Microsoft Forefront Identity Manager 2010 R2 Handbook

Microsoft Forefront Identity Manager 2010 R2 Handbook: This is the only reference you need to implement and manage Microsoft Forefront Identity Manager in your business. Takes you from design to configuration in logical steps, and even covers basic Certificate Management and troubleshooting.

By Kent Nordstrom

Product Details


Publication date: Aug 24, 2012
Length: 446 pages
Edition: 1st Edition
Language: English
ISBN-13: 9781849685368
Vendor: Microsoft

Chapter 1. The Story in this Book

Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is a tool that helps you with Identity Management. As you might know or are able to guess, Identity Management is, for the most part, process-oriented rather than technology-oriented. In order to be able to explain some concepts within this area, I have chosen to write this book using a fictitious company as an example.

In this chapter, I will give you a description of this company and will talk about:

  • The challenges

  • The solutions

  • The environment

The Company


The name of my fictitious company is The Company. The Company is neither small nor big. I will not give you any numbers on the size of this company because I do not want you to take my example setup as being optimized for a company of a particular size.

As with many other companies, The Company tries to keep up with modern techniques within their IT infrastructure. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future this technology will be an important factor for them, so they have decided that, for every new system or function that needs to be implemented, they will take cloud computing into account.

The challenges


During a recent inventory of the systems and functions that The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were found.

Provisioning of users

Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned into the different systems they need to do their job.

The Company would like this to take no more than a few hours.

Identity lifecycle procedures

A number of issues were detected in lifecycle management of identities.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.

After a security review, they found out that a consultant working with the HR system still had VPN access and an active administrative account within the HR system. That access should have been disabled about six months earlier, when the upgrade project was completed. They also found that the consultant, whom the company had engaged to help out during the upgrade, no longer even worked for the consulting firm.

What The Company would like is not only a way of defining policies for identity management, but also a tool that enforces those policies and detects anomalies.

Highly Privileged Accounts (HPA)

Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are also other highly privileged accounts and also a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

The Public Key Infrastructure (PKI) within The Company is a one-layer PKI, using an Enterprise Root CA without a Hardware Security Module (HSM). The CSO is concerned that this is not a sufficient basis for starting to use smart cards, because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Company spends a lot of time helping users who have forgotten their password. These include both internal users and partners with access to the shared systems.

Traceability

They found that they had no process or tools in place to trace the historical status of identities and roles. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled and who approved that?

The solutions


Once the challenges had been defined, The Company started looking for possible solutions.

When they were searching the globe for someone who might help them with their issues, they found a highly recommended consultant in Sweden, who had worked with identity management for more than a decade. We will now have a look at the solutions that he proposed for their major issues.

Implement FIM 2010 R2

By implementing Microsoft Forefront Identity Manager 2010 R2, The Company will be able to:

  • Automate lifecycle management of identities all the way from creation to deletion

  • Implement self-service password reset

  • Strengthen the identity of highly privileged accounts, using smart cards

  • Get traceability of the whole lifecycle of an identity

Start using smart cards

By using smart cards to store identities of the highly privileged accounts, the security for this type of account is increased. Even if the PKI does not have a high assurance level, it is more secure to use a smart card than to just use a password.

By implementing the Certificate Management (CM) part of FIM 2010 R2, The Company will get the control they would like when managing these strong identities.

Even if the PKI within The Company does not have high assurance levels, the use of smart cards will enhance the security of the highly privileged accounts. If the initial proof-of-concept of using smart cards works out, a redesign of the current PKI will be discussed.

Implement federation

All the services shared with the major partners were using Microsoft SharePoint. The consultant therefore suggested that The Company should investigate whether federation would work with these partners.

The Microsoft product used when implementing federation is Active Directory Federation Services (AD FS). To get an overview of federation and AD FS, please visit http://aka.ms/ADFSOverview.

By implementing federation, it would be easier for The Company to move shared resources to the cloud, for example, moving the SharePoint sites shared with partners to Microsoft Office 365 cloud services. Read more about Office 365 at http://office365.microsoft.com.

Note

Within this book, I will not explain in detail how the implementation of federation using Active Directory Federation Services (AD FS) is made.

The use of FIM is vital in a federation scenario, as federation using claims-based authentication and authorization requires very good control over the attributes and group/role memberships of users, and over changes to them.

The environment


The following diagram gives you an overview of the relevant parts of infrastructure within The Company:

The servers you see do not in any way represent any scaling scenario, but rather show the different functions I will be using in my examples in this book.

