Microsoft Identity Integration Server 2003 graphic

Best practices for security

Control access with Microsoft Identity Integration Server 2003 security groups.

During installation, Microsoft Identity Integration Server 2003 creates five security groups. You can control access to Microsoft Identity Integration Server 2003 resources by controlling membership in these groups. For more information, see Using security groups.

Restrict physical access to computers to trusted personnel.

Physical access to a server is a high security risk. Physical access to a server by an intruder could result in unauthorized data access or modification as well as installation of hardware or software designed to circumvent security. To maintain a secure environment, you must restrict physical access to all servers and network hardware.

Implement user rights and permissions to restrict software access to trusted accounts.

Assign permissions to groups rather than to users. Because it is inefficient to maintain user accounts directly, assigning permissions on a user basis should be the exception. Deny permissions should be used for certain special cases. Use Deny permissions to exclude a subset of a group which has Allowed permissions. Use Deny to exclude one special permission when you have already granted full control to a user or group.

Enforce strong password policies for all user accounts.

Most authentication methods require the user to provide a password to prove their identity. These passwords are normally chosen by the user, who may want a simple password that is easily remembered. In most cases, these passwords are weak and may be easily guessed or determined by an intruder. Weak passwords can circumvent this security element and become the weak point of an otherwise strong security environment. Strong passwords tend to be more difficult for an intruder to discern and, as a result, help provide an effective defense of your organization's resources. A strong password:

Is at least seven characters long.
Does not contain your user name, real name, or company name.
Does not contain a complete dictionary word.
Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.
Contains characters from each of the following four groups:

Group	Examples
Uppercase letters	A, B, C ...
Lowercase letters	a, b, c ...
Numerals	0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard (all keyboard characters not defined as letters or numerals)	` ~ ! @ # $ % ^ & * ( ) _ + - = { } \| [ ] \ : " ; ' < > ? , . /

An example of a strong password is J*p2leO4>F.

Implement SQL Server 2000 security best practices.

For more information, see Best practices and SQL Server 2000 Books Online.

Ensure that the network context in which the server running Microsoft Identity Integration Server 2003 runs is behind a firewall.

Use a tunnel from the server running Microsoft Identity Integration Server 2003 to connect to resources such as domain controllers (that is, if they are not on the same side of the firewall). For more information about security and Windows Server 2003, Enterprise Edition, see Windows Server 2003, Enterprise Edition Help.

Lock down the Microsoft Identity Integration Server 2003 service account.

The Microsoft Identity Integration Server service runs in the security context of a specific account. Since the account will have access to all of the Microsoft Identity Integration Server 2003 resources, this account should be locked down with the following restrictions:
- Deny users access to log on as a batch job.
- Deny users access to log on locally.
- Deny users access to log on by using Terminal Services.
- Deny users access to this computer from the network.
Note
- For more information about setting account restrictions on Windows Server 2003, Enterprise Edition accounts, see Windows Server 2003, Enterprise Edition Help.

Periodically change the Microsoft Identity Integration Server 2003 service account password.

Create a domain service account if your SQL Server 2000 is installed on a computer other than the one that is running Microsoft Identity Integration Server 2003.

To distribute the Microsoft Identity Integration Server 2003 architecture by using SQL Server 2000 on another computer (that is, one that is different from the server running Microsoft Identity Integration Server 2003), you need to create a service account in the domain to which the SQL Server 2000 computer and the server running Microsoft Identity Integration Server 2003 computer belong.

Secure your crash dump files.

Crash dump files that you can use to debug and troubleshoot Microsoft Identity Integration Server 2003 might contain sensitive user data. It is strongly recommended that you do not transmit these files through an unsecured medium, such as attaching plaintext files to e-mail or sending files through unsecured File Transfer Protocol (FTP). It is recommended that you do the following:
- Enable users to upload files to secured HTTPS sites that are Secure Socket Layer (SSL) connections.
- Use a non-Microsoft SSL-enabled FTP application.
- Use certificates to secure e-mail.
- Encrypt the files.

Control debug rights to the MIIServer process.

Because sensitive data is exposed in the MIIServer process, it is strongly recommended that you limit the number of people who have rights to debug the MIIServer process.

Restrict access to the Microsoft Identity Integration Server 2003 Extensions and ExtensionsCache folders.

When Microsoft Identity Integration Server 2003 is installed, full rights to the Extensions and ExtensionsCache folders are granted to the Microsoft Identity Integration Server 2003 service account, the MIISAdmins group, and the account that was used to run Setup. To grant rights to this folder to someone else, you have to set permissions on the folder manually, or create a group and grant permissions to everyone in that group. However, if a malicious user can get access to the compiled rules extension and the rules extension source code contains sensitive data, such as passwords, the malicious user can decompile the rules extensions and expose the data. Therefore, simply preventing write access to this directory is not sufficient to protect the data. It is strongly recommended that you limit and monitor access to the Extensions and ExtensionsCache folders.
Note
- The ExtensionsCache folder is hidden by default. However, because it contains the extension assemblies, it should have the same restricted access as the Extensions folder.

Use SSL if you are setting initial passwords.

Microsoft Identity Integration Server 2003 transmits initial passwords as plaintext over the network. To set initial passwords, it is strongly recommended that you use Lightweight Directory Access Protocol (LDAP) over SSL to communicate with directory servers running Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) and Netscape Directory Server 6.1 or with servers running Active Directory Application Mode (ADAM).