Security best practices

These best practices provide guidelines that can help you manage security for Microsoft Provisioning System effectively.

Do not use SQL authentication mode

For the highest level of security, do not configure SQL to support SQL authentication. In SQL Server authentication mode, credentials are passed in plaintext in the connection string, so it is recommended that you configure SQL to support only Windows authentication.
For more information on SQL Server installation and configuration, see the section called "Install SQL Server 2000 and Service Pack 1 or 2" in the installation documentation located in the root folder on the Microsoft Provisioning System product CD. For a single computer configuration, see install_single.htm. For a multi-computer configuration, see install_multi.htm.

For multiple forests with different provisioning engines, do not use the same MPFServiceAcct password for all forests. If you do use the same MPFServiceAcct password, Microsoft Provisioning Framework (MPF) duplicates objects across the forests. This is appropriate only if you are implementing a common provisioning engine for all domains.
Note
- Although you can install Microsoft Provisioning Framework in multiple domains and forests, Delegated Administration Console limits your installation to a single domain.
The Microsoft Provisioning Framework Software Development Kit (SDK) contains additional resources to help you deploy Microsoft Provisioning Framework (MPF). For more information on the SDK and how to use it, see Microsoft Provisioning Framework SDK and documentation.

Physical access to a server is a high security risk. To maintain a more secure environment, restrict physical access to all servers and network hardware.
For more information on general security guidelines, see the Microsoft Web site(http://www.microsoft.com/).

Only a limited number of tasks require that you be logged on as a domain administrator. To limit the exposure of the domain administrators account, use it only when required.

Although the configuration of a firewall is beyond the scope of this documentation, your deployment of Microsoft Provisioning System should include the appropriate firewall support to protect network resources.

Most operators do not require the permissions available to the MPF accounts. These permissions should be granted only as needed.

Appropriate data encryption requires the use of packet encryption. If you are using Delegated Administration Console or FrontPage Provider of Microsoft Provisioning System, the COM+ authentication level for calls is configured automatically to use Packet Privacy. This property is not set by default in MPF, however. If you are using MPF, but you are not using Delegated Administration Console or FrontPage Provider, set this property by going to Component Services and changing it on the Security tab of the provisioning engine COM+ application.

When deploying a procedure, set the access type to private if public access is not required. By default, the namespace file sets access type to public, which facilitates testing. In a production environment, this does not provide the appropriate level of security.
For more information about setting the access type, see Maintaining and updating namespaces and procedures and To view or modify the access type of a procedure in Provisioning Manager Help.

Before switching to the production environment, verify that provisioning engines and queue managers both have the Requests security property configured appropriately.
For more information on configuring the Requests security property, see Administering provisioning engines and Administering queue managers in Provisioning Manager Help.

All Simple Object Access Protocol (SOAP) requests to MPF should use Secure Sockets Layer (SSL) or a strong encryption method.

Access should be allowed using only Secure Sockets Layer (SSL). Passwords are passed in plaintext to Active Directory, so exposing this information by not using SSL can pose significant security risks.
For more information on Delegated Administration Console, see Delegated Administration Console.

When running Delegated Administration Console in a production environment, do not enable debugging mode, especially using the trace option. Debugging mode makes information visible, including the server name, that should not be publicly exposed.
For more information on using debugging options, see "Working with debugging options" and "Configure debugging options" in Delegated Administration Console Help.

By default, File Transfer Protocol (FTP) clients are also permitted to log on with a Windows 2000 user name and password that have the permissions to use that computer. You can use this feature to control users' access to files on NTFS file system drives. In some cases, however, this feature can create a security risk. To mitigate this risk, use the "Allow anonymous only" option. This prevents users from logging on with Windows 2000 user names. With this option enabled, no account other than the anonymous account can log on. This is useful for security because only one account, the one that is assigned for anonymous logon, is permitted access; intruders cannot gain access with the administrator account. The same anonymous account, IUSR_ComputerName is configured for File Transfer Protocol (FTP) and Web sites provisioned by Microsoft Provisioning System.
For more information about Internet Information Services (IIS) security, see Internet Information Services 5.0 metabase ACEs.

When you log off Delegated Administration Console, be sure to close all browser windows, especially when sharing a computer. Your credentials are retained in the browser cache until you close all browser windows, and another user of the same computer could access features of Delegated Administration Console under your credentials.