Security Advisor

Take Control of Digital IDs with ILM

Managing users' multiple identities -- and their multiple phases -- can get complicated. That's where ILM comes in.

Microsoft Identity Lifecycle Manager (ILM) is getting a major facelift, adding features that make it useful even for organizations that don't need account synchronization and certificate-management tools.

If you're in charge of a small network, user management is an easy and straightforward task. But as your network grows, what starts with creating and deleting user accounts and the occasional password reset quickly gets much more complex. Even in a midsize organization, users frequently need to authenticate to multiple systems and are tracked in various databases. A Windows account that you create for user Bob needs to be duplicated in Lotus Notes. Bob may also need a certificate for smartcard log-on and another certificate for e-mail encryption. The mainframe requires yet another account, and there's no automatic link to your human resources database.

Once you've set up Bob's various accounts and added him to multiple groups, he's ready to go, and you're just about ready for a vacation. The initial setup of various user accounts is not the only tedious aspect of user account management. Making required changes to the accounts, resetting passwords and deleting the account when a user leaves the company can also create large workloads.

Those aren't the biggest problems you'll face, though.

When you need to keep track of users in multiple databases, and when there's no smooth process for making changes, you end up with a serious security problem. Bob may have quit his job, but his Remote Access Services (RAS) access could remain enabled for days or weeks until word from the human resources department reaches someone who can delete Bob's user account. In many organizations, users are members of groups that they were added to because of previous job responsibilities, and they can still access resources even though their new job doesn't require this access.

Identity Lifecycle
Today's networks assign multiple identities to users, and each of these identities goes through multiple phases, from creation to deletion, with the possibility of various changes in between. The tools that come with Windows to perform the tasks related to this identity lifecycle are rather limited. Microsoft is certainly aware of this, and created ILM in response.

ILM developed out of the venerable Microsoft Identity Integration Server and certificate-management software that Microsoft acquired when it bought Alacris three years ago. ILM "2" -- the official name has not been announced yet, but it will most likely be ILM 2009 -- is currently in the late beta stage. The technology improves on the integration and adds a number of automation and self-service features. Many of these features should appeal to companies that didn't anticipate any need for ILM. If you have an extensive certificate infrastructure based on Windows Certificate Services, or if you need to synchronize Active Directory accounts to other databases, you probably have already looked at ILM. But even if you're a Windows-only shop that never saw a need for ILM before, ILM 2 has some appealing functionality.

Workflow Design
ILM shines when it comes to workflows. A workflow consists of several business processes. Each process is a series of steps needed to perform a single task or several related tasks. ILM lets you easily customize included processes or design new processes. Most basic process-design tasks only require you to answer questions in a wizard. Tight integration with SharePoint lets you create Web portals where users can initiate authorization requests.

For example, you could let a user initiate requests for RAS access to your network. When the request is submitted, an e-mail is sent out to all managers in the user's department, asking for approval. As soon as any of the managers approves, RAS access is granted and a confirmation e-mail is sent to the user. If there's no response from any of the initial approvers within two days, the request will automatically be escalated to the network group.

Some tasks may require an even more elaborate approval process, but a user's request to be added to a distribution group might be automatically granted provided the user belongs to the appropriate department. Office integration can trigger similar workflow processes when you use it to add yourself to distribution groups from Outlook.

Administrators, too, can make use of the portal. When a user is added to your network, you can have ILM create the user account, create an Exchange mailbox and add the user to all required security groups based on the departments he works for. When a user transfers to a different department, group membership is also automatically updated. Another method to accomplish this is to use dynamic groups. Membership in these groups is automatically updated by ILM based on attributes of user accounts. For example, you could define the group membership as all employees who have Betty listed as their supervisor or everyone with the same ZIP code.
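The dynamic-group idea above, as an added illustration in Python (not ILM's own code or API): membership is computed from account attributes, so when Bob transfers out of Finance the stale membership that the earlier section warned about is removed without anyone remembering to do it. The user names, attribute values and group rules are constructed for the example.

```python
# Illustrative model of attribute-driven dynamic groups (not ILM's own API): membership is a
# pure function of account attributes, so a transfer removes old access without a manual step.
RULES = {
    "Finance-Staff": lambda u: u["department"] == "Finance",
    "Betty-Reports": lambda u: u["supervisor"] == "betty",    # everyone Betty supervises
    "Site-ZIP-98052": lambda u: u["zip"] == "98052",          # everyone at one ZIP code
}

# Constructed sample directory: user name -> attributes
USERS = {
    "bob":  {"department": "Finance", "supervisor": "betty", "zip": "98052"},
    "dana": {"department": "Finance", "supervisor": "betty", "zip": "98101"},
    "erik": {"department": "Sales",   "supervisor": "frank", "zip": "98052"},
}

def evaluate(users, rules=RULES):
    """Compute, from attributes alone, the members every dynamic group should have."""
    return {g: {n for n, a in users.items() if test(a)} for g, test in rules.items()}

def reconcile(current, desired):
    """Return {group: (to_add, to_remove)} needed to bring the directory in line with the rules."""
    groups = set(current) | set(desired)
    return {g: (desired.get(g, set()) - current.get(g, set()),
                current.get(g, set()) - desired.get(g, set())) for g in groups}

def transfer(users, name, **new_attrs):
    """Apply an attribute change (e.g. a department transfer) and return the resulting group changes."""
    before = evaluate(users)
    users[name] = {**users[name], **new_attrs}
    return reconcile(before, evaluate(users))
```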

If you feel you spend too much time resetting users' passwords, ILM can help here, too. Instead of having users call the helpdesk, you can give them the option to reset their passwords themselves, right at the Windows log-on screen. Before users can create their new passwords, they have to verify their identity by answering some challenge questions; for example, the city they were born in and their mother's maiden name.

ILM can make decommissioning users who leave the company a quick and easy task, provided you've set up the process beforehand. When you delete the user, you can specify an initial action of disabling the account while a confirmation request e-mail is sent both to the ex-employee's manager and the personnel department. Once both confirm the request, the account is deleted, the Exchange mailbox is removed and any certificates you issued to the user are revoked.
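The RAS approval flow described earlier and the decommissioning flow in this paragraph share one mechanism: a request with named approvers, an "any" or "all" approval policy, an escalation deadline, and actions that fire at submission and on completion. The following Python model is an added illustration, not ILM's own code or API; the approver names (Alice and Carol as Bob's managers, "hr", "netgroup"), the action strings and the hour-based clock are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """One request moving through an approval workflow (illustrative model, not ILM's own API)."""
    subject: str
    required: frozenset           # approvers named when the request is submitted
    policy: str                   # "any": first approval completes it; "all": every required approver must confirm
    submitted: float              # submission time in hours (constructed clock for the example)
    escalate_to: frozenset = frozenset()   # extra approvers allowed once the deadline passes
    deadline: float = 48.0        # hours without any response before escalation
    on_start: tuple = ()          # actions taken immediately, e.g. disabling the account
    on_complete: tuple = ()       # actions taken once the request is approved
    approvals: set = field(default_factory=set)
    actions: list = field(default_factory=list)
    state: str = "pending"        # pending | escalated | completed

    def __post_init__(self):
        self.actions.extend(self.on_start)       # initial action happens before anyone approves
        self.actions.append(f"mail approval request to {sorted(self.required)}")

    def tick(self, now):
        """Timer step: escalate once if no approver has responded before the deadline."""
        if self.state == "pending" and not self.approvals and now - self.submitted >= self.deadline:
            self.state = "escalated"
            self.actions.append(f"escalate to {sorted(self.escalate_to)}")
        return self.state

    def approve(self, who, now):
        self.tick(now)
        allowed = self.required | (self.escalate_to if self.state == "escalated" else frozenset())
        if self.state == "completed" or who not in allowed:
            return self.state                    # already decided, or not an authorised approver
        self.approvals.add(who)
        if self.policy == "any" or self.required <= self.approvals:
            self.state = "completed"
            self.actions.extend(self.on_complete)
        return self.state

def ras_request(now):
    """RAS access: any of the department's managers may approve; two silent days escalate to the network group."""
    return Request("bob", frozenset({"alice", "carol"}), "any", now,
                   escalate_to=frozenset({"netgroup"}),
                   on_complete=("grant RAS access to bob", "mail confirmation to bob"))

def decommission(now):
    """Leaver: disable at once, delete and revoke only after both the manager and HR confirm."""
    return Request("bob", frozenset({"alice", "hr"}), "all", now,
                   on_start=("disable account bob",),
                   on_complete=("delete account bob", "remove mailbox bob", "revoke certificates bob"))
```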

ILM contains a number of pre-defined processes that you can use out of the box or that you can quickly customize to meet your requirements. You can also create brand-new workflow processes from scratch, using a wizard-based workflow designer.

ILM is not just about making identity management easier and quicker; it also improves security. All user and administrator actions can be audited so you'll be able to track who approved a request or which users reset their passwords. When implemented properly, it ensures that users' accounts are deleted or disabled the moment they leave the organization and that group memberships are always up-to-date.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
