Month: January 2015

Planning #FIM2010 Security & Best Practices

While supporting supporting FIM customers to assess their FIM environment and helping them to maintain their FIM configuration, 2 discussion topics are alltime favorites: FIM Security and FIM best practices.

For ease of use I’ve been collecting this information in some articles.
Below you’ll find the short links for ease of use:

As you might see, there is still a lot of room for improvement, so I invite you to update the article where you think information is missing.

When discussing a basic FIM setup (using FIM Sync and FIM Service + Portal) a common diagram being drawn is the one below.
It does not discuss the other FIM add-ons (like FIMCM, BHOLD or reporting) but still it’s a useful and very visual guidance for planning you security.

Main purpose is to explain that the initial security setup for your FIM

  • DOES require a collection of security accounts and groups to segregate duties (so installing FIM with one single account, used for all FIM functions and accounts is a very bad idea.)
  • ONLY needs 1 core administrator account with administrator access to the FIM server’s local security
  • DOES NOT require services or technical accounts with local or domain admin rights (except 1, the FIM Installer account)

FIM Security

Note-to-self: Just Enough Administration Whitepaper

Source: https://gallery.technet.microsoft.com/Just-Enough-Administration-6b5ad370

Short URL: http://aka.ms/JEA

From the introduction: ”

In the current world of Information Technology, protective measures do not stop at the network edge. Recent news reports based on security breach post-mortems indicate the need to protect assets using measures that reduce administrative access. While the principle of least privilege has always been known to IT Security professionals, there is a need in the industry for a standardized method of constructing an operator experience that reduces access with a more sophisticated level of granularity than what is available in many traditional access control models.

Just Enough Administration (JEA) is a solution designed to help protect Server systems. This is accomplished by allowing specific users to perform administrative tasks on servers without giving them administrator rights, and then auditing all actions that these users performed. JEA is based on Windows PowerShell constrained runspaces, a technology that is already being used to secure administrative tasks in environments such as Microsoft Exchange Online.”

For the latest information, please see http://blogs.msdn.com/powershell/ and http://aka.ms/buildingclouds

Don’t need to tell you that you should definitely save these in your favorites. (Well, just did it… so no excuses..)

Note-to-self: Handy Windows 8 quick navigation guide

Just bumped (again) into a handy download, definitely worth to keep at hand: the Windows 8 End User Training Brochure.

For download at http://www.microsoft.com/en-us/download/details.aspx?id=39055&WT.mc_id=rss_allproducts_windows.

It contains a bunch of practical hints & tips to navigate through your Windows 8, including a list of key short cuts to make your life easier.

Enjoy!