Book Image

Microsoft Forefront Identity Manager 2010 R2 Handbook

By : Kent Nordstrom
Book Image

Microsoft Forefront Identity Manager 2010 R2 Handbook

By: Kent Nordstrom

Overview of this book

Microsoft's Forefront Identity Manager simplifies enterprise identity management for end users by automating admin tasks and integrating the infrastructure of an enterprise with strong authentication systems. The "Microsoft Forefront Identity Manager 2010 R2 Handbook" is an in-depth guide to Identity Management. You will learn how to manage users and groups and implement self-service parts. This book also covers basic Certificate Management and troubleshooting. Throughout the book we will follow a fictional case study. You will see how to implement IM and also set up Smart Card logon for strong administrative accounts within Active Directory. You will learn to implement all the features of FIM 2010 R2. You will see how to install a complete FIM 2010 R2 infrastructure including both test and production environment. You will be introduced to Self-Service management of both users and groups. FIM Reports to audit the identity management lifecycle are also discussed in detail. With the "Microsoft Forefront Identity Manager 2010 R2 Handbook" you will be able implement and manage FIM 2010 R2 almost effortlessly.

Related Content you might be interested in

Current Title:

Small book image
Microsoft Forefront Identity Manager 2010 R2 Handbook
Kent Nordstrom
Aug, 2012 | 446 pages
No titles found
Table of Contents (21 chapters)
Microsoft Forefront Identity Manager 2010 R2 Handbook
Microsoft Forefront Identity Manager 2010 R2 Handbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Story in this Book
The Story in this Book
The Company
The challenges
The solutions
The environment
Moving forward
Summary

2
Overview of FIM 2010 R2
Overview of FIM 2010 R2
The history of FIM 2010 R2
FIM Synchronization Service (FIM Sync)
FIM Service
FIM Portal
FIM Reporting
FIM Certificate Management (FIM CM)
Licensing
Summary
3
Installation
Installation
Development versus production
Capacity planning
Separating roles
Hardware
Installation order
Prerequisites
Installation
Post-installation configuration
Summary
4
Basic Configuration
Basic Configuration
Creating Management Agents
Schema management
FIM Service MA
Initial load versus scheduled runs
Moving configuration from development to production
Summary
5
User Management
User Management
Modifying MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Provisioning
Managing users in a phone system
Managing users in Active Directory
Temporal Sets
Self-service using the FIM portal
Managing Exchange
Summary
6
Group Management
Group Management
Group scope and types
Installing client add-ins
Modifying MPRs for group management
Creating and managing distribution groups
Importing groups from HR
FIM Service and Metaverse
Managing groups in AD
Summary
7
Self-service Password Reset
Self-service Password Reset
Anonymous request
Enabling password management in AD
Allowing FIM Service to set passwords
Configuring FIM Service
The user experience
Summary
8
Using FIM to Manage Office 365 and Other Cloud Identities
Using FIM to Manage Office 365 and Other Cloud Identities
Overview of Office 365
Summary
9
Reporting
Reporting
Verifying the SCSM setup
Default reports
The SCSM ETL process
Looking at reports
Modifying the reports
Summary
10
FIM Portal Customization
FIM Portal Customization
Components of the UI
Portal Configuration
Navigation Bar Resource
Search scopes
Filter Permissions
RCDC
Summary
11
Customizing Data Transformations
Customizing Data Transformations
Our options
Managing Lync
Selective deprovisioning
The case with the strange roles
Summary
12
Issuing Smart Cards
Issuing Smart Cards
Our scenario
Extending the schema
The configuration wizard
Configuring the FIM CM Update Service
Database permissions
Configuring the CA
Installing the FIM CM client
FIM CM permissions
Allowing managers to issue certificates for consultants
RDP using Smart Cards
CM Management Agent
Summary
13
Troubleshooting
Troubleshooting
Reminder
Troubleshooting
Backup and restore
Summary
Afterword
Afterword
Index
Index

The challenges

During a recent inventory of the systems and functions that the The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were detected.

Provisioning of users

Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.

The Company would like for this to not take more than a few hours.

Identity lifecycle procedures

A number of issues were detected in lifecycle management of identities.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.

After a security review, they found out that a consultant working with the HR system still had access using VPN and an active administrative account within the HR system. The access should have been disabled about six months ago, when the upgrade project was completed. They also found that the consultant who the company engaged to help out during the upgrade, didn't even work for the firm any more.

What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces it and detects anomalies.

Highly Privileged Accounts (HPA)

Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are also other highly privileged accounts and also a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

The Public Key Infrastructure (PKI) within The Company is a one layer PKI, using an Enterprise Root CA without Hardware Security Module (HSM). The CSO is concerned that it is not sufficient to start using smart cards, because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Company spends a lot of time helping users who forgot their password. These are both internal users as well as partners, with access to the shared systems.

Traceability

They found that they had no process or tools in place to trace the status of identities and roles historically. They wanted to be able answer questions such as:

  • Who was a member of the Domain Admins group in April?

  • When was John's account disabled and who approved that?

Previous Section
End of Section 3
Next Section