Control access with Microsoft Forefront Identity Manager security groups.
- During installation, FIM creates five
security groups. You can control access to FIM resources by
controlling membership in these groups. For more information, see
Using Security
Groups.
Restrict physical access to computers to trusted personnel.
- Physical access to a server is a high
security risk. Physical access to a server by an intruder could
result in unauthorized data access or modification as well as
installation of hardware or software designed to circumvent
security. To maintain a secure environment, you must restrict
physical access to all servers and network hardware.
Implement user rights and permissions to restrict software access to trusted accounts.
- Assign permissions to groups rather than to
users. Because it is inefficient to maintain user accounts
directly, assigning permissions on a user basis should be the
exception. Deny permissions should be used for certain special
cases. Use Deny permissions to exclude a subset of a group which
has Allowed permissions. Use Deny to exclude one special permission
when you have already granted full control to a user or group.
Enforce strong password policies for all user accounts.
- Most authentication methods require the user
to provide a password to prove their identity. These passwords are
normally chosen by the user, who may want a simple password that is
easily remembered. In most cases, these passwords are weak and may
be easily guessed or determined by an intruder. Weak passwords can
circumvent this security element and become the weak point of an
otherwise strong security environment. Strong passwords tend to be
more difficult for an intruder to discern and, as a result, help
provide an effective defense of your organization's resources. A
strong password:
- Is at least seven characters long.
- Does not contain your user name, real name,
or company name.
- Does not contain a complete dictionary
word.
- Is significantly different from previous
passwords. Passwords that increment (Password1, Password2,
Password3 ...) are not strong.
- Contains characters from each of the
following four groups:
Group | Examples
---|---
Uppercase letters | A, B, C ...
Lowercase letters | a, b, c ...
Numerals | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) | ` ~ ! @ # $ % ^ & * ( ) _ + - = { } \| [ ] \ : " ; ' < > ? , . /
An example of a strong password is J*p2leO4>F.
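The rules above can be checked mechanically before a password is accepted. The following PowerShell function is an added example, not part of the original page or of FIM; the dictionary word list and previous-password list it uses are constructed sample data, and "significantly different" is approximated by rejecting passwords that differ from an earlier one only by a trailing number.

```powershell
# Added example (not from the original page): tests a candidate password
# against the strong-password rules listed above. The default dictionary
# words are a constructed sample, not a real word list.
function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string]$RealName = '',
        [string]$CompanyName = '',
        [string[]]$PreviousPasswords = @(),
        [string[]]$DictionaryWords = @('password', 'welcome', 'secret', 'summer', 'admin')
    )
    $failures = @()
    if ($Password.Length -lt 7) { $failures += 'shorter than seven characters' }

    # Must not contain the user name, real name, or company name (case-insensitive)
    foreach ($name in @($UserName, $RealName, $CompanyName)) {
        if ($name -and $Password.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains the name '$name'"
        }
    }
    # Must not contain a complete dictionary word
    foreach ($word in $DictionaryWords) {
        if ($Password.IndexOf($word, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains the dictionary word '$word'"
        }
    }
    # Password1, Password2, ... differ only by a trailing counter; treat as the same password
    $stem = $Password -replace '\d+$', ''
    foreach ($old in $PreviousPasswords) {
        if (($old -replace '\d+$', '') -ieq $stem) { $failures += "only increments previous password '$old'" }
    }
    # One character from each of the four keyboard groups (case-sensitive regexes)
    $groups = @{
        'uppercase letters' = '[A-Z]'
        'lowercase letters' = '[a-z]'
        'numerals'          = '[0-9]'
        'keyboard symbols'  = '[^A-Za-z0-9]'
    }
    foreach ($g in $groups.GetEnumerator()) {
        if ($Password -cnotmatch $g.Value) { $failures += "no $($g.Key)" }
    }
    [pscustomobject]@{ IsStrong = ($failures.Count -eq 0); Failures = $failures }
}

Test-StrongPassword -Password 'J*p2leO4>F' -UserName 'jdoe'                                   # IsStrong: True
Test-StrongPassword -Password 'Password2' -UserName 'jdoe' -PreviousPasswords @('Password1')  # IsStrong: False
```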
Implement SQL Server security best practices.
- For more information, see Forefront Identity
Manager Best Practices and SQL Server Books Online.
Ensure that the network context in which the server running Microsoft Forefront Identity Manager runs is behind a firewall.
- Use a tunnel from the server running FIM to
connect to resources such as domain controllers (that is, if they
are not on the same side of the firewall). For more information
about security and Windows Server® 2008 operating system,
see Windows Server® 2008 operating system Help.
Lock down the Microsoft Forefront Identity Manager service account.
- FIM runs in the security context of a
specific account. Because that account has access to all of the
FIM resources, it should be locked down with the
following restrictions:
- Deny users access to log on as a batch
job.
- Deny users access to log on locally.
- Deny users access to log on by using Terminal
Services.
- Deny users access to this computer from the
network.
Note: For more information about setting account restrictions on Windows Server® 2008 operating system accounts, see Windows Server® 2008 operating system Help.
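A way to verify that the four restrictions above are actually applied is to export the local user-rights assignment with secedit and look for the service account in each corresponding Deny privilege. This is an added example and not part of the page or of FIM; the account name is a placeholder, and the script must run from an elevated session because secedit requires administrator rights.

```powershell
# Added example (not from the original page): audits the four "Deny" user
# rights listed above for a given account. Run elevated.
function Test-ServiceAccountLockdown {
    param([Parameter(Mandatory)][string]$AccountName)

    # secedit stores principals as *S-1-5-..., so resolve the account to its SID
    $nt  = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the local security policy
    $cfg = Join-Path $env:TEMP 'fim-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $policy = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    # Privilege constant behind each restriction the text lists
    $required = [ordered]@{
        'Deny log on as a batch job'                    = 'SeDenyBatchLogonRight'
        'Deny log on locally'                           = 'SeDenyInteractiveLogonRight'
        'Deny log on through Terminal Services'         = 'SeDenyRemoteInteractiveLogonRight'
        'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
    }
    foreach ($r in $required.GetEnumerator()) {
        # Line format: SeDenyBatchLogonRight = *S-1-5-21-...,*S-1-5-32-546
        $line = $policy | Where-Object { $_ -like "$($r.Value) =*" } | Select-Object -First 1
        $members = @()
        if ($line) {
            $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        }
        [pscustomobject]@{
            Restriction = $r.Key
            Privilege   = $r.Value
            Applied     = ($members -contains $sid) -or ($members -contains $AccountName)
        }
    }
}

Test-ServiceAccountLockdown -AccountName 'CONTOSO\fimservice'   # placeholder account name
```

Any row with Applied = False is a restriction still missing on that computer.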
Periodically change the Microsoft Forefront Identity Manager service account password.
Create a domain service account if your SQL Server 2008 is installed on a computer other than the one that is running Microsoft Forefront Identity Manager.
- To distribute the FIM architecture by using
SQL Server on another computer (that is, one that is different from
the server running FIM), you need to create a service account in
the domain to which the SQL Server computer and the server running
FIM computer belong.
Secure your crash dump files.
- Crash dump files that you can use to debug
and troubleshoot FIM might contain sensitive user data. It is
strongly recommended that you do not transmit these files through
an unsecured medium, such as attaching plaintext files to e-mail or
sending files through unsecured File Transfer Protocol (FTP). It is
recommended that you do the following:
- Enable users to upload files to secured HTTPS
sites that use Secure Sockets Layer (SSL) connections.
- Use a non-Microsoft SSL-enabled FTP
application.
- Use certificates to secure e-mail.
- Encrypt the files.
Control debug rights to the FIMSynchronizationServices process.
- Because sensitive data is exposed in the
FIMSynchronizationServices process, it is strongly recommended that
you limit the number of people who have rights to debug the
FIMSynchronizationServices process.
Restrict access to the Microsoft Forefront Identity Manager Extensions and ExtensionsCache folders.
- When FIM is installed, full rights to the
Extensions and ExtensionsCache folders are granted to the Microsoft
Forefront Identity Manager 2010 service account, the
FIMSyncAdmins group, and the account that was used to run Setup. To
grant rights to this folder to someone else, you have to set
permissions on the folder manually, or create a group and grant
permissions to everyone in that group. However, if a malicious user
can get access to the compiled rules extension and the rules
extension source code contains sensitive data, such as passwords,
the malicious user can decompile the rules extensions and expose
the data. Therefore, simply preventing write access to this
directory is not sufficient to protect the data. It is strongly
recommended that you limit and monitor access to the Extensions and
ExtensionsCache folders.
Note: The ExtensionsCache folder is hidden by default. However, because it contains the extension assemblies, it should have the same restricted access as the Extensions folder.
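To limit and monitor access as recommended, it helps to list every ACL entry on the two folders that does not belong to one of the three principals the text says receive rights at installation. The function below is an added example, not part of the page or of FIM; the install path and the principal names are placeholders to replace with your own.

```powershell
# Added example (not from the original page): reports ACL entries on the
# Extensions and ExtensionsCache folders granted to anyone other than the
# expected principals. Paths and account names below are placeholders.
function Get-UnexpectedExtensionAccess {
    param(
        [Parameter(Mandatory)][string[]]$Folder,
        [Parameter(Mandatory)][string[]]$ExpectedPrincipal
    )
    foreach ($path in $Folder) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Folder not found: $path"
            continue
        }
        # Get-Acl reads hidden folders such as ExtensionsCache without -Force
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipal -notcontains $who) {
                [pscustomobject]@{
                    Folder    = $path
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$fimRoot = 'C:\Program Files\FIM\Synchronization Service'   # placeholder install root
Get-UnexpectedExtensionAccess `
    -Folder @("$fimRoot\Extensions", "$fimRoot\ExtensionsCache") `
    -ExpectedPrincipal @('CONTOSO\fimservice', 'SERVER01\FIMSyncAdmins', 'CONTOSO\setupadmin')  # placeholders
```

Inherited entries flagged here usually mean the folder picked up broad permissions from its parent; read access is enough to copy and decompile the assemblies, so review every entry, not just those with write rights.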
Use SSL if you are setting initial passwords.
- FIM transmits initial passwords as plaintext
over the network. To set initial passwords, it is strongly
recommended that you use Lightweight Directory Access Protocol
(LDAP) over SSL to communicate with directory servers running Sun
ONE Directory Server 5.1 (formerly iPlanet Directory Server) and
Netscape Directory Server 6.1 or with servers running Active
Directory Lightweight Directory Services (ADLDS).