Planning permissions and roles

Microsoft Forefront Threat Management Gateway implements access control to all components of the configuration and monitoring information through the Windows Server 2008 security descriptors of the applicable objects. The discretionary access control list (DACL) in the security descriptor of each object defines the types of access, or permissions, that can be granted to users and groups and specifies the users and groups that have been granted each of the permissions defined.

To simplify the administration of granting permissions to users, Forefront TMG provides administrative roles. A role defines a collection of rights, which authorize users and groups to perform specific actions. When a role is assigned to a user or group, Forefront TMG configures the DACLs in the security descriptors of the corresponding objects to grant the permissions needed to perform the actions allowed by the role to the user or group. Forefront TMG also reconfigures the DACLs in the applicable security descriptors whenever you modify the assignments of the administrative roles or the Microsoft Forefront TMG Control service (isactrl) is restarted.

Using role-based administration

You can use administrative roles to organize Forefront TMG administrators into separate, predefined categories, each with its own set of actions that the administrators are allowed to perform. When you assign a role to a user, you grant that user rights to perform specific actions. After you determine which administrators should be allowed to configure or view Forefront TMG policy, other configuration settings, and monitoring information, you can assign roles appropriately.

Roles can be assigned to any Windows user or group. Based on the rights included in the role assigned to a user or group, Forefront TMG configures the corresponding permissions for accessing the applicable components of the Forefront TMG configuration and monitoring information for each administrator.

When you assign a role that includes rights to view or modify the local configuration to a user or group, Forefront TMG configures the applicable permissions for accessing the configuration settings stored in the local instance of Active Directory Application Mode (ADAM).

Administrative roles should not be assigned to CREATOR OWNER, CREATOR GROUP, or their security identifiers (SIDs). This is because these SIDs do not exist in ADAM, in which the Forefront TMG configuration is stored.

Because Forefront TMG controls access to your network, you should take special care in assigning roles that include rights to perform actions on the Forefront TMG server and related components. Carefully determine who should be allowed to log on to the Forefront TMG server. Then, assign roles with logon rights accordingly.

Role-based administration features

Forefront TMG offers several predefined administrative roles. As with any application in your environment, when you assign these administrative roles to users, you should apply the principle of least privilege and consider the administrative tasks that different Forefront TMG administrators need to perform. A user that has one role, such as Forefront TMG Array Administrator, can perform specific Forefront TMG administrative tasks that a user with another role, such as Forefront TMG Array Monitoring Auditor, is not allowed to perform.

The Forefront TMG administrative roles can be assigned to any Windows user or group. No special privileges or Windows permissions are required.

Note

The only exception is that to view the Forefront TMG performance counters by using Perfmon or the Forefront TMG Dashboard, the user must be a member of the Windows Server 2008 Performance Monitor Users group.

Users who belong to the local Administrators group on a computer running the Forefront TMG services do not need to be assigned a role. They have full rights to configure and monitor Forefront TMG.

Array-level administrative roles

You can use the array-level administrative roles to organize array-level administrators into separate, predefined categories, each with its own set of actions that administrators are allowed to perform. The following table describes the Forefront TMG array-level roles.

Role                                   | Description
---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Forefront TMG Array Monitoring Auditor | Users and groups assigned this role can monitor basic Forefront TMG server and network activity but cannot view the Forefront TMG configuration.
Forefront TMG Array Auditor            | Users and groups assigned this role can perform all monitoring tasks, including log configuration and alert definition configuration, and can view the Forefront TMG configuration.
Forefront TMG Array Administrator      | Users and groups assigned this role can perform any Forefront TMG administrative task on the specific array, including rule configuration, applying network templates, and monitoring.

Note

Administrators with the Forefront TMG Array Auditor role can configure all report properties with the following exceptions:

  • Cannot configure a different user account when publishing reports.
  • Cannot customize report contents.

A user assigned the Forefront TMG Array Administrator role can run highly privileged processes on the Forefront TMG server.

Roles and actions

Each Forefront TMG role defines a list of rights that authorize users to perform specific actions. These actions are typically Forefront TMG administrative tasks. The following table lists some of these actions and shows which of the array-level roles are allowed to perform each one.

Action                                                                                  | Forefront TMG Array Monitoring Auditor | Forefront TMG Array Auditor | Forefront TMG Array Administrator
----------------------------------------------------------------------------------------|----------------------------------------|-----------------------------|----------------------------------
View Dashboard, alerts, connectivity, sessions, services                                | Allowed                                | Allowed                     | Allowed
Acknowledge and reset alerts                                                            | Allowed                                | Allowed                     | Allowed
View log information                                                                    | Not allowed                            | Allowed                     | Allowed
Create alert definitions                                                                | Not allowed                            | Not allowed                 | Allowed
Create reports                                                                          | Not allowed                            | Allowed                     | Allowed
Stop and start sessions and services                                                    | Not allowed                            | Allowed                     | Allowed
View firewall policy                                                                    | Not allowed                            | Allowed                     | Allowed
Configure firewall policy                                                               | Not allowed                            | Not allowed                 | Allowed
Configure cache                                                                         | Not allowed                            | Not allowed                 | Allowed
Configure a virtual private network (VPN)                                               | Not allowed                            | Not allowed                 | Allowed
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced server   | Not allowed                            | Allowed                     | Allowed
View local configuration (in ADAM on array member)                                      | Not allowed                            | Allowed                     | Allowed
Change local configuration (in ADAM on array member)                                    | Not allowed                            | Not allowed                 | Not allowed

For instructions for assigning array-level roles, see Configuring array-level administrative roles.

Best practices

Consider the following best practices.

Credentials

When requested to present credentials, use strong passwords. A password is considered strong if it provides an effective defense against unauthorized access. A strong password does not contain all or part of the user account name and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, or #).
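The following PowerShell function applies the strength rule stated above to a candidate password. It is an added example and is not part of the original page or a Microsoft tool; the function name Test-StrongPassword and the sample inputs are constructed. Because the page does not define what "part of the user account name" means, the function treats any run of three or more consecutive characters from the account name as "part" (an assumption, noted in the code).

```powershell
function Test-StrongPassword {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$AccountName
    )
    $reasons = @()

    # Rule 1: the password must not contain all or part of the account name.
    # Assumption: "part" means any three or more consecutive characters of the
    # account name, compared case-insensitively.
    $lowerPwd  = $Password.ToLowerInvariant()
    $lowerName = $AccountName.ToLowerInvariant()
    if ($lowerName.Length -gt 0 -and $lowerPwd.Contains($lowerName)) {
        $reasons += 'contains the full account name'
    } else {
        for ($i = 0; $i -le $lowerName.Length - 3; $i++) {
            $fragment = $lowerName.Substring($i, 3)
            if ($lowerPwd.Contains($fragment)) {
                $reasons += "contains part of the account name ('$fragment')"
                break
            }
        }
    }

    # Rule 2: at least three of the four character categories must be present.
    # -cmatch is case-sensitive so the upper- and lower-case checks are distinct.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase characters
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase characters
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # keyboard symbols such as ! @ #
    if ($categories -lt 3) {
        $reasons += "uses only $categories of the 4 character categories"
    }

    New-Object PSObject -Property @{
        Strong  = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample inputs: the first embeds the account name, the second does not.
Test-StrongPassword -Password 'jsmith2024!'           -AccountName 'jsmith'
Test-StrongPassword -Password 'Corr3ct-Horse-Battery' -AccountName 'jsmith'
```

The function returns an object rather than a bare Boolean so that the reason a password was rejected can be shown to the user who chose it; the three-character fragment rule is stricter than a literal reading of the page, which is why it is flagged as an assumption.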

Permissions

Apply the principle of least privilege when configuring permissions for Forefront TMG administrators, as described in the following section. Carefully determine who is allowed to log on to the Forefront TMG server, and remove access for anyone who is not critical to the server's functions.

Least privileges

Apply the principle of least privilege, where a user has the minimum privileges necessary to perform a specific task. This helps ensure that if a user account is compromised, the impact is minimized by the limited privileges held by that user.

Keep the Administrators group and other user groups as small as possible. A user who belongs to the Administrators group on the Forefront TMG server, for example, can perform any action on the Forefront TMG server.

Users who belong to the local Administrators group on a computer running the Forefront TMG services automatically have full rights to configure and monitor Forefront TMG.

Logging on and configuring

When you log on to the Forefront TMG server, log on with the least privileged account necessary to perform the anticipated administrative tasks. For example, to configure a rule, you should log on as a Forefront TMG administrator. However, if you only want to view a report, log on with lesser privileges.

In general, use an account with restrictive privileges to perform routine tasks that are unrelated to administration, and use an account with broader privileges only when performing specific administrative tasks.

Guest accounts

We recommend that you do not enable the Guest account on the Forefront TMG server.

When a user logs on to the Forefront TMG server, the operating system checks whether the credentials match a known user. If the credentials do not match a known user, the user is logged on as Guest, with the same privileges granted to the Guest account.

Forefront TMG recognizes the Guest account as the default All Authenticated Users user set.
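The best practices above on keeping the local Administrators group small, on the Performance Monitor Users group, and on leaving the Guest account disabled can be checked together. The PowerShell audit script below is an added example, not part of the page or of Forefront TMG; it uses the WinNT ADSI provider (available on Windows Server 2008, where Get-LocalGroupMember does not exist) and the function names and the list of broad groups to flag are constructed.

```powershell
# Lists members of a local group via the WinNT ADSI provider. Each member is
# returned with its ADsPath (e.g. CONTOSO/TMG-Admins) and class (User or Group).
function Get-LocalGroupMembers {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = $adsPath -replace '^WinNT://', ''
            Type   = $class
        }
    }
}

# Returns $true when a local account is enabled. UserFlags bit 0x0002
# (ADS_UF_ACCOUNTDISABLE) is set when the account is disabled.
function Test-LocalAccountEnabled {
    param([Parameter(Mandatory = $true)][string]$AccountName)
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
    $flags = [int]$user.UserFlags.Value
    return (($flags -band 0x0002) -eq 0)
}

# 1. Local Administrators: every member has full rights to configure and
#    monitor Forefront TMG, so this list should be as short as possible.
$admins = Get-LocalGroupMembers -GroupName 'Administrators'
$admins | Format-Table Group, Member, Type -AutoSize

# 2. Performance Monitor Users: required only to view TMG performance counters
#    (Perfmon or the Dashboard); confirm that only monitoring staff are listed.
Get-LocalGroupMembers -GroupName 'Performance Monitor Users' | Format-Table Group, Member, Type -AutoSize

# 3. The Guest account should stay disabled on the TMG server.
if (Test-LocalAccountEnabled -AccountName 'Guest') {
    Write-Warning 'The Guest account is enabled on this Forefront TMG server.'
}

# 4. Flag catch-all groups nested inside Administrators. The list of names
#    to look for is a constructed example; extend it for your environment.
$broadGroups = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
foreach ($m in $admins) {
    $name = ($m.Member -split '/')[-1]
    if ($broadGroups -contains $name) {
        Write-Warning "Broad group '$name' is a member of Administrators and grants full TMG rights to all of its members."
    }
}
```

Run the script on each array member, because local group membership and the Guest account state are per computer, not per array.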

Discretionary access control lists

With a new installation, the discretionary access control lists (DACLs) in the security descriptors of Forefront TMG objects are appropriately configured. In addition, Forefront TMG reconfigures DACLs when you modify administrative roles and when the Microsoft Forefront TMG Control service (isactrl) is restarted.

Warning

Because Forefront TMG periodically reconfigures DACLs, you should not use the Security and Configuration Analysis tool to configure the per-file DACLs for the Forefront TMG objects. Otherwise, there may be a conflict between the DACLs set by Group Policy and the DACLs that Forefront TMG tries to configure.

Do not modify the DACLs set by Forefront TMG. Note that Forefront TMG does not set DACLs for the objects in the following list; set the DACLs for these objects carefully yourself, giving permissions only to trusted, specific users and groups:

  • Folder for reports (when you select to publish the reports).
  • Configuration files created when exporting or backing up the configuration.
  • Log files that are backed up to a different location.

Be sure to carefully set DACLs, giving permissions only to trusted users and groups. Also, be sure to create strict DACLs for objects that are indirectly used by Forefront TMG. For example, when creating an Open Database Connectivity (ODBC) connection that will be used by Forefront TMG, be sure to keep the data source name (DSN) secure.

Configure strict DACLs for all applications running on the Forefront TMG server. Be sure to configure strict DACLs for associated data in the file system and in ADAM.

If you customize the SecurID HTML or error message templates, be sure to configure appropriate DACLs. The recommended DACL is Inherit permission from parent.

We recommend that you do not save critical data (such as executables and log files) to FAT32 partitions. This is because DACLs cannot be configured for FAT32 partitions.
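As a worked example of the DACL guidance above for the objects Forefront TMG does not manage (the published reports folder, exported or backed-up configuration files, and log files backed up elsewhere), the PowerShell script below disables inheritance on a folder, discards inherited and pre-existing entries, grants access only to SYSTEM, the local Administrators group and one named group, and refuses to run on a non-NTFS volume because FAT32 cannot hold a DACL. This is an added example, not code from the page or from Microsoft; the function names, the CONTOSO group names and the D:\ and E:\ paths are constructed.

```powershell
# Returns $true when the volume holding $Path is NTFS. DACLs cannot be
# configured on FAT32, so callers should stop if this returns $false.
function Test-NtfsPath {
    param([Parameter(Mandatory = $true)][string]$Path)
    $drive = ([System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)).TrimEnd('\')
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return ($disk.FileSystem -eq 'NTFS')
}

# Replaces the DACL of a folder with exactly three allow entries:
# SYSTEM and BUILTIN\Administrators (Full Control) and one trusted group
# with either Modify or ReadAndExecute, all inherited by child files and folders.
function Set-StrictFolderDacl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$TrustedGroup,
        [ValidateSet('Modify', 'ReadAndExecute')][string]$TrustedRights = 'Modify'
    )
    if (-not (Test-NtfsPath -Path $Path)) {
        throw "$Path is not on an NTFS volume; a DACL cannot be applied."
    }

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the entries that were inherited.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries that were already present, so the result is exactly what is granted below.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    $grants = @(
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Identity = $TrustedGroup;            Rights = $TrustedRights }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Identity, $g.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Constructed example paths and groups; adjust them to the folders used on your server.
Set-StrictFolderDacl -Path 'D:\TMG\Reports'       -TrustedGroup 'CONTOSO\TMG-Report-Readers' -TrustedRights 'ReadAndExecute'
Set-StrictFolderDacl -Path 'D:\TMG\ConfigExports' -TrustedGroup 'CONTOSO\TMG-Admins'
Set-StrictFolderDacl -Path 'E:\TMG\LogBackups'    -TrustedGroup 'CONTOSO\TMG-Auditors'       -TrustedRights 'ReadAndExecute'

# Review the resulting entries; IsInherited should be False for all of them.
(Get-Acl -Path 'D:\TMG\Reports').Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Apply this only to folders the page lists as not managed by Forefront TMG; folders whose DACLs Forefront TMG sets itself are reconfigured by the product and must be left alone, as the warning above states.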

Revoking user permissions

When you revoke administrative permissions for a Forefront TMG administrator, we recommend that you delete the user account from the Active Directory directory service, to ensure that the user no longer has access.

Removing administrator permissions

To remove administrator permissions, remove the user from the specific administrator group.

To move Forefront TMG administrators who are currently logged on from one security group into a new group, perform the following steps:

  1. Add the administrator account into the new group.
  2. Log off and then log on with the administrator account, so that the new settings take effect.
  3. Remove the administrator account from the original group.
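The three steps above, carried out in the required order with PowerShell, as an added example that is not part of the page or of Forefront TMG. It uses the WinNT ADSI provider against local groups on the TMG server; the function names, the account CONTOSO\jsmith and the two group names are constructed. Step 2 cannot be scripted because the new membership is applied to the administrator's logon token only at the next logon, so the script pauses there.

```powershell
# Adds or removes an account in a local group via the WinNT ADSI provider.
function Set-GroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$AccountPath,   # e.g. 'WinNT://CONTOSO/jsmith,user'
        [Parameter(Mandatory = $true)][ValidateSet('Add', 'Remove')][string]$Action
    )
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke($Action, $AccountPath)
}

# Returns the member names of a local group so the result can be verified.
function Get-GroupMemberNames {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

$account  = 'WinNT://CONTOSO/jsmith,user'   # constructed account
$oldGroup = 'TMG-Array-Admins'               # constructed: group assigned the Array Administrator role
$newGroup = 'TMG-Array-Auditors'             # constructed: group assigned the Array Auditor role

# Step 1: add the administrator account to the new group.
Set-GroupMembership -GroupName $newGroup -AccountPath $account -Action Add

# Step 2: the administrator must log off and log on so the new membership takes effect.
Read-Host 'Have jsmith log off and log on again, then press Enter to continue'

# Step 3: remove the account from the original group and confirm the change.
Set-GroupMembership -GroupName $oldGroup -AccountPath $account -Action Remove

if ((Get-GroupMemberNames -GroupName $oldGroup) -contains 'jsmith') {
    Write-Warning "jsmith is still a member of $oldGroup."
}
```

Removing the account from the original group before the administrator has logged on again would leave that session holding its old token until it ends, which is why the order of the steps matters.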