You're reading from Microsoft Forefront Identity Manager 2010 R2 Handbook

Product type: Book
Published in: Aug 2012
Publisher: Packt
ISBN-13: 9781849685368
Edition: 1st Edition

Author: Kent Nordstrom

Kent Nordström wrote his first lines of code in the late 70s so he's been working with IT for quite some time now. When Microsoft released its Windows 2000 operating system he started a close relationship with them that has continued since. For many years Kent has been working part time as a sub-contractor to Microsoft Consulting Services and has been doing many of the implementations of FIM and its predecessors for multinational companies and large organizations in Sweden. Apart from FIM, Kent is also well known within the community for his knowledge around Forefront TMG, Forefront UAG and PKI. Find out more by visiting his blog on http://konab.com.

Chapter 1. The Story in this Book

Microsoft Forefront Identity Manager 2010 R2 (FIM 2010 R2) is a tool that helps you with Identity Management. As you might know or are able to guess, Identity Management is, for the most part, process-oriented rather than technology-oriented. In order to be able to explain some concepts within this area, I have chosen to write this book using a fictive company as an example.

In this chapter, I will give you a description of this company and will talk about:

  • The challenges

  • The solutions

  • The environment

The Company


The name of my fictive company is The Company. The Company is neither small nor big. I will not give you any numbers on the size of this company because I do not want you to take my example setup as being optimized for a company of a particular size.

As with many other companies, The Company tries to keep up with modern techniques within their IT infrastructure. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future this technology will be an important factor for them, so they have decided that, for every new system or function that needs to be implemented, they will take cloud computing into account.

The challenges


During a recent inventory of the systems and functions that The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were detected.

Provisioning of users

Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.

The Company would like for this to not take more than a few hours.

Identity lifecycle procedures

A number of issues were detected in lifecycle management of identities.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.

After a security review, they found out that a consultant working with the HR system still had VPN access and an active administrative account within the HR system. The access should have been disabled about six months ago, when the upgrade project was completed. They also found that the consultant the company had engaged to help out during the upgrade no longer even worked for the firm.

What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces them and detects anomalies.

Highly Privileged Accounts (HPA)

Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are also other highly privileged accounts, as well as a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

The Public Key Infrastructure (PKI) within The Company is a one-layer PKI, using an Enterprise Root CA without a Hardware Security Module (HSM). The CSO is concerned that this PKI is not a sufficient basis for starting to use smart cards, because he feels its assurance level is not high enough.

Password management

The helpdesk at The Company spends a lot of time helping users who have forgotten their password. These are both internal users and partners with access to the shared systems.

Traceability

They found that they had no process or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled and who approved that?

The solutions


Once the challenges had been defined, The Company started looking for possible solutions.

When they were searching the globe for someone who might help them with their issues, they found a highly recommended consultant in Sweden, who had worked with identity management for more than a decade. We will now have a look at the solutions that he proposed for their major issues.

Implement FIM 2010 R2

By implementing Microsoft Forefront Identity Manager 2010 R2, The Company will be able to:

  • Automate lifecycle management of identities all the way from creation to deletion

  • Implement self-service password reset

  • Strengthen the identity of highly privileged accounts, using smart cards

  • Get traceability of the whole lifecycle of an identity

Start using smart cards

By using smart cards to store identities of the highly privileged accounts, the security for this type of account is increased. Even if the PKI does not have a high assurance level, it is more secure to use a smart card than to just use a password.

By implementing the Certificate Management (CM) part of FIM 2010 R2, The Company will get the control they would like when managing these strong identities.

Even if the PKI within The Company does not have high assurance levels, the use of smart cards will enhance the security of the highly privileged accounts. If the initial proof-of-concept of using smart cards works out, a redesign of the current PKI will be discussed.

Implement federation

All the services shared with the major partners were using Microsoft SharePoint. The consultant therefore suggested that The Company should investigate whether federation would work with these partners.

The Microsoft product used when implementing federation is Active Directory Federation Services (AD FS). To get an overview of federation and AD FS, please visit http://aka.ms/ADFSOverview.

By implementing federation, it would be easier for The Company to move shared resources to the cloud. For example, the SharePoint sites shared with partners could be moved to Microsoft Office 365 cloud services. Read more about Office 365 at http://office365.microsoft.com.

Note

Within this book, I will not explain in detail how the implementation of federation using Active Directory Federation Services (AD FS) is made.

The use of FIM is vital in a federation scenario, as federation using claims-based authentication and authorization requires very good control over the attributes and group/role membership changes of users.

The environment


The following diagram gives you an overview of the relevant parts of infrastructure within The Company:

The servers you see do not in any way represent any scaling scenario, but rather show the different functions I will be using in my examples in this book.

In the following table, you will find a short summary of the systems involved, so that when they are referenced in the book later on, you will have an idea about their usage:

| System | Usage | Products installed/to be installed |
|---|---|---|
| DC | Domain Controller for the Active Directory domain ad.company.com. | AD DS and DNS role installed. |
| CA | Enterprise Root Certification Authority. The Company uses only a one-layer PKI without any HSM. | AD CS, including Web Enrollment role, installed. |
| SQL | Central Microsoft SQL Server used by many systems. Among these systems are the HR and Phone systems. | SQL Server 2008 R2, including Integration Services, installed. |
| MAIL | E-mail system. | Exchange 2010 installed. |
| RD | Remote Desktop system used by administrators. | Remote Desktop Services role installed. |
| TMG | The Company firewall. | Forefront Threat Management Gateway 2010 installed. |
| UAG | The remote access solution used by The Company. | Forefront Unified Access Gateway 2010 installed. |
| FIM-Dev | The test and development server for FIM. | SQL Server 2008 R2 and Visual Studio 2008. FIM Sync, Service and Portal will be installed. |
| FIM-Sync | The FIM Synchronization server. | FIM Synchronization Service will be installed. |
| FIM-Service | The FIM Web Service and Portal server. | FIM Service and FIM Portal will be installed. |
| FIM-CM | The FIM Certificate Management server. | FIM CM Service and Portal will be installed. |
| FIM-PW | The FIM Password Registration and Reset server. | FIM Password Registration and Reset will be installed. |
| SCSM-MGMT | SCSM Management Server. Used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed. |
| SCSM-DW | SCSM Data Warehouse Server. Used by FIM Reporting. | SQL Server 2008 R2 and System Center Service Manager will be installed. |

All systems have Microsoft Windows Server 2008 R2 as the operating system.

The products installed/to be installed show the status of the systems when we start our journey with The Company in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Company is ad.company.com, using AD as the NetBIOS name. The public domain used by The Company is company.com; this is also the primary email domain used.

Moving forward


The CIO, CSO, and CTO of The Company found that the solutions explained to them by the consultant would indeed help The Company mitigate the challenges they were facing. They decided to implement FIM 2010 R2.

In this book, we will follow them as they implement FIM 2010 R2. We will see how the different features and functions of FIM 2010 R2 will, in the end, solve all the issues that the company has detected.

The use of smart card-based digital identities is very new to them, so they decide that this should initially be implemented as a proof of concept.

Summary



You now know a little about the company I will be using in this book to give you examples and to explain concepts. So let's go on and see how The Company implements Microsoft Forefront Identity Manager 2010 R2 in its environment.

In the next chapter, I will start off with an overview to give you some conceptual understanding of FIM 2010 R2.
