
Note-to-self: #FIM2010 Virtualisation support

Nowadays it’s not a hot topic anymore, but rather common practice, to run your FIM / MIM environment in a virtualized setup.
Still, once in a while we do get questions about virtualization support for FIM/MIM.

Bookmark the sources below, as it might be useful to retrieve the answer quickly.

First, a more general source to check is the Windows Server Catalog (http://www.windowsservercatalog.com/).
On that catalog page you find the link to the Server Virtualization Validation Program site (http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm).

“Please visit the Server Virtualization Validation Program site for more information on validated solutions and available support.”

That page mentions:

“Information on Microsoft’s support policy for Hyper-V and Azure can be found at:

and

“The information provided by the Microsoft Application Support Policy is for guidance purposes only. Please visit the Products listing to review the latest information available.”

Microsoft Server Software and Supported Virtualization Environments points to this KB article: https://support.microsoft.com/nl-be/kb/957006

It explicitly refers to Forefront Identity Manager as:

“Microsoft Forefront Identity Manager 2010
Microsoft Forefront Identity Manager 2010 and later versions are supported.”

Just as a side note, the Products Listing page (on http://www.windowsservercatalog.com/results.aspx?&bCatID=1521&cpID=0&avc=0&ava=0&avq=0&OR=1&PGS=25) has the latest updates on Windows Server 2012 and later…

In the left side menu bar you’ll find OS Compatibility and Processor architecture:

OS compatibility

  • Supports Windows Server 2012 R2
  • Supports Windows Server 2012
  • Supports Windows Server 2008 R2
  • Supports Windows Server 2008

Processor architecture

  • Windows Server 2012 R2 (x64)
  • Windows Server 2012 (x64)
  • Windows Server 2008 R2 (x64)
  • Windows Server 2008 (x64)
  • Windows Server 2008 (x86)

Another side note: for the support lifecycle, the KB article refers to http://support.microsoft.com/?pr=lifecycle.
But for FIM 2010 / MIM 2016 there is an easier shortcut you should use:

FIM 2010: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Forefront%20Identity%20Manager&Filter=FilterNO

MIM 2016 (also includes FIM 2010 info): https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Microsoft%20Identity%20Manager&Filter=FilterNO

For future reference, this info has also been published on TNWiki; you can use the short URLs http://aka.ms/FIM2010Virtualisation and http://aka.ms/MIM2016Virtualisation.


#FIM2010 & MIM 2016 licensing model is changing as of 1st of April 2015

Source: http://www.microsoft.com/licensing/products/products.aspx

Download the “Microsoft Product Use Rights (WW, English, April 2015)” document at http://www.microsoftvolumelicensing.com/userights/Downloader.aspx?DocumentId=8488. In short, prior to 1st of April 2015, you required:

  • a FIM server license for every FIM server installed and a CAL for every user managed in the FIM Service, or
  • Forefront Identity Manager 2010 R2 External Connector

Functionality                                                    Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …)    FIM Server SKU
CAL                                                              Standalone FIM CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users                                                   FIM External Connector license (per server)

After 1st of April 2015:

  • Windows Server license (Standard & Datacenter) will include FIM server entitlement
  • FIM Server 2010 R2 licenses will not be available anymore on the price lists

Functionality                                                    Covered by
FIM Server Components (FIM Sync, FIM Services, FIM portal, …)    Windows Server license (Standard & Datacenter), which will include the FIM server entitlement
CAL                                                              Standalone (FIM) CAL, or Azure Active Directory Premium (AADP), or Enterprise Mobility Suite (EMS) User, or Enterprise Cloud Suite (ECS) User SL
External Users                                                   Windows Connector license

Certificate and Identity Management

  • A CAL is also required for any person for whom the software issues or manages identity information.

Synchronization Service

  • A CAL is not required for users only using the Forefront Identity Manager synchronization service.

From the PUR:

  • External Connector License means a license attached to a Server that permits access to the server software by External Users.
  • External Users means users that are not either your or your Affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
  • CAL means client access license. There are two kinds of CALs: user and device. A user CAL allows access to the server software from any device by one user. A device CAL allows access to the server software from one device by any user.