In the following table, you will find a short summary of the systems involved, so that when they are referenced in the book later on, you will have an idea about their usage:

| System | Usage | Products installed/to be installed |
|---|---|---|
| DC | Domain Controller for the Active Directory domain ad.company.com. | AD DS and DNS roles installed. |
| CA | Enterprise Root Certification Authority. The Company uses only a one-layer PKI without any HSM. | AD CS, including the Web Enrollment role, installed. |
| SQL | Central Microsoft SQL Server used by many systems, among them the HR and Phone systems. | SQL Server 2008 R2, including Integration Services, installed. |
| MAIL | E-mail system. | Exchange 2010 installed. |
| RD | Remote Desktop system used by administrators. | Remote Desktop Services role installed. |
| TMG | The Company firewall. | Forefront Threat Management Gateway 2010 installed. |
| UAG | The remote access solution used by The Company. | Forefront Unified Access Gateway 2010 installed. |
| FIM-Dev | The test and development server for FIM. | SQL Server 2008 R2 and Visual Studio 2008 installed. FIM Sync, Service, and Portal will be installed. |
| FIM-Sync | The FIM Synchronization server. | FIM Synchronization Service will be installed. |
| FIM-Service | The FIM Web Service and Portal server. | FIM Service and FIM Portal will be installed. |
| FIM-CM | The FIM Certificate Management server. | FIM CM Service and Portal will be installed. |
| FIM-PW | The FIM Password Registration and Reset server. | FIM Password Registration and Reset will be installed. |
| SCSM-MGMT | SCSM Management Server, used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed. |
| SCSM-DW | SCSM Data Warehouse Server, used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed. |

All systems have Microsoft Windows Server 2008 R2 as the operating system.

The products installed/to be installed show the status of the systems when we start our journey with The Company in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Company is ad.company.com, using AD as the NetBIOS name. The public domain used by The Company is company.com; this is also the primary email domain used.

Moving forward


The CIO, CSO, and CTO of The Company found that the solutions explained to them by the consultant would indeed help The Company mitigate the challenges they were facing. They decided to implement FIM 2010 R2.

In this book, we will follow them as they implement FIM 2010 R2. We will see how the different features and functions of FIM 2010 R2 will, in the end, solve all the issues that the company has detected.

The use of digital identities stored on smart cards is very new to them, so they decide that this should initially be implemented as a proof of concept.

Summary



You now know a little about the company I will be using in this book to give you examples and to explain concepts. So let's go on and see how The Company implements Microsoft Forefront Identity Manager 2010 R2 in its environment.

In the next chapter, I will start off with an overview to give you some conceptual understanding of FIM 2010 R2.


Key benefits

  • A comprehensive handbook that takes you through how to implement and manage FIM 2010 R2
  • Includes how to implement a complete FIM 2010 R2 infrastructure
  • Covers codeless identity management using FIM 2010 R2

Description

Microsoft's Forefront Identity Manager simplifies enterprise identity management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems. The "Microsoft Forefront Identity Manager 2010 R2 Handbook" is an in-depth guide to Identity Management. You will learn how to manage users and groups and implement the self-service parts. This book also covers basic Certificate Management and troubleshooting. Throughout the book we will follow a fictional case study. You will see how to implement Identity Management and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure, including both test and production environments. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail. With the "Microsoft Forefront Identity Manager 2010 R2 Handbook" you will be able to implement and manage FIM 2010 R2 almost effortlessly.

What you will learn

  • Prerequisites for installing FIM 2010 R2
  • How to install and scale the solution
  • Implementation of User Management including Self-Service
  • Implementation of Group Management including Self-Service
  • Configuration of the Self-Service Password Reset feature
  • Getting Reports from FIM
  • Issuing Smart Cards using FIM Certificate Management
  • Troubleshooting FIM 2010 R2


Table of Contents

21 Chapters

  • Microsoft Forefront Identity Manager 2010 R2 Handbook
  • Credits
  • About the Author
  • About the Reviewers
  • www.PacktPub.com
  • Preface
  • The Story in this Book
  • Overview of FIM 2010 R2
  • Installation
  • Basic Configuration
  • User Management
  • Group Management
  • Self-service Password Reset
  • Using FIM to Manage Office 365 and Other Cloud Identities
  • Reporting
  • FIM Portal Customization
  • Customizing Data Transformations
  • Issuing Smart Cards
  • Troubleshooting
  • Afterword
  • Index
