPN entries.
Please refer to the references section at the end of the guide, for more details on Kerberos settings.
Description
From: [16.] FIM 2010 R2 Kerberos Settings (SPN Configuration):
”/../ Service principal names (SPNs) are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, clients have no way of locating that service. Without correctly set SPNs, Kerberos authentication is not possible.
An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.
Because multiple services can run simultaneously under the same account, setting an SPN requires four unique pieces of information. These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.
For each SPN that is set, the following information is required:
1. The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.
2. The account under which the service is running.
3. The computer on which the service is running, including any aliases that point to that computer.
4. The port on which the service is running (optional if the default port for the service of that type is used such as port 80 for HTTP). /../”
FIM SPN Configuration
From: [16.] FIM 2010 R2 Kerberos Settings (SPN Configuration):
Syntax configuration examples have been omitted in this guide.
SPN | Account | Description |
---|---|---|
MSSQLsvc/<SQLDatabase Server> | SQL Database Account | SPN required for the FIM Service database. Allows clients the ability to locate an instance of SQL. |
FIMService/<FIM Service Server> | FIM Service Account | SPN required for the FIM Service. Allows clients the ability to locate an instance of the FIM Service. |
HTTP/<FIM Portal Alias> | SharePoint Service Account | This is a requirement because SharePoint runs as a "farm" - even in single-server configurations - you have to run the site and authentication under the app pool account... AND still set up your SPNs. |
HTTP/<passwordregistration portal server> | Password Registration Server Account | The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account. |
HTTP/<passwordreset portal server> | Password Reset Server Account | The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account. |
HTTP/<FIM CM Server> | FIM CM Web Pool Agent Account | This is a special case even though we are running on IIS 7.0/7.5. In this instance you must ensure that useAppPoolCredentials is set to true. This will force IIS to use the appPoolCredentials to decrypt the ticket. KernelModeAuthentication is still enabled in this instance. |
SPN Delegation
“In a deployment with multiple FIMServices, ensure that each FIMService has constrained delegation configured so that each FIMService can successfully communicate to each other in order for Workflow Approvals to work properly. Approval Responses from users can come from any Portal or if Exchange is enabled from the FIMService that is polling. In all cases, the Approval Response will be directed to the FIMService machine that processed the original Request so cross-server communication: FIMPortal -> FIMService AND FIMService -> FIMService must work properly.”
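This guide omits the setspn syntax; the script below is an added example, not code from the original article or from the cited Microsoft reference. It registers the SPNs of the table above on their owning accounts, refuses to create duplicates (a duplicate SPN breaks Kerberos for both services), and configures Kerberos-only constrained delegation for the FIMPortal -> FIMService and FIMService -> FIMService paths described in the quote. The domain, host names and account names are hypothetical placeholders; run it with an account that may write servicePrincipalName and msDS-AllowedToDelegateTo, on a machine with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original article): register FIM SPNs and constrained delegation.
# All names below are hypothetical; adjust them to your environment before running.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'

# SPN -> sAMAccountName of the owner. The SSPR portals use kernel-mode authentication, so their
# HTTP SPNs belong to the IIS machine account (trailing '$'), not to the FIM Password service account.
$Spns = @{
    "MSSQLsvc/fimsql01.${Domain}:1433" = 'svc-fimsql'        # SQL Database Account
    "FIMService/fimsvc01.$Domain"      = 'svc-fimservice'    # FIM Service Account, server 1
    "FIMService/fimsvc02.$Domain"      = 'svc-fimservice'    # FIM Service Account, server 2
    "HTTP/fimportal.$Domain"           = 'svc-fimsharepoint' # SharePoint app pool account, portal alias
    "HTTP/passwordreg.$Domain"         = 'FIMSSPR01$'        # IIS machine account of the SSPR server
    "HTTP/passwordreset.$Domain"       = 'FIMSSPR01$'
    "HTTP/fimcm.$Domain"               = 'svc-fimcmpool'     # FIM CM Web Pool Agent (useAppPoolCredentials = true)
}

foreach ($spn in $Spns.Keys) {
    $owner   = $Spns[$spn]
    # Look before writing: an SPN held by any other object in the forest is a conflict.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $other   = @($holders | Where-Object { $_.sAMAccountName -ne $owner })
    if ($other.Count -gt 0) {
        Write-Warning "$spn is already registered on $($other | ForEach-Object { $_.sAMAccountName }); skipped"
        continue
    }
    if ($holders.Count -gt 0) { "$spn already present on $owner"; continue }
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$owner)"
    if (-not $target) { Write-Warning "account $owner not found; $spn skipped"; continue }
    Set-ADObject -Identity $target -Add @{ servicePrincipalName = $spn }
    "registered $spn on $owner"
}

# Constrained delegation without protocol transition: the Portal's app pool account and the
# FIM Service account may delegate only to the FIMService SPNs. -Replace with the merged set
# avoids the error raised when a value already present is added again.
$fimServiceSpns = @($Spns.Keys | Where-Object { $_ -like 'FIMService/*' })
foreach ($acct in 'svc-fimsharepoint', 'svc-fimservice') {
    $u       = Get-ADUser -Identity $acct -Properties 'msDS-AllowedToDelegateTo'
    $current = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $wanted  = @($current + $fimServiceSpns | Sort-Object -Unique)
    Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$wanted }
    "$acct may delegate to: $($wanted -join ', ')"
}

# Final forest-wide duplicate scan; anything reported here must be fixed before Kerberos works.
setspn.exe -X -F
```

The delegation step deliberately leaves "Use any authentication protocol" (protocol transition) off: the quote only requires that the FIM Service instances and the Portal can reach each other with Kerberos, and enabling protocol transition would let those accounts impersonate any user to the listed SPNs without the user's own ticket.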
Changing the FIM Synchronization Service account
References
Source: [11.] Change the Forefront Identity Manager 2010 R2 Synchronization Service Account
The procedure is described in detail in the reference TechNet page.
Before you change the account of any of the FIM services, make sure you can roll back: have a disaster recovery plan (DRP) in place and a tested backup and restore procedure.
Required settings
Items | Ref. | Description |
---|---|---|
Account Security | [11.] | To complete this procedure, you must be logged on as a member of the FIMSyncAdmins security group. |
Account Security | [11.] | See the Account security requirement of the FIM Sync service account, section below. |
Backup | [11.] | Back up the encryption key set by running MIISkmu.exe. |
Installation | [11.] | Run Setup from the FIM installation CD in maintenance mode and change the Microsoft Forefront Identity Manager 2010 R2 service account credentials from the old account to the new one. During the setup process, you are prompted for the encryption key set. |
Risks
Items | Ref. | Description |
---|---|---|
Attacks | [11.] | To prevent attacks to the registry and system files by malicious users, it is strongly recommended that you do not add the Microsoft Forefront Identity Manager 2010 R2 service account to the local administrators group. |
Account Lock down | [11.] | Local Security Policy: no additional lock-down procedures are needed to secure the Microsoft Forefront Identity Manager 2010 R2 service account in a domain. By default, you cannot log on locally with the Microsoft Forefront Identity Manager 2010 R2 service account. |
FIM Setup
FIM setup account – functional account
References
- [12.] Before you begin
- [17.] Considerations for New Installation of FIM 2010 R2
- [18.] Installing the FIM 2010 R2 Server Components
- [5.] Segregation of duties
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | [18.] | You must create a user account to run the installation of the FIM components. This installer account must be a domain user account: during installation the installer account is assigned the root administrator role in the FIM Service and Portal, and it needs the SQL Server sysadmin role, which by preference is granted on a domain-joined SQL Server using Windows authentication. |
Account Security: SQL | [18.] | ONLY DURING INSTALLATION. To install the FIM Synchronization Service or the FIM Service, the account must be a SQL Server sysadmin; it does not have to remain a sysadmin after the installation is complete. By default, members of the local Administrators group do not have the necessary permissions: unless the user account is either the built-in administrator account or the account used to install SQL Server, it must be granted the sysadmin role in SQL Server explicitly. |
Account Security: SharePoint | [18.] | To install the FIM Portal, the account must be a SharePoint administrator. It is assumed that SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who installs the FIM Portal is authorized as an administrator of that SharePoint site. |
Account Security: local | [18.] | ONLY DURING INSTALLATION. The FIM installer account must be a member of the local Administrators group on the FIM servers. |
Account Security | [18.] | The FIM installer account should only be a member of the security group FIMSyncAdmins. |
Account security | [18.] | Use the following restrictions on the FIM installer account: |
Account separation | [5.] | Because the FIM installer account is only used to install FIM components, during initial setup or when applying a hotfix, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
Risks
Items | Ref. | Description |
---|---|---|
Same account | [18.] | The FIM Sync Service account has HPA access to the FIM Sync Service operations; using the same account for installation and for the FIM Sync Service bestows privileges on the FIM Sync service account that it does not need. |
FIM Synchronization Service – service account
References
- [22.] FIM 2010 R2: Same Account being used for FIM Synchronization Service and FIM MA
- [23.] FIM 2010 R2: FIM Service or the FIM Synchronization Service Account does not have Deny Logon As Batch Job set
- [12.] Before you begin
- [17.] Considerations for New Installation of FIM 2010 R2
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | [12.] | You must create a service account to run the FIM Synchronization Service. This service account must be a domain service account. |
Account Security | [12.] | This account should not be a local administrator account. |
Account Security | [12.] | The service accounts should not be members of the local administrators group. |
Account Security | [12.] | The FIM Synchronization Service SVCA should not be a member of the security groups that are used to control access to FIM Synchronization Service (groups starting with FIMSync, for example, FIMSyncAdmins). |
Account security | [12.] | On the server running the FIM Synchronization Service, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account.
On the server running the FIM Service, you must only restrict the FIM Service service account, and not the FIM Synchronization Service service account. Use the following restrictions on the service accounts:
|
Account separation | [12.], [17.] | Because the FIM Synchronization Service account is only used to run the FIM Synchronization Service, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
Account Separation | [12.], [17.] | The FIM Sync service SVCA must not be part of the FIM Sync Security Groups
The FIM Service SVCA must be part of the FIM Sync Admins security group. (See Ref. 4) This requirement excludes the use of 1 single account for both the FIM Service and the FIM Synchronization service. |
Exceptions
Items | Ref. | Description |
---|---|---|
Password reset | [12.] | If you are deploying password reset, do not use the Deny access to this computer from the network restriction option. |
Risks
Items | Ref. | Description |
---|---|---|
Same account | [12.] | Because the FIM Synchronization Service account is only used to run the FIM Synchronization Service, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
Same account | [12.] | If you use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service onto different servers, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server. If that access is denied, the FIM Service can no longer contact the FIM Synchronization Service to change configuration and manage passwords. |
Same account | [12.] | The FIM Sync Service account has HPA access to the FIM Sync Service operations; using a single account for both services bestows those privileges on the FIM Service as well, far more than it needs. |
FIM Administrative Security Groups
References
- [13.] Using Security Groups
Purpose
During installation or reconfiguration, FIM needs five security groups to manage access to the FIM Synchronization Service.
Three groups control which tasks users can perform in Synchronization Service Manager:
Items | Ref. | Description |
---|---|---|
FIMSyncAdmins | [13.] | Members of this group have full access to everything in Synchronization Service Manager GUI. |
FIMSyncOperators | [13.] | Members of this group have access to Operations in the Synchronization Service Manager only. FIMSyncOperators can run management agents, view synchronization statistics for each run, and save the run histories to a file. Members of the FIMSyncOperators group must also be members of the FIMSyncBrowse group to open links in synchronization statistics. |
FIMSyncJoiners | [13.] | Members of this group have access to Joiner and Metaverse Search in Synchronization Service Manager. FIMSyncJoiners can join or project disconnectors by using Joiner, and they can use Metaverse Search to view object properties and disconnect objects from the metaverse. |
FIM also needs two security groups for authentication during password management operations; these do not grant access to Synchronization Service Manager:
Items | Ref. | Description |
---|---|---|
FIMSyncBrowse | [13.] | Can gather information about a user's lineage when resetting passwords by using Windows Management Instrumentation (WMI) queries. |
FIMSyncPasswordSet | [13.] | Members of this group have permission to perform all operations by using the password management interfaces with WMI. Members in this group inherit all FIMSyncBrowse permissions. For more information about setting passwords by using WMI, see the FIM Developer Reference. |
Required configuration
Items | Ref. | Description |
---|---|---|
Account type: domain local groups | [13.] | By default, FIM setup creates these groups as local computer groups rather than domain local groups. Local computer groups are known only to that server, whereas domain local groups are recognized throughout the domain. There are cases where you need domain local groups for these roles; see Group type selection below. |
Account creation | [13.] | If you plan to use domain local groups, create the groups before installing FIM. |
Account creation | [13.] | Add the FIM setup account to the domain local group FIMSyncAdmins. |
Risk
Items | Ref. | Description |
---|---|---|
Group creation by wizard | [13.] | During installation and setup, FIM adds the user account that is running the installation to the FIMSyncAdmins group, but only if the FIMSyncAdmins group is also created during setup. If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group. |
Local groups | [13.] | If you do not create the groups in advance, FIM setup will offer to create them as local computer groups rather than domain local groups. There are cases where you need domain local groups for these roles; see Group type selection below. |
Group type selection
Source: [13.] Using Security Groups
There might be cases where you need to use domain local groups for these roles. For example:
- Two servers running FIM with a shared database for the purposes of redundancy.
- FIM management is distributed across the organization; domain local groups let you grant access to the appropriate people within your organization.
- When the FIM configuration must be moved from one server to another.
- Centralised or remote log management: you can use domain local groups to control access to remote servers.
- If you are enabling password synchronization on FIM, you must use a domain account for the FIM Synchronization Service service account.
Important: If you plan to use domain local groups, create the groups before installing FIM.
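The script below is an added example for this guide, not code from the original article or from the FIM documentation. It does what the group sections above ask for before FIM setup runs: it creates the five FIMSync* groups as domain local groups, adds the FIM installer account (which setup does not add to a pre-existing FIMSyncAdmins group) and the FIM Service account to FIMSyncAdmins, and checks that the FIM Synchronization Service account is in none of the groups. The OU, domain and account names are hypothetical placeholders; it requires the RSAT ActiveDirectory module and rights to create groups in that OU.

```powershell
# Added example (not from the original article): pre-create the FIM Sync security groups.
# OU and account names are hypothetical; adjust before running.
Import-Module ActiveDirectory

$GroupOU           = 'OU=FIM,OU=Service Groups,DC=corp,DC=example,DC=com'
$SetupAccount      = 'svc-fiminstall'   # FIM installer account
$FimServiceAccount = 'svc-fimservice'   # must be a member of FIMSyncAdmins
$FimSyncAccount    = 'svc-fimsync'      # must NOT be a member of any FIMSync* group

$Groups = @{
    FIMSyncAdmins      = 'Full access to Synchronization Service Manager'
    FIMSyncOperators   = 'Operations only: run management agents, view run statistics'
    FIMSyncJoiners     = 'Joiner and Metaverse Search'
    FIMSyncBrowse      = 'WMI lineage queries during password reset'
    FIMSyncPasswordSet = 'WMI password management, inherits FIMSyncBrowse'
}

foreach ($name in $Groups.Keys) {
    $existing = Get-ADGroup -Filter "sAMAccountName -eq '$name'"
    if ($existing) {
        if ($existing.GroupScope -ne 'DomainLocal') {
            Write-Warning "$name already exists with scope $($existing.GroupScope); expected DomainLocal"
        }
        continue
    }
    New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description $Groups[$name]
    "created domain local group $name"
}

# Setup only adds the installing account when it creates FIMSyncAdmins itself, so with
# pre-created groups both required members are added here (skipping existing members).
$admins = @(Get-ADGroupMember -Identity FIMSyncAdmins | ForEach-Object { $_.SamAccountName })
foreach ($acct in $SetupAccount, $FimServiceAccount) {
    if ($admins -notcontains $acct) {
        Add-ADGroupMember -Identity FIMSyncAdmins -Members $acct
        "added $acct to FIMSyncAdmins"
    }
}

# Account separation: the Sync service account must hold no FIMSync* role, directly or nested.
foreach ($name in $Groups.Keys) {
    $members = @(Get-ADGroupMember -Identity $name -Recursive | ForEach-Object { $_.SamAccountName })
    if ($members -contains $FimSyncAccount) {
        Write-Warning "$FimSyncAccount is a member of $name; remove it before installing FIM"
    }
}
```

Run it once before FIM setup and again after any group reorganisation; during setup, point the installer at the existing group names so that it does not create a second, local set.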
FIM task scheduler – technical account
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | | You must create a service account to execute the FIM Task Scheduler jobs. Because the FIM security groups should be hosted in AD, this service account must be a domain user account. |
Account Security | | This account should not be a local administrator account and should not be a member of the local Administrators group. |
Account Security | | The FIM Task Scheduler account must be a member of the security group FIMSyncAdmins, to allow it to clean the run history. |
Account security | | On the server running the FIM Synchronization Service, you must allow the FIM Task Scheduler account; use the following restrictions on the FIM Task Scheduler account: |
Account Security – Folder access | | The FIM Task Scheduler account might need specific access on files and folders on the server. |
Account separation | | Because the FIM Task Scheduler account is only used to execute the scheduled tasks, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
PCNS
<To be completed>
FIM Service
FIM Service – service account
References
- [23.] FIM 2010 R2: FIM Service or the FIM Synchronization Service Account does not have Deny Logon As Batch Job set
- [12.] Before you begin
- [17.] Considerations for New Installation of FIM 2010 R2
- [18.] Installing the FIM 2010 R2 Server Components
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | [12.] | To run the FIM Service component, you must have a dedicated domain service account. |
Account type: mail enabled | [12.] | To be able to use the Office Outlook integration feature, an Exchange Server mailbox must also be created for this account. To use the FIM 2010 R2 Add-in for Outlook feature, you must set up the domain service e-mail account on a server that hosts Exchange Server 2007 or Exchange Server 2010. If you plan to use SMTP for notifications rather than Exchange Server, ensure that this service account has the required permissions on the SMTP gateway. |
Account Security | [23.] | This account should not be a local administrator account. |
Account Security | [12.] | The service accounts should not be members of the local administrators group. |
Account Security | [17.] | The FIM Service Service SVCA must be member of the security groups:
For SSPR
|
Account security | [23.] | On the server running the FIM Synchronization Service, you must restrict only the FIM Synchronization Service service account and not the FIM Service service account.
On the server running the FIM Service, you must only restrict the FIM Service service account, and not the FIM Synchronization Service service account. Use the following restrictions on the service accounts:
For SSPR
|
Account separation | [12.], [17.] | Because the FIM Service account is only used to run the FIM Service, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
Account Separation | [12.], [17.] | The FIM Service SVCA must be part of the FIM Sync Admins security group. (See Ref. 4)
The FIM Sync service SVCA must not be part of the FIM Sync Security Groups This requirement excludes the use of 1 single account for both the FIM Service and the FIM Synchronization service. |
Account Separation | [12.] | You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected. |
Account settings: mail | [18.] | See page 50, par. 9.1, post-installation FIM Service |
Risks
Items | Ref. | Description |
---|---|---|
Same account | [17.] | Because the FIM Service account is only used to run the FIM Service, do not use this account for any other purpose. As other services require other privileges, the principle of least privilege (PoLP) demands separate accounts. |
Same account | [17.] | If you use the same account for both service accounts and you separate the FIM Service and the FIM Synchronization Service onto different servers, you cannot set Deny access to this computer from the network on the FIM Synchronization Service server. If that access is denied, the FIM Service can no longer contact the FIM Synchronization Service to change configuration and manage passwords. |
Same account | [17.] | The FIM Service account has HPA access to the FIM Service operations; using a single account for both services bestows those privileges on the FIM Synchronization Service as well, far more than it needs. |
Important: You must reserve the domain service e-mail account for the exclusive use of the FIM Service. If e-mail messages are being processed by other applications, such as Office Outlook 2007, the functionality of FIM Service might be affected.
FIM MA account
References
- [12.] FIM 2010 Installation Guide > Before you begin
Required settings
Items | Ref. | Description |
---|---|---|
Configuring the Service Accounts Running the FIM 2010 R2 Server Components in a Secure Manner | [12.] | There are three service accounts that are used to run the FIM server components. They are called the FIM Service service account, the FIM Synchronization Service service account, and the FIM Password service account in this guide. The FIM MA account is not considered a service account, and it should be a regular user account. For the FIM Synchronization Service service account to be able to impersonate the FIM MA account, the FIM MA must be able to log on locally. |
Account type | [12.] | You must create a domain account that is reserved for the exclusive use of the FIM Service management agent (FIM MA) used by the FIM Synchronization Service to communicate with the FIM Service. |
Account Security | [12.] | The FIM Service has to know the name of the account that the FIM MA is using so that during setup it can give the account the required permissions. This account should not be a local administrator account. |
Understanding the Purpose of the FIM Service Management Agent Account
The purpose of this account is to make it possible for the FIM Service to be able to identify the FIM Synchronization Service when it is exporting to the FIM Service through the Web services. When the FIM Synchronization Service engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows run.
Risk
Items | Ref. | Description |
Portal logon with trusted account | [12.] | The account that you use for the FIM MA should be considered a trusted account. You should not use it to access the FIM Portal. If you do, all requests that are made through the FIM Portal with this account will skip AuthN and AuthZ. |
Account Change | [12.] | If you later change this account in the FIM Synchronization Service, you must also run a change install on the FIM Service to update the service with the new account information. |
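The following script is an added example, not code from the original article or the referenced guides. It exports the local security policy with secedit.exe and reports how the "Deny ..." user rights discussed in the service account sections above apply to the FIM accounts on this server, including the two caveats the page raises: Deny access to this computer from the network must not be set on the Synchronization Service account when password reset is deployed, and the FIM MA account must keep the ability to log on locally so that the Synchronization Service can impersonate it. It also checks that the accounts are not local administrators. Run it elevated on each FIM server; the account names are hypothetical placeholders, and it only checks direct assignment of the rights, not membership of groups that hold them.

```powershell
# Added example (not from the original article): audit user rights for the FIM accounts.
# Account names are hypothetical. Run elevated on the server being checked.
param(
    [string]$ServiceAccount = 'CORP\svc-fimsync',   # the FIM service account that runs on THIS server
    [string]$FimMaAccount   = 'CORP\svc-fimma',     # FIM MA account (must be able to log on locally)
    [switch]$PasswordResetDeployed                  # SSPR in use: Deny network logon must NOT be set
)

$inf = Join-Path $env:TEMP 'fim-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# secedit writes one line per right, e.g.  SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-...
# SIDs are prefixed with '*'; resolve them back to DOMAIN\name so they can be compared.
function Get-RightHolders([string]$Right) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # orphaned SID: keep it raw so it still appears in the report
        } else { $entry }
    })
}

$denyRights = @{
    SeDenyBatchLogonRight       = 'Deny log on as a batch job'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeDenyNetworkLogonRight     = 'Deny access to this computer from the network'
}

foreach ($right in $denyRights.Keys) {
    $holders = Get-RightHolders $right
    "$($denyRights[$right]): $(if ($holders) { $holders -join ', ' } else { '<nobody>' })"

    $restricted = $holders -contains $ServiceAccount
    if ($right -eq 'SeDenyNetworkLogonRight' -and $PasswordResetDeployed) {
        if ($restricted) { "  REVIEW: $ServiceAccount is denied network access; FIM Service -> Sync Service password management will fail" }
    } elseif (-not $restricted) {
        "  REVIEW: $ServiceAccount is not restricted by '$($denyRights[$right])'"
    }
    if ($right -eq 'SeDenyInteractiveLogonRight' -and ($holders -contains $FimMaAccount)) {
        "  REVIEW: $FimMaAccount (FIM MA) is denied local logon; impersonation by the Sync Service will fail"
    }
}

# Service accounts must not be local administrators (compared on the account name only).
$admins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
foreach ($acct in $ServiceAccount, $FimMaAccount) {
    if ($admins -contains $acct.Split('\')[-1]) { "REVIEW: $acct is a member of the local Administrators group" }
}
```

Pass the account that actually runs on the server being audited ($ServiceAccount is the Sync account on the Synchronization Service server and the FIM Service account on the FIM Service server), since the guides require restricting only the local service account on each server.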
FIM SSPR – Registration & Reset portals
Because the SSPR portals for password registration and password reset are hosted on IIS, their security mainly focuses on IIS.
The FIM-specific configuration is applied during installation or reconfiguration.
IIS
Reference: [54.]: Security Best Practices for IIS 8
Management agents
General
General: http://aka.ms/FIM_PortsRightsPersmissions
FIM MA
FIM MA account security
ADMA
How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account: http://support.microsoft.com/kb/303972
- For Exchange permission, incl. executing remote Exchange PowerShell, see below.
- FIM Reference: How to set more granular permissions than "replicating directory changes" on a source AD read by the ADMA
- FIM Reference: FIM 2010 - Installation Companion - Accounts
Exchange 2010 / 2013
See:
GALSync
SQL MA
Other MAs
FIM Certificate Management
References
“The following table summarizes the accounts and permissions required by FIM CM. You can allow FIM CM to create the following accounts automatically, or you can create them prior to installation. The actual account names can be changed. If you do create the accounts yourself, consider naming the user accounts in such a way that it is easy to match the user account name to its function.”
FIM CM Agent
Provides the following services:
- Retrieves encrypted private keys from the CA.
- Protects smart card PIN information in the FIM CM database.
- Protects communication between FIM CM and the CA.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security | [36.] | |
FIM CM Key Recovery Agent
Provides the following services:
- Recovers archived private keys from the CA.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: Local permissions | [36.] | |
Account Security: Certificates | [36.] | |
Account Security: Folder Security | [36.] | |
FIM CM Authorization Agent
Provides the following services:
- Determines user rights and permissions for users and groups.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security | [36.] | |
FIM CM CA Manager Agent
Provides the following services:
- Performs CA management activities.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: PKI | [36.] | |
FIM CM Web Pool Agent
Provides the following services:
- Provides the identity for the IIS application pool. FIM CM runs within a Microsoft Win32® application programming interface process that uses this user’s credentials.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: Local permissions | [36.] | |
Account Security: Audit | [36.] | |
Account Security: Special Rights | | |
Account Security: IIS | [36.] | |
Account Security: Registry | [36.] | |
Account Security: AD Special Rights | [36.] | |
FIM CM Enrollment Agent
Provides the following services:
- Performs enrollment on behalf of a user.
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: PKI | [36.] | |
Account Security: Special Rights | [36.] | |
FIM Reporting (SCSM)
Reference
SCSM Installer Account
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: Local Rights | [36.] | |
Account Security: SQL Rights | [36.] | Rights in SQL to create databases and assign security roles. |
Important | | After installation, the account access can be lowered or the account can be disabled and re-enabled if updates need to be installed. |
SCSM Administrators Group
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Security group in AD |
Account Security: Rights | [36.] | The Installer account is added automatically. |
Account Security: Rights | [36.] | The group is added to the Service Manager Administrators role automatically. The group is also added to the Data Warehouse Administrators role automatically. |
Service Manager Service Account
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: Local Rights | [36.] | Local admin on the SCSM and SCSMDW server. |
Account Security | [36.] | After installation, this account becomes the Operational System Account and is assigned as the logon account for both the System Center Data Access Service and the System Center Management Configuration Service. After installation it also becomes the data warehouse Run As account and is assigned as the Service Manager SDK account and the Service Manager Config account. |
Account Security: SQL | | In SQL, it is added to the sdk_users and configsvc_users database roles on the SCSM and SCSMDW databases, and becomes a member of the db_datareader role for the DWRepository database. |
Workflow Account
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: Local Rights | [36.] | Member of the local Users security group. |
Account Security: Local Rights | [36.] | If email notifications are required, this account must be mail enabled. |
Reporting Account
Items | Ref. | Description |
---|---|---|
Account Type | [36.] | Domain account |
Account Security: SQL | [36.] | |
BHOLD
References
See: [38.] FIM 2010: Quick Guide to installing BHOLD Core
BHOLDApplicationGroup
Items | Ref. | Description |
---|---|---|
Account Type | [38.] | Domain group |
BHOLD Core Service Account
Items | Ref. | Description |
---|---|---|
Account Type | [38.] | Domain user |
Account Security | [38.] | Log on as a Service |
Account Security | [38.] | Password never expires |
Account Security | [38.] | |
Security during Installation
FIM setup account – functional account
References
- [12.] Before you begin
- [17.] Considerations for New Installation of FIM 2010 R2
- [18.] Installing the FIM 2010 R2 Server Components
- [5.] Segregation of duties
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | [18.] | You must create a user account to run the installation of the FIM components. This installer account must be a domain user account. The most important reason is that the FIM installer account is assigned root administrator in the FIM Service and Portal; during the installation you need SQL sysadmin (SA) rights, which by preference means a domain-joined SQL Server with Windows authentication. |
Account Security: SQL | [18.] | ONLY DURING INSTALLATION. To be able to install the FIM Synchronization Service or the FIM Service, the account must be a SQL sysadmin. The account that you use does not have to be a SQL sysadmin after the installation is complete. The user account used to install the FIM Service must be granted the sysadmin role in SQL Server. By default, members of the local Administrators group do not have the necessary permissions. Unless the user account is either the built-in administrator account or the user account used to install SQL Server, the user account must be granted the sysadmin role in SQL Server. |
Account Security: SharePoint | [18.] | To be able to install the FIM Portal, the account must be a SharePoint administrator. It is assumed that SharePoint is installed with the default settings, that the default SharePoint site can be reached using the address specified in the user interface, and that the user who is installing the FIM Portal is authorized as an administrator of that SharePoint site. |
Account Security | [18.] | ONLY DURING INSTALLATION. This account should be a local administrator account. |
Account Security | [18.] | ONLY DURING INSTALLATION. The FIM installer account should be a member of the local Administrators group. |
Account Security | [18.] | The FIM installer account should only be a member of the security group FIMSyncAdmins. |
Account security | [18.] | Use the following restrictions on the FIM installer account: |
Account separation | [5.] | Because the FIM installer account is only used to install FIM components, during initial setup or when applying a hotfix, do not use this account for other purposes. DO NOT. As other services require other privileges, the PoLP demands the use of separate accounts. |
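The table above says the installer account needs SQL sysadmin and local Administrators membership only during installation, and should afterwards be a member of FIMSyncAdmins only. The following PowerShell script is an added example (not part of the original article or of the FIM product) that checks whether those privileges were actually dropped after setup; the account name CORP\fimsetup, the hosts FIMSQL01 and FIMSVC01, and the SqlServer and ActiveDirectory modules are assumptions.

```powershell
# Added example: post-installation least-privilege check for the FIM installer account.
# Assumed names: CORP\fimsetup (installer account), FIMSQL01 (SQL Server instance),
# FIMSVC01 (FIM Service/Sync server). Requires the SqlServer module (Invoke-Sqlcmd),
# the ActiveDirectory module, and rights to query local group membership on FIMSVC01.
$InstallerAccount = 'CORP\fimsetup'
$SqlInstance      = 'FIMSQL01'
$FimServer        = 'FIMSVC01'
# Group memberships that are expected to remain after installation (assumption:
# Domain Users is the account's primary group, FIMSyncAdmins is required by the article).
$AllowedGroups    = @('Domain Users', 'FIMSyncAdmins')

$findings = @()

# 1. SQL sysadmin is only needed while FIM Service / Sync Service are being installed.
#    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login unknown).
$query = "SELECT IS_SRVROLEMEMBER('sysadmin', '$InstallerAccount') AS IsSysadmin"
$row   = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query
if ($row.IsSysadmin -eq 1) {
    $findings += "$InstallerAccount is still a member of the sysadmin role on $SqlInstance"
}

# 2. Local Administrators membership on the FIM server is only needed during installation.
$localAdmins = Invoke-Command -ComputerName $FimServer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}
if ($localAdmins -contains $InstallerAccount) {
    $findings += "$InstallerAccount is still in the local Administrators group on $FimServer"
}

# 3. In AD the installer account should hold no group memberships beyond FIMSyncAdmins.
$sam    = $InstallerAccount.Split('\')[1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$extra  = $groups | Where-Object { $_ -notin $AllowedGroups }
if ($extra) {
    $findings += "$InstallerAccount has unexpected AD group memberships: $($extra -join ', ')"
}

# 4. The account is a functional account: report whether it is still enabled between uses.
if ((Get-ADUser -Identity $sam).Enabled) {
    $findings += "$InstallerAccount is enabled; the article suggests disabling it until the next update"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $InstallerAccount holds installation-time privileges no longer"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an administrative PowerShell session after each installation or hotfix; every warning corresponds to a row in the table above that still needs to be reverted.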
Risks
Items | Ref. | Description |
---|---|---|
Same account | [18.] | The FIM Sync Service account has HPA access to the FIM Sync Service operations; using the same account for installation bestows too many unneeded privileges on the FIM Sync Service account. |
FIM SSPR – Registration & Reset portals
Because the SSPR portals for password registration and password reset are hosted on IIS, security mainly focuses on IIS.
The FIM-specific part of the configuration mainly concerns the installation or reconfiguration of the FIM SSPR portals for password registration or password reset.
Change mode install
Reference
From: [34.] Password Registration and Reset Portal Deployment
Procedure
“The following is a note on doing a change mode install.
If you do a change mode install to change the account that runs the FIM Password Registration and Password Reset portals you must also run a change mode install on the server that is running the FIM Service and specify the application pool account or accounts.
This should be done first.
That is, prior to running the change mode install on the Registration and Reset portal server, run a change mode install on the server that is running the FIM Service and associate it with the new application pool account or accounts.”
Post-installation: Securing FIM
FIM Service
References
- [18.] Installing the FIM 2010 R2 Server Components
- [29.] Configure Message Delivery Restrictions
- [30.] Configure Message Size Limits for a Mailbox or a Mail-enabled Public Folder
- [31.] Configure Storage Quotas for a Mailbox
Required settings
Items | Ref. | Description |
---|---|---|
Account type: domain account | [18.] | Configuring the FIM Service service Exchange mailbox |
FIM Portal (SharePoint)
Reference
Items | Ref. | Description |
---|---|---|
Account type | [15.] | Change the SharePoint Application Pool Account to Use CORP\SPService |
SharePoint in depth
See page 57, paragraph 12.4, SharePoint.
Portal Security
User Account login
There are different ways of creating accounts in the FIM portal:
- synchronizing the accounts into the portal from AD, via the FIM Sync engine
- creating the accounts in the portal and setting the objectSID attribute by PowerShell script
  - For more information see: How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object
Administrator account / installation account
The account that installs the FIM Service / FIM portal will be assigned as primary portal administrator, as it will be added to the Administrators set in the FIM Portal.
Items | Ref. | Description |
---|---|---|
Additional administrators | | Additional administrators must be added to the 'Administrators' set |
Post-installation: Securing FIM Backend
Portal Security
User Account login
- To log on to the portal, these administrators must have an account in the portal with the following attributes matched to an AD user account:
  - logon name = corresponding AD sAMAccountName
  - Domain = logon domain (NetBIOS) of the domain the user is logging on to
  - objectSid = objectSid of the user account
There are different ways of creating accounts in the FIM portal:
- synchronizing the accounts into the portal from AD, via the FIM Sync engine
- creating the accounts in the portal and setting the objectSID attribute by PowerShell script
For more information see: How to Use PowerShell to Fix an ObjectSID on an FIM Portal Object
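The three attributes listed above (AccountName, Domain, ObjectSID) are what the portal compares against the Windows identity at logon, so a portal Person whose ObjectSID does not match AD cannot log on, and a Person whose ObjectSID matches a different AD user is the wrong person. The following script is an added example, not the code of the referenced wiki article or of FIM itself: it recomputes the expected ObjectSID from AD and corrects the portal object through the FIMAutomation snap-in's Export-FIMConfig / Import-FIMConfig cmdlets. The identity CORP\jdoe is an assumption.

```powershell
# Added example: verify, and if necessary fix, the ObjectSID of one FIM Portal Person.
# Run on a FIM Service server where the FIMAutomation snap-in is registered.
# Assumptions: ActiveDirectory module available, sample identity CORP\jdoe.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$Domain = 'CORP'   # NetBIOS logon domain (assumption)
$Sam    = 'jdoe'   # sAMAccountName (assumption)

# The portal stores ObjectSID as the base64 form of the binary AD objectSid.
$adUser   = Get-ADUser -Identity $Sam
$sidBytes = New-Object byte[] $adUser.SID.BinaryLength
$adUser.SID.GetBinaryForm($sidBytes, 0)
$expectedSid = [Convert]::ToBase64String($sidBytes)

# Read the portal Person by the same AccountName/Domain pair the logon check uses.
$xpath  = "/Person[AccountName='$Sam' and Domain='$Domain']"
$person = Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath
if (-not $person) { throw "No portal Person found for $Domain\$Sam" }

$attrs      = $person.ResourceManagementObject.ResourceManagementAttributes
$currentSid = ($attrs | Where-Object { $_.AttributeName -eq 'ObjectSID' }).Value

if ($currentSid -eq $expectedSid) {
    Write-Output "ObjectSID for $Domain\$Sam already matches AD; nothing to do"
    return
}

# Build a Put request that replaces the single-valued ObjectSID attribute.
$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = 'Replace'
$change.AttributeName  = 'ObjectSID'
$change.AttributeValue = $expectedSid
$change.FullyResolved  = $true
$change.Locale         = 'Invariant'

$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Person'
$import.TargetObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
$import.SourceObjectIdentifier = $person.ResourceManagementObject.ObjectIdentifier
$import.State                  = 'Put'
$import.Changes                = @($change)

$import | Import-FIMConfig
Write-Output "ObjectSID for $Domain\$Sam replaced in the portal (was '$currentSid')"
```

Because the request goes through the FIM Service as the account running the script, it is subject to the normal AuthN/AuthZ workflows, unlike an export from the FIM MA account described earlier.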
Primary Administrator account / setup account
The account that installs the FIM Service / FIM portal will be assigned as primary portal administrator, as it will be added to the Administrators set in the FIM Portal
Secondary / personal administrator accounts
Additional administrators must be added to the 'Administrators' set
Download
Download the entire guide at once, in PDF version from Technet Gallery .
This document has some additional content, which is not available online.
Direct Links
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Table of contents
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 1. Introduction
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 2. FIM Security principles
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 3. Compact Checklist
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 4. Detailed Description
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 5. Operational Best Practices
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 6. References & authoritative resources
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 7. Additional resources
- FIM 2010/MIM 2016: Planning security setup for accounts, groups and services - Part 8. Glossary
Return to Table of Contents of the article series