FIM / MIM uses a user CAL. The FIM server will no longer be sold as a separate license; instead, Windows Server licenses will allow customers to install the FIM Server software. Since FIM users already required a Windows Server CAL or equivalent to access FIM running on Windows Server, no additional Windows Server CALs (or Windows Server External Connector) will be required.

Still, it’s important to understand that you still need FIM/MIM CALs to manage identities with FIM/MIM (unless you only use FIM/MIM Sync). Azure Active Directory Premium (AADP) and any suite that contains AADP, including Enterprise Mobility Suite (EMS) and Enterprise Cloud Suite (ECS), or an additive FIM CAL, will also entitle users to access FIM.

MIM will have the same licensing model. All current FIM customers with active SA on the underlying Windows Server (since the right to install FIM server is now granted with a Windows Server license) will have rights to upgrade to MIM when it launches.

And for my Dutch-speaking followers… it’s all the same thing:

PS: The FIM licensing page on TechNet Wiki will be updated ASAP (http://aka.ms/LicenseToFIM)

[ADD-ON, Jan 2016]
https://identityunderground.wordpress.com/2016/01/06/fimmim-licensing-clarification-on-the-requirement-to-use-cals/

Bookmark:

New Hotfix rollup (build 4.1.3627.0) is available for #FIM2010 R2 Service Pack 1

Source: http://support2.microsoft.com/kb/3022704

A hotfix rollup package (build 4.1.3627.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1).

The build number for BHOLD components that are included in this release is 5.0.2959.0. This hotfix rollup resolves some issues and adds some features that are described in the “More Information” section of the article.

Note-to-Self: Microsoft Security Newsletter September 2014

Source: http://aka.ms/MSSecuritynewsletter

In this month’s newsletter you’ll find guidance on:

  • Windows Phone 8.1 Security Overview
  • Windows Phone Security Forum for IT Pros
  • Create Stronger Passwords and Protect Them
    • Including a free online tool offered by Microsoft Research, called Telepathwords, for those who would rather have a randomly generated strong password created for them.
  • Two-Factor Authentication for Office 365
  • Multi-Factor Authentication for Office 365
  • Configuring Two-Factor Authentication in Lync Server 2013
  • Adding Multi-Factor Authentication to Azure Active Directory
  • Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
  • Building Multi-Factor Authentication into Custom Apps

And:

  • Get Started with Virtual Smart Cards

Plus much more… check it out at http://aka.ms/MSSecuritynewsletter

Azure Active Directory Sync is now GA! #FIM2010 #DirSync #AADSync

Source: http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx

The new Azure Active Directory Synchronization Services (AAD Sync) has reached general availability.

Here are more details about this – and here is the related documentation.

If you just want to get started, click here to download AAD Sync.

As discussed on the release blog post:

“AAD Sync capabilities in this release include the following:

  • Active Directory and Exchange multi-forest environments can be extended now to the cloud.
  • Control over which attributes are synchronized based on desired cloud services.
  • Selection of accounts to be synchronized through domains, OUs, etc.
  • Ability to set up the connection to AD with minimal Windows Server AD privileges.
  • Set up synchronization rules by mapping attributes and controlling how the values flow to the cloud.
  • Preview AAD Premium password change and reset to AD on-premises.”

SCM Baselines for Windows 8.1, IE 11 and Windows Server 2012 R2 are now live!

Source: TechNet Blogs » Microsoft Security Guidance » SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!

Today the SCM team has finally released the SCM baselines for Windows 8.1, IE 11 and Windows Server 2012 R2.

To get the updates you can open the SCM tool and select “Download Microsoft baselines automatically” in the tool:

[Screenshot: SCM release]

Please carefully read the Release Notes for these baselines in the Attachments/Guides section as there are a couple of known issues that may affect capabilities that worked in the past, but are no longer working with SCM and other related tools.

