While supporting FIM customers in assessing their FIM environment and helping them maintain their FIM configuration, two discussion topics are all-time favorites: FIM security and FIM best practices.
For ease of use I’ve been collecting this information in a few articles; the short links are below:
As you might see, there is still a lot of room for improvement, so I invite you to update the article where you think information is missing.
When discussing a basic FIM setup (using FIM Sync and FIM Service + Portal) a common diagram being drawn is the one below.
It does not cover the other FIM add-ons (like FIMCM, BHOLD or reporting), but it is still a useful and very visual guide for planning your security.
Its main purpose is to explain that the initial security setup for FIM:
DOES require a collection of security accounts and groups to segregate duties (so installing FIM with one single account, used for all FIM functions and services, is a very bad idea);
ONLY needs 1 core administrator account with administrator access to the FIM server’s local security;
DOES NOT require service or technical accounts with local or domain admin rights (except 1, the FIM Installer account).
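A quick check a FIM administrator can run on the server itself to see whether this model actually holds. This is an added example, not code from the original article: it assumes the default Windows service names FIMSynchronizationService and FIMService and reports any of their log-on accounts that are members of the local Administrators group or that run as a built-in high-privilege identity.

```powershell
# Added example (not from the original article): flag FIM service accounts that
# do not fit the least-privilege model described above.
# Assumed default service names of the FIM Synchronization Service and FIM Service.
$fimServices = 'FIMSynchronizationService', 'FIMService'

# Built-in identities that effectively carry local admin rights.
$builtinHighPriv = 'LocalSystem', 'NT AUTHORITY\SYSTEM'

# Resolve the "Log On As" account (StartName) of each FIM Windows service.
$serviceAccounts = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $fimServices -contains $_.Name } |
    Select-Object Name, StartName

# Enumerate local Administrators via ADSI, which also works on older servers
# without the Microsoft.PowerShell.LocalAccounts module.
$adminGroup   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$adminMembers = @($adminGroup.Invoke('Members')) | ForEach-Object {
    # Turn the member's ADsPath (WinNT://CONTOSO/svc-fimsync) into CONTOSO\svc-fimsync.
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
}

foreach ($svc in $serviceAccounts) {
    # StartName is DOMAIN\user, or .\user for local accounts; normalise the latter.
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"

    if ($builtinHighPriv -contains $account) {
        Write-Warning "$($svc.Name) runs as built-in account $account; use a dedicated service account instead."
    }
    elseif ($adminMembers -contains $account) {
        Write-Warning "$($svc.Name) runs as $account, which is a member of local Administrators; review against the least-privilege model."
    }
    else {
        Write-Output "$($svc.Name) runs as $account (not a local Administrator)."
    }
}

# Services that were not found at all are worth knowing about too.
$found = $serviceAccounts | ForEach-Object { $_.Name }
$fimServices | Where-Object { $found -notcontains $_ } |
    ForEach-Object { Write-Output "Service $_ is not installed on this server." }
```

Run it in an elevated Windows PowerShell session on each FIM server; membership in domain admin groups is not covered here and still needs to be reviewed in Active Directory.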
In the current world of Information Technology, protective measures do not stop at the network edge. Recent news reports based on security breach post-mortems indicate the need to protect assets using measures that reduce administrative access. While the principle of least privilege has always been known to IT Security professionals, there is a need in the industry for a standardized method of constructing an operator experience that reduces access with a more sophisticated level of granularity than what is available in many traditional access control models.
Just Enough Administration (JEA) is a solution designed to help protect Server systems. This is accomplished by allowing specific users to perform administrative tasks on servers without giving them administrator rights, and then auditing all actions that these users performed. JEA is based on Windows PowerShell constrained runspaces, a technology that is already being used to secure administrative tasks in environments such as Microsoft Exchange Online.