Updated: May 16, 2005
Managing Access in the Extended Enterprise: The Checklist
1. Conduct a security audit.
• Conduct an inventory of all the digital assets on your network. Consider using Microsoft Systems Management Server (SMS) to identify the software and hardware assets that are in your environment.
• Classify the business data on your network by sensitivity and confidentiality requirements.
• Identify the types of users in your environment. Who is accessing your network? How do they connect? What resources can they access, and what resources do they require to do their job?
These steps provide the critical input you need to develop your identity and access management strategy.
Watch our October Security360 on Risk Management for more in-depth guidance on how to perform a security audit. Microsoft also offers a free Security Risk Self-Assessment Tool. This tool is particularly useful for organizations with fewer than 1,000 employees.
2. Consolidate your identity infrastructure.
It is likely you store identity information in a number of places, such as your HR database, your Windows directory services, and other applications. You can increase efficiency and minimize the risk of unauthorized access by integrating these different directories.
• If you haven’t already, deploy Windows Server Active Directory. Active Directory can provide the means to manage and administer your Windows user accounts, security policies, and enterprise resources, such as computers and printers. For more guidance about how to deploy or expand your use of Active Directory, see Chapter 4 on Directory Services in the Microsoft Identity and Access Management Series.
• To help you consolidate and better manage multiple directories, use Microsoft Identity Integration Server (MIIS). MIIS enables you to integrate and synchronize identity information across disparate directory services such as Active Directory and Novell eDirectory and across applications like PeopleSoft and SAP. This integration can greatly reduce the risk of security breaches through rogue or compromised user accounts.
3. Establish identity lifecycle management processes and policies.
A key component of any identity and access management strategy is an efficient process for creating, modifying, and retiring digital identities. It should be easy to add new employees or remove access when a vendor project is completed. Implementing a "role-based access control" approach, where application permissions are mapped to organizational roles rather than to individual users, helps make this important process more manageable.
• Use Active Directory and MIIS to automate the user provisioning process. Configure MIIS to create or disable user accounts based on trigger events, for example when a new employee is added to your human resources system.
• Exercise a least privilege policy. Give each user access to just what they need and nothing more. Using role-based access control can simplify this process. Use Active Directory groups and Group Policy to implement this in your network.
• Avoid "authorization creep." When an employee changes roles, be sure to disable or delete user accounts and remove privileges that no longer apply. Again, Active Directory groups can help.
For more details, see Chapter 5 on identity lifecycle management in the Microsoft Identity and Access Management Series.
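The lifecycle steps above (provision on a trigger event, grant only what the role entitles, re-derive access on a role change, disable on departure, and review for authorization creep) as an added, self-contained model; this is example code, not part of the Microsoft article or MIIS, and the role names and group names are constructed for illustration:

```python
# Added example: a minimal role-based provisioning model with an
# "authorization creep" review. Roles/groups below are constructed.
from dataclasses import dataclass, field

# Role -> security groups (Active Directory style) the role is entitled to.
ROLE_GROUPS = {
    "hr_analyst":  {"HR-Staff", "Payroll-Readers"},
    "sales_rep":   {"Sales-Staff", "CRM-Users"},
    "sales_admin": {"Sales-Staff", "CRM-Users", "CRM-Admins"},
}

@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)   # what the account actually holds
    enabled: bool = True

def entitled_groups(account):
    """Groups justified by the account's current roles (least privilege)."""
    return set().union(*(ROLE_GROUPS[r] for r in account.roles))

def provision(account, role):
    """Trigger event: new hire or role assignment. Grant only the role's groups."""
    account.roles.add(role)
    account.groups |= ROLE_GROUPS[role]

def change_role(account, old_role, new_role):
    """Role change: rebuild groups from the new role set so nothing lingers."""
    account.roles.discard(old_role)
    account.roles.add(new_role)
    account.groups = entitled_groups(account)

def deprovision(account):
    """Trigger event: leaver or vendor project finished. Disable and strip access."""
    account.enabled = False
    account.roles.clear()
    account.groups.clear()

def authorization_creep(account):
    """Memberships no current role justifies: the finding a periodic review reports."""
    return account.groups - entitled_groups(account)

def review(directory):
    """Run the creep check over every enabled account; returns {name: extra groups}."""
    return {a.name: authorization_creep(a)
            for a in directory if a.enabled and authorization_creep(a)}
```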
4. Deploy an authentication framework.
User authentication can take many forms from passwords to smart cards and biometrics. Implementing a single platform with the options you require can simplify administration and reduce costs without sacrificing security.
• Take advantage of the security and authentication services in Windows Server 2003 and complementary partner solutions. Windows Server 2003 supports many industry-standard authentication protocols, including Kerberos, EAP, and X.509 certificates, and it can be managed by Active Directory.
• Consider using smart cards, biometric devices, or tokens for access to data that you classified as "sensitive" or confidential during your security audit. For example, at Microsoft, we take advantage of the native smart card support in Windows Server 2003, which provides strong authentication for users who access the network remotely. Visit the Smart Card Deployment page for more information.
5. Integrate existing and new applications.
Applications play a critical role in identity and access management, because they consume digital identity data and enforce access to resources.
• Evaluate the extensive application programming interfaces (APIs) available in Windows. By building applications with these APIs, you can take advantage of the many Windows directory and security services discussed in this webcast. For more detailed information, see the chapter on Developing Identity-Aware ASP.NET Applications in the Microsoft Identity and Access Management Series.
6. Monitor your infrastructure to ensure compliance.
• It is important to monitor for any access violations. Microsoft Operations Manager (MOM) can help you with the process of monitoring for security violations. It is also important to update your security policies and procedures as your business evolves. For example, after an acquisition or an organizational change, you should review your identity and access management practices.
These are just some of the activities, technologies and policies that you can implement to help manage access and digital identities in your organization.
Again, for more information on each of these steps, visit microsoft.com/security360.
Visit the Microsoft Identity and Access Management Series to review and receive guidance on Identity and Access Management.