See paragraph 2.4 Account types for a detailed explanation.
Based on how these accounts are used, we distinguish 4 account types.
The importance indication reflects the risk profile of the account.
This rating gives a basic assessment of the impact and risk of not installing or not using this account.
HIGH (RED) - Configuration Required
- Critical risk on FIM systems, linked systems & general infrastructure
- Real & proven danger
- High impact on recovery
- Impact of risk is critically higher than the operational burden
- Risk of setting up a configuration that cannot be recovered using normal DRP planning
- Critical impact on security, violation of common security best practices
- Critical impact on linked systems like HR, AD, O365

MEDIUM (ORANGE) - Strongly advised to follow best practice
- Significant impact on FIM systems, linked systems & general infrastructure
- Impact of risk is significantly higher than the operational burden

LOW (YELLOW) - Advised to follow best practice
- Low risk
- Theoretical, low frequency
- Easy to recover
- Impact of risk is higher than or equal to the operational burden

OPTIONAL (GREEN) - Suggestion to follow best practice
- Impact of risk is equal to or lower than the operational burden
- FIM Service Account
- SharePoint Service Account
- Pwd Registration Server Account
- Password Reset Server Account
- FIM CM Web Pool Agent Account
Reference:
[19.] Server Configuration - Service Accounts
This section is informational only, but it has been added as a reminder to secure the FIM back-end services.
From Server Configuration - Service Accounts:
“If you configure services to use domain accounts, Microsoft recommends that you configure service accounts individually to provide least privileges for each service, where SQL Server services are granted the minimum permissions they need to complete their tasks.”
There are 4 more accounts for the core SQL services, but these are outside the scope of this document.
Full details are available in the SQL Server whitepaper: SQL Server 2012 Security Best Practices - Operational and Administrative Tasks.
From the white paper:
“The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with. In SQL Server 2005 and above, SQL Server Agent job steps can be configured to use proxies that encapsulate alternate credentials.”
Account overview (columns of the original table: Importance, LOC, Account Type, Account Reference, Name (to fill))

Functional
- FIM installer administrator account* (LOC: D; name: <domain>\<account>)

Service
- FIM Sync service SVCA

Security Group
- FIMSyncAdmins
- FIMSyncOperators
- FIMSyncJoiners
- FIMSyncBrowse
- FIMSyncPasswordSet

Technical
- FIM Task scheduler
- ADMA Account
- FIMMA Account
- SQL MA Account
- Other Management agents: 1 account per type of MA, and by preference 1 account per MA

Further accounts:
- FIM service SVCA
- Backup Portal Administrator
- FIM Portal - Application Pool Account
- FIM SSPR Registration Portal - Application Pool Account
Source: [36.] Create an OU and User Accounts for FIM CM Agents
“The following table summarizes the accounts and permissions required by FIM CM. You can allow FIM CM to create the following accounts automatically, or you can create them prior to installation. The actual account names can be changed. If you do create the accounts yourself, consider naming the user accounts in such a way that it is easy to match the user account name to its function.”
Elevated rights for the installation account (see note [1][2] below):
- Grant local admin rights
- Grant SQL SysAdmin
[1][2] This applies both to a fresh installation of a FIM component and to the implementation of a hotfix or service pack. Only during the implementation of a service pack does the installation account that runs the installation need the elevated rights: only DURING installation, not before, not after.
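As an added example (not from the original guide), a post-installation check that operationalises note [1][2]: it confirms that the installation account no longer holds local Administrators membership on the FIM server or the sysadmin role on the FIM SQL instance. The account and instance names are placeholders; it assumes Get-LocalGroupMember (Windows Server 2016+ / PowerShell 5.1) and Invoke-Sqlcmd from the SqlServer module.

```powershell
# Added example, not part of the original guide. Run on each FIM server after an
# installation, hotfix or service pack to verify that the installation account
# has been stripped of the two rights it needs only DURING installation.
# Assumptions: Get-LocalGroupMember (Windows Server 2016+), SqlServer module
# (Invoke-Sqlcmd), and placeholder account/instance names below.
param(
    [string[]]$Accounts    = @('CONTOSO\svc-fim-installer'),   # placeholder installer account
    [string]  $SqlInstance = 'FIMSQL01\FIMINSTANCE'            # placeholder FIM SQL instance
)

$findings = @()

# 1. Members of the local Administrators group on this server (DOMAIN\name form).
$localAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name

# 2. sysadmin server-role membership on the FIM SQL instance.
#    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (no such login).
#    The login is passed as a sqlcmd scripting variable, not interpolated into SQL.
$query = 'SELECT IS_SRVROLEMEMBER(''sysadmin'', ''$(login)'') AS IsSysAdmin'

foreach ($acct in $Accounts) {
    if ($localAdmins -contains $acct) {
        $findings += "[HIGH] $acct is still a member of local Administrators on $env:COMPUTERNAME"
    }

    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query -Variable @("login=$acct")
    if ($row.IsSysAdmin -is [System.DBNull]) {
        # No SQL login exists for this account: the SysAdmin right was fully removed.
        continue
    }
    if ([int]$row.IsSysAdmin -eq 1) {
        $findings += "[HIGH] $acct still holds the sysadmin server role on $SqlInstance"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no lingering installation-time rights for: $($Accounts -join ', ')"
    exit 0
}
$findings | Write-Output
exit 1
```

Run it under an account that can read the local Administrators group and query the SQL instance; a non-zero exit code flags rights that should have been removed once the installation finished.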
The entire guide can be downloaded at once, as a PDF, from the TechNet Gallery.
That document contains some additional content that is not available online.