Alternatively, you can download all the CAB files directly from the following links:

8.1 Baseline and 8.1 Attachments

IE 11 Baseline and IE 11 Attachments

Windows Server 2012 Baseline and Windows Server 2012 Attachments

Lastly, a HUGE thank you goes to the SCM team, Aaron Margosis and Rick Munck, who have put in huge efforts to release these baselines.

They have also produced the SCM materials, along with a more extensive set of GPO’s and security guide here for customers to use: http://blogs.msdn.com/b/aaron_margosis/archive/2014/08/15/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx.

See also:

  • SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
  • What’s New in Recommended Security Baseline Settings for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11
  • Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta
  • Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11 – FINAL

Hotfix rollup package (build 4.1.3599.0) is available for #FIM2010 R2 SP1

A hotfix rollup package (build 4.1.3599.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1). This hotfix rollup resolves some issues and adds some features that are described in the “More Information” section.

Details at: http://support.microsoft.com/kb/2980295/nl

For a complete list of the hotfixes for FIM 2010 (incl. R2…), go to http://aka.ms/FIMBuilds


#AADSync Beta2 available on Connect #FIM2010

Source: MS Connect announcement by the AADSync product group


Microsoft announced the availability of AADSync Beta2 on Connect.

You can download it here: AAD Sync Beta2 (https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=53831)


With Beta 2 there are some frequently requested new features:

  • Select only required services/attributes to synchronize to AAD
  • Exchange hybrid deployments
  • Password write-back for multiple forests (AAD Premium preview feature)


Good news: the AADSync product group is looking for customers who are interested in using Beta2 in production. If you are interested, then do the following:

  • Download the updated build from Connect and read the documentation on http://go.microsoft.com/fwlink/?LinkID=393942 for the latest information.
  • Install and verify the scenarios you plan for production use. You do not need permission from Microsoft to start evaluating AADSync.
  • If you find any issues or need help, submit feedback through Connect. This is also the fastest way to get access to our beta support team.
  • When you have completed the verification and all issues have been resolved, send an email to “Azure AD Sync Service Feedback” (AADSyncFB@microsoft.com) with information on which scenarios you plan to use and have verified as working. Also provide contact information. The team will respond with information on how to get call-in support during the preview phase.

Thank you for helping us make AADSync a better product,


Find more information on AADSync on TechNet Wiki: http://aka.ms/AADSYnc.

Note-to-self: Update – New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks

Source: http://microsoft.com/pth

New blog post at : http://blogs.technet.com/b/security/archive/2014/07/08/new-strategies-and-features-to-help-organizations-better-protect-against-pass-the-hash-attacks.aspx

Posted by Matt Thomlinson, Vice President, Microsoft Security

Microsoft released new guidance to help our customers address credential theft, called Mitigating Pass-the-Hash and Other Credential Theft, version 2.

“The paper encourages IT professionals to “assume breach” to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks. This paper builds on our previously released guidance and mitigations for Pass-the-Hash (PtH) attacks.

Given that organizations must continue to operate after a breach, it is critical for them to have a plan to minimize the impact of successful attacks on their ongoing operations. Adopting an approach that assumes a breach will occur ensures that organizations have a holistic plan in place before an attack occurs. A planned approach enables defenders to close the seams that attackers are aiming to exploit.

The guidance also underscores another important point – that technical features alone may not prevent lateral movement and privilege escalation. In order to substantially reduce credential theft attacks, organizations should consider the attacker mindset and use strategies such as identifying key assets, implementing detection mechanisms, and having a breach recovery plan. These strategies can be implemented in combination with Windows features to provide a more effective defensive approach, and are aligned to the well-known National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Note-to-self: GPO Search tool

Need some quick info on a specific GPO? Check out this online GPO search tool: http://gpsearch.azurewebsites.net.


It also has a Windows Phone application, which you can find here: http://aka.ms/GPSWP7.


Of course it’s an excellent companion when you’re securing your AD (see the Security Mitigation Guidance for Active Directory) with Security Compliance Manager (both FREE to download!).


Enjoy!