Forefront Identity Manager 2010 R2 Best Practices for Security

Control access with Microsoft Forefront Identity Manager security groups.

  • During installation, FIM creates five security groups. You can control access to FIM resources by controlling membership in these groups. For more information, see Using Security Groups.

Restrict physical access to computers to trusted personnel.

  • Physical access to a server is a high security risk. Physical access to a server by an intruder could result in unauthorized data access or modification as well as installation of hardware or software designed to circumvent security. To maintain a secure environment, you must restrict physical access to all servers and network hardware.

Implement user rights and permissions to restrict software access to trusted accounts.

  • Assign permissions to groups rather than to individual users. Because maintaining permissions on individual accounts does not scale, assigning permissions on a per-user basis should be the exception. Use Deny permissions only for special cases: to exclude a subset of a group that has been granted Allow permissions, or to remove one specific permission from a user or group to which you have already granted Full Control. Because an explicit Deny entry overrides an Allow entry, keep Deny entries few and documented.

Enforce strong password policies for all user accounts.

  • Most authentication methods require the user to provide a password to prove their identity. These passwords are normally chosen by the user, who may want a simple password that is easily remembered. In most cases, these passwords are weak and may be easily guessed or determined by an intruder. Weak passwords can circumvent this security element and become the weak point of an otherwise strong security environment. Strong passwords tend to be more difficult for an intruder to discern and, as a result, help provide an effective defense of your organization's resources. A strong password:

    • Is at least seven characters long.

    • Does not contain your user name, real name, or company name.

    • Does not contain a complete dictionary word.

    • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.

    • Contains characters from each of the following four groups:


    Group                                                 Examples
    ----------------------------------------------------  ------------------------------------------------------------
    Uppercase letters                                     A, B, C ...
    Lowercase letters                                     a, b, c ...
    Numerals                                              0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Symbols found on the keyboard (all keyboard           ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
    characters not defined as letters or numerals)

An example of a strong password is J*p2leO4>F. Because this example is published, do not use it as an actual password.

Implement SQL Server security best practices.

Ensure that the network context in which the server running Microsoft Forefront Identity Manager runs is behind a firewall.

  • If resources such as domain controllers are not on the same side of the firewall as the FIM server, connect to them from the FIM server through a tunnel rather than exposing the individual services through the firewall. For more information about security and the Windows Server® 2008 operating system, see Windows Server® 2008 operating system Help.

Lock down the Microsoft Forefront Identity Manager service account.

  • The FIM service runs in the security context of a specific account. Because that account has access to all FIM resources, it should be used for nothing but running the service. Assign the service account to the following user rights in Local Security Policy (or in a GPO applied to the server) so that it cannot be used for an interactive, batch, remote or network logon:

    • Deny log on as a batch job.

    • Deny log on locally.

    • Deny log on through Terminal Services.

    • Deny access to this computer from the network.

    These Deny rights do not affect the Log on as a service right that the service itself needs. Note that Deny log on as a batch job also blocks scheduled tasks that run as this account, so schedule run profiles under a separate account.

For more information about setting account restrictions on Windows Server® 2008 operating system accounts, see Windows Server® 2008 operating system Help.
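The following PowerShell script is an added example, not part of the FIM documentation. It exports the effective user-rights assignments with secedit and reports whether the service account holds each of the four Deny rights listed above. Run it elevated on the FIM server; CONTOSO\svc-fimservice is a placeholder for your own service account.

```powershell
# Added example, not part of the FIM documentation: check that the FIM service
# account carries the four "Deny" logon rights recommended above.
# CONTOSO\svc-fimservice is a placeholder; run this elevated on the FIM server.
$ServiceAccount = 'CONTOSO\svc-fimservice'

# Policy constant name (as exported by secedit) -> name shown in Local Security Policy
$RequiredDenies = [ordered]@{
    'SeDenyBatchLogonRight'             = 'Deny log on as a batch job'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
}

# secedit lists right holders as *SID, so resolve the account to its SID first.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local policy to a temp file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg

foreach ($right in $RequiredDenies.Keys) {
    # Example exported line: SeDenyBatchLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # A right that is not listed at all has no holders, so it is reported as MISSING.
    $state = if ($holders -contains $sid -or $holders -contains $ServiceAccount) { 'OK     ' } else { 'MISSING' }
    '{0}  {1}' -f $state, $RequiredDenies[$right]
}
```

secedit exports the settings that are in effect on the computer, whether they were set locally or delivered by Group Policy; if a line reports MISSING, add the account to that right in the policy that governs the server and re-run the script after a policy refresh.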

Periodically change the Microsoft Forefront Identity Manager service account password.

Create a domain service account if your SQL Server 2008 is installed on a computer other than the one that is running Microsoft Forefront Identity Manager.

  • To distribute the FIM architecture by running SQL Server on a different computer from the server running FIM, create a service account in the domain to which both the SQL Server computer and the FIM server belong, and run the FIM service under that account. Windows authentication to a remote SQL Server requires an account that both computers recognize, which means a domain account rather than a local one.

Secure your crash dump files.

  • Crash dump files that you can use to debug and troubleshoot FIM might contain sensitive user data: a dump captures process memory, which can include credentials that were in use at the time. It is strongly recommended that you do not transmit these files through an unsecured medium, such as attaching them in plaintext to e-mail or sending them over unsecured File Transfer Protocol (FTP). Instead, do one of the following:

    • Upload the files to an HTTPS site, so that the transfer is protected by a Secure Sockets Layer (SSL) connection.

    • Use a non-Microsoft SSL-enabled FTP client and server.

    • Use certificates to secure the e-mail (for example, S/MIME).

    • Encrypt the files themselves before sending them, so that they remain protected even if the transport is not.

Control debug rights to the FIMSynchronizationServices process.

  • Because sensitive data is exposed in the memory of the FIMSynchronizationServices process, it is strongly recommended that you limit the number of people who have rights to debug the FIMSynchronizationServices process. Attaching a debugger to a process that runs as another account requires the Debug programs user right, which Windows grants to the local Administrators group by default; keep membership in that group on the synchronization server to a minimum, and remove the right from any other group that holds it.

Restrict access to the Microsoft Forefront Identity Manager Extensions and ExtensionsCache folders.

  • When FIM is installed, full rights to the Extensions and ExtensionsCache folders are granted to the Microsoft Forefront Identity Manager 2010 R2 service account, the FIMSyncAdmins group, and the account that was used to run Setup. To grant rights to anyone else, set permissions on the folder manually, or create a group, grant the group permissions, and add the accounts to it. Bear in mind that rules extensions are .NET assemblies: a malicious user who can read a compiled extension can decompile it, so any sensitive data in the extension source, such as a password, is recoverable from the binary. Simply preventing write access to the directory is therefore not sufficient; read access must be restricted as well, and credentials should not be embedded in rules extension source in the first place. It is strongly recommended that you limit and monitor access to the Extensions and ExtensionsCache folders.

    The ExtensionsCache folder is hidden by default. Because it also contains the extension assemblies, it must have the same restricted access as the Extensions folder.
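The following PowerShell script is an added example, not part of the FIM documentation. It lists every identity with an access entry on the Extensions and ExtensionsCache folders, flags any identity that is not on an expected list, and adds an audit entry so that reads and writes of the assemblies are recorded in the Security log. The install path, the CONTOSO\... principals and the expected list are placeholders for your site; run the script elevated.

```powershell
# Added example, not part of the FIM documentation: audit and monitor access to
# the Extensions and ExtensionsCache folders. Paths and principals are placeholders.
$InstallRoot = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service'
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\svc-fimsync',       # synchronization service account (placeholder)
    'CONTOSO\FIMSyncAdmins',     # FIMSyncAdmins group (placeholder; may be local)
    'CONTOSO\fim-setup'          # account that ran Setup (placeholder)
)

foreach ($folder in 'Extensions', 'ExtensionsCache') {
    $path = Join-Path -Path $InstallRoot -ChildPath $folder
    # -Audit retrieves the SACL as well as the DACL (requires the Manage auditing privilege).
    $acl = Get-Acl -Path $path -Audit

    # Report each access entry; "!!" marks an identity that is not on the expected list.
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        $flag = if ($Expected -contains $identity) { '   ' } else { '!! ' }
        '{0}{1,-16} {2,-35} {3,-5} {4}' -f $flag, $folder, $identity, $ace.AccessControlType, $ace.FileSystemRights
    }

    # Audit successful and failed reads, writes and deletes by anyone, inherited by
    # the files in the folder, so that every access to an assembly leaves a trace.
    $ruleArgs = @('Everyone', 'ReadData,WriteData,AppendData,Delete',
                  'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}
```

The audit entry only produces events if the Audit object access policy (or the File System subcategory under advanced audit policy) is enabled on the server; the resulting events can then be collected and alerted on like any other Security log entry. Remove any flagged identity that has no business reading the assemblies rather than merely taking away its write permission.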

Use SSL if you are setting initial passwords.

  • FIM transmits initial passwords as plaintext over the network unless the connection itself is encrypted, so anyone able to capture the traffic can read them. To set initial passwords, it is strongly recommended that you use Lightweight Directory Access Protocol (LDAP) over SSL to communicate with directory servers running Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) and Netscape Directory Server 6.1 or with servers running Active Directory Lightweight Directory Services (AD LDS).
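The following PowerShell function is an added example, not part of the FIM documentation. Before you configure a management agent to set initial passwords over LDAP over SSL, it confirms that the directory server actually accepts an SSL connection on port 636 by forcing the TLS handshake with an anonymous bind; ldap.contoso.com is a placeholder host name.

```powershell
# Added example, not part of the FIM documentation: verify that a directory server
# accepts LDAP over SSL on port 636. The host name below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 636
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte, not StartTLS
    $connection.SessionOptions.ProtocolVersion = 3
    # An anonymous bind is enough to force the TLS handshake; no credentials are sent.
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try {
        $connection.Bind()
        [pscustomobject]@{ Server = $Server; Port = $Port; Ldaps = $true
                           Detail = 'TLS handshake and anonymous bind succeeded' }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 81 = LDAP_SERVER_DOWN: no listener on the port, or the TLS handshake failed
        # (for example, the server certificate is not trusted). Any other code means
        # TLS came up but the bind was refused, which still proves LDAPS is available.
        $ok = $_.Exception.ErrorCode -ne 81
        [pscustomobject]@{ Server = $Server; Port = $Port; Ldaps = $ok
                           Detail = $_.Exception.Message }
    }
    finally {
        $connection.Dispose()
    }
}

Test-LdapsEndpoint -Server 'ldap.contoso.com' | Format-List
```

The server certificate is validated against the trusted root store of the computer running the check; if that fails, install the issuing CA certificate rather than disabling validation, because the management agent will face the same trust decision. For AD LDS, a server certificate must be installed for the instance before it will listen on 636 at all.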