Should Microsoft Identity Integration Server Be Part of Your Security Plan?
You support thousands of users on your large network, and those users rely on dozens - maybe even hundreds - of applications to get their work done. In today's business climate, security is always an issue. You want your users to have access to the information they need, but nothing else, and you don't want outsiders gaining access to confidential internal data.
You've implemented access controls to keep that from happening, but those controls are dependent on accurate verification of the identities of all users who log on, and identity theft becomes easier in an environment where individual users can get lost in the crowd. To further complicate matters, each application may have its own separate user database or directory, they may use different authentication methods, and a user may have different passwords for different systems.
Managing all that identity data can become an administrative nightmare. Old accounts may not be deleted or deactivated promptly, leaving former employees and others with access they should no longer have. At the same time, new employees may not be able to get accounts created on all the systems quickly, so that they're unable to perform some of their job duties.
To make matters worse, government regulations such as HIPAA and COPPA in the U.S., the Data Protection Act in the U.K. and similar laws require organizations to comply with strict standards governing how identity information is stored and disseminated.
What's needed is a way to consolidate multiple identity databases so that the identity data can be secured and managed from one central location. In this article, we'll discuss how Microsoft Identity Integration Server (MIIS) can help administrators of enterprise-scale networks do just that.
What is MIIS?
Microsoft has a plethora of server products, and it's easy to get lost in all the acronyms and name changes. Many network administrators are unfamiliar with MIIS (not to be confused with IIS, the Internet Information Services web server, even though you'll occasionally see the abbreviation misapplied to it). In its original incarnation, it was known as Microsoft Metadirectory Services, or MMS; the name change came about with the 2003 version.
Note: MMS 2.x is no longer available; Microsoft will continue support for existing MMS 2.x customers through September 30, 2004.
The original name more precisely describes what MIIS is (its own identity, if you will). It's an application that runs as a Windows service on Windows Server 2003. It is built on a metadirectory, which is a directory that consolidates and organizes information from other separate directories or databases into one centralized location. The metadirectory service links the individual directories so that you can control how data is shared between them. For example, a change made in one database can be automatically propagated to the other linked databases.
MIIS specifically consolidates identity information. That could include user logon IDs and passwords, e-mail account information, telephone numbers, addresses, social security numbers, employee ID numbers and other information.
Specifically, MIIS performs the following:
Account provisioning and de-provisioning
Directory synchronization
Identity integration and management
How Account Provisioning/De-provisioning Works
Provisioning and deprovisioning refer to automatically creating and removing user accounts. For example, when a new employee is hired, information on the person is entered into the personnel department's database. With MIIS, this information can be used to automatically create accounts in other connected databases for the person. Similarly, if the personnel department marks an employee as terminated, his logon account, e-mail account and other accounts on databases throughout the organization can be automatically disabled or deleted.
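The hire/terminate flow described above, expressed as an MIIS 2003 rules extension. This is an added example written for this article, not code from Microsoft or from the product documentation. The interface (IMVSynchronization with Provision and ShouldDeleteFromMV) and the object model (MVEntry, ConnectedMA, CSEntry, Attrib) are those of the Microsoft.MetadirectoryServices assembly that MIIS 2003 rules extensions are built against; the management agent name "AD MA", the target OU, the metaverse attributes employeeID, employeeStatus and displayName (assumed to flow in from the personnel database), and the account-naming scheme are assumptions for the example.

```csharp
// Added example for this article (not Microsoft's code): a metaverse rules
// extension that creates an Active Directory account for each active person
// projected from HR, and disables (rather than deletes) it when HR marks the
// person terminated. Interface and object model follow the MIIS 2003
// Microsoft.MetadirectoryServices SDK; names below are assumptions.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed for this example: the AD management agent's display name, the
    // OU new accounts go into, and the attributes HR flows into the metaverse.
    const string AdMaName = "AD MA";
    const string UserOu   = "OU=Users,DC=example,DC=com";

    // userAccountControl bits (ADS_UF_* constants from the AD schema).
    const long UF_ACCOUNTDISABLE = 0x0002;
    const long UF_NORMAL_ACCOUNT = 0x0200;

    public void Initialize() { }
    public void Terminate() { }

    // The sync engine calls Provision each time a metaverse object is created
    // or changed (provisioning must be enabled in Identity Manager first).
    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person") return;

        // Fail closed: only an explicit "Active" from HR counts. An absent
        // value (e.g. the HR record was deleted and its attributes recalled
        // when the HR connector disconnected) is treated as not active.
        bool active = mventry["employeeStatus"].IsPresent
                      && mventry["employeeStatus"].Value == "Active";

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

        if (adMa.Connectors.Count == 0)
        {
            // No AD account linked to this person yet. Create one only for
            // active employees, and only once HR has supplied what we need.
            if (!active) return;
            if (!mventry["employeeID"].IsPresent || !mventry["displayName"].IsPresent) return;

            string employeeId = mventry["employeeID"].Value.Trim();

            CSEntry csentry = adMa.Connectors.StartNewConnector("user");
            // EscapeDNComponent handles commas, '+' etc. in the display name.
            csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                             .Concat(UserOu);
            // Derive the logon name from the HR identifier so it is unique by
            // construction and never collides with someone else's name.
            csentry["sAMAccountName"].Value = "e" + employeeId;
            csentry["employeeID"].Value     = employeeId;
            csentry["userAccountControl"].IntegerValue = UF_NORMAL_ACCOUNT;
            csentry.CommitNewConnector();
            return;
        }

        // An AD account is already linked: keep its enabled/disabled state in
        // step with HR. Terminated people are disabled, not deleted, so the
        // account (SID, group memberships, mailbox link) stays auditable.
        CSEntry existing = adMa.Connectors.ByIndex[0];
        long uac = existing["userAccountControl"].IsPresent
                   ? existing["userAccountControl"].IntegerValue
                   : UF_NORMAL_ACCOUNT;
        uac = active ? (uac & ~UF_ACCOUNTDISABLE) : (uac | UF_ACCOUNTDISABLE);
        existing["userAccountControl"].IntegerValue = uac;
    }

    // Keep the metaverse object even if every connector goes away, so a
    // terminated person's disabled account stays linked rather than orphaned.
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```

The class is compiled into a class library that references Microsoft.MetadirectoryServices.dll, placed in the MIIS Extensions folder, and selected as the metaverse rules extension under Tools > Options in Identity Manager; until provisioning is enabled there, Provision is never invoked. The design choice worth noting is the fail-closed status check: anything other than an explicit "Active" from the authoritative source results in a disabled account, which is what closes the "old accounts aren't deactivated promptly" gap described earlier.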
How Directory Synchronization Works
Directory synchronization involves ensuring that particular information about an individual (for example, his e-mail address or his social security number) is the same across the different databases in which that piece of information is entered. This is accomplished by ensuring that the information in the metadirectory is accurate and flowing that information to the other directories.
How Identity Integration and Management Work
A key aspect of managing identity information that resides in many disparate databases involves determining which source is authoritative. That is, if there is conflicting information in two or more of the databases, which one is presumed to be accurate?
Different databases might be best designated as authoritative for different pieces of information. Thus identity information is divided into separate attributes; for example, two of the attributes associated with a user might include the user's e-mail address and job title. The LDAP database used by the personnel department might be considered authoritative as to job title, since that department is likely to have the most up-to-date information as employees are promoted or make lateral moves within the company. On the other hand, the e-mail address information in the personnel database might well be out of date, since it was probably entered when the employee first joined the organization. The company's Exchange server would be the most logical authoritative source for that piece of information.
MIIS extracts selected attributes from the connected databases, resolves conflicts in favor of whichever source is designated authoritative for each attribute, and consolidates the result in the metadirectory. It then detects changes made in any connected database and, based on rules you define, propagates them to the others; these rules determine whether, when and how a change flows to the rest of the organization's databases. Keep in mind that "authoritative" is a designation you make per attribute, not something MIIS discovers: a source that is wrongly ranked as authoritative will overwrite correct data everywhere that attribute flows.
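The per-source decisions just described, as an added example in the form of an MIIS 2003 management-agent rules extension for the personnel (HR) connected data source. This is not code from the article or from Microsoft; the interface (IMASynchronization) and its member signatures are those of the Microsoft.MetadirectoryServices assembly used by MIIS 2003 rules extensions, while the flow rule names "title" and "displayName", the attribute names and the join criterion are assumptions for the example. Precedence between management agents (HR wins for title, Exchange wins for e-mail address) is configured in Metaverse Designer rather than in code; what the extension controls is whether a record is allowed into the metaverse at all, how it is matched to an existing entry, and whether a particular value from this source is flowed.

```csharp
// Added example for this article (not Microsoft's code): a rules extension for
// an assumed HR management agent. Interface and member signatures follow the
// MIIS 2003 Microsoft.MetadirectoryServices SDK; attribute names, flow rule
// names and the join criterion are assumptions.
using System;
using Microsoft.MetadirectoryServices;

public class HrMAExtensionObject : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Projection: create a metaverse person for an HR record only if it carries
    // an employee ID. Without a stable identifier the record cannot be joined
    // reliably to accounts elsewhere and should never drive provisioning.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = "person";
        return HasValue(csentry["employeeID"]);
    }

    // Join resolution: called, for a join rule configured to use this extension,
    // with the candidate metaverse entries the join search found. Join only when
    // exactly one candidate carries the same employee ID; anything ambiguous is
    // left as a disconnector for a human to review, because a wrong join hands
    // one person's attributes (and downstream accounts) to another.
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry,
                                  MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    {
        imventry = -1;
        if (!HasValue(csentry["employeeID"])) return false;

        string id = csentry["employeeID"].Value.Trim();
        int matches = 0;
        for (int i = 0; i < rgmventry.Length; i++)
        {
            if (HasValue(rgmventry[i]["employeeID"])
                && rgmventry[i]["employeeID"].Value.Trim() == id)
            {
                matches++;
                imventry = i;
            }
        }
        if (matches == 1) return true;
        imventry = -1;
        return false;
    }

    // Import flow: HR is authoritative for job title, but a blank HR field must
    // not wipe a title already in the metaverse, so the value is flowed only
    // when HR actually has one. displayName is composed from the name parts.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "title":
                if (HasValue(csentry["title"]))
                    mventry["title"].Value = csentry["title"].Value.Trim();
                break;
            case "displayName":
                if (HasValue(csentry["givenName"]) && HasValue(csentry["sn"]))
                    mventry["displayName"].Value =
                        csentry["givenName"].Value.Trim() + " " + csentry["sn"].Value.Trim();
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // When HR deletes a record its connector is disconnected and the attributes
    // it contributed are recalled; what then happens to accounts in other
    // directories is decided by the metaverse extension, not here.
    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        return DeprovisionAction.Disconnect;
    }

    public bool FilterForDisconnection(CSEntry csentry) { return false; }

    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    // Present and not just whitespace; works for connector-space and metaverse attributes alike.
    static bool HasValue(Attrib attribute)
    {
        return attribute.IsPresent && attribute.Value.Trim().Length > 0;
    }
}
```

The two places a practitioner should look hardest at are ResolveJoinSearch and ShouldProjectToMV: a join that tolerates ambiguity, or a projection that accepts records without a reliable identifier, is how one employee ends up attached to another's accounts, and MIIS will then faithfully propagate that mistake to every connected directory.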
Identity Management "Parts and Pieces"
Let's take a brief look under the hood of MIIS and at the components that make up an identity management infrastructure.
A dedicated SQL Server database contains a set of tables where the identity data is stored. This set of tables is called the metaverse. There is one metaverse entry for each object (typically a person), and it contains the attributes for that object taken from all the different databases connected to MIIS. Because this one database now holds everything MIIS knows about every identity, including the kinds of data listed earlier, access to it and to the SQL Server instance hosting it must be restricted at least as tightly as access to the source directories themselves.
The directories, databases, flat files and other sources of identity data that are to be consolidated in the metaverse (information in the metadirectory) are known as connected data sources. They are connected by management agents, also called connectors, which are software programs that run on the MIIS server. There is a separate management agent for each connected data source. The management agent controls which attributes from a specific database will be integrated into the metaverse.
MIIS comes with a number of management agents, including those for Active Directory/ADAM, NT 4.0, Exchange Global Address Lists (GAL), Novell eDirectory, Oracle 8i and 9i, Lotus Notes/Domino, SQL 7/2000, SunOne/iPlanet/Netscape, IBM Informix, dBase and more. MIIS can also connect to file-based sources such as delimited text, Excel and XML files.
Each management agent has a dedicated storage area in the metadirectory store called the connector space. This is where the subset of each object's attributes that the agent handles is stored. Different versions of each object (referred to as different states, reflecting the attributes at particular points in time) are stored here as well.
What's New with MIIS 2003?
More than the name changed when Microsoft released MIIS 2003 to replace the old MMS. One significant change was the switch from the proprietary database used by MMS to a SQL database, to provide better scalability and performance as well as a standardized security model and easier programming. Other enhancements and new features include:
Windows Management Instrumentation (WMI) support
Web based user and operations interfaces
Integration with BizTalk server
New or improved management agents for a number of different databases, including Active Directory (AD), Exchange, LDAP, Lotus Notes and XML
Support for international languages such as Japanese and German
Although these changes bring many benefits, there are also a few that will require relearning on the part of MMS administrators. The old proprietary MMS database was based on X.500 standards, which allowed for LDAP access and X.500 type replication and referrals. The new SQL database does not allow for these (instead, clients can run SQL queries). Another difference is the loss of the built-in HTTP service.
One welcome change is the ability to use Visual Basic and C# for scripting instead of the Zoomit scripting language (zscript), since many enterprises will have programmers on their staffs who know VB and C#. In addition, less scripting is necessary with MIIS 2003.
Note: Zoomit was the company that made the metadirectory called Zoomit Via, which was acquired by Microsoft in 1999 and became MMS.
The new password management capabilities include the ability for users to change passwords and for helpdesk personnel to reset passwords through a web-based interface, across connected directories that include AD/ADAM, NT 4.0, Novell eDirectory and SunOne Directory Server.
If you think MIIS might be just the thing to help gain control of a chaotic mix of directories on your network, we should warn you that it doesn't come cheap. The full version of MIIS, called Enterprise edition, lists at $24,999 per processor. If you're just interested in testing, a non-production license is available to those with MSDN Universal subscriptions. If you aren't an MSDN member, don't despair. There's a 180 day eval version of MIIS available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=E2CF0ECE-9F0D-4D73-BDD7-A32091AB3F30&displaylang=en.
If all you need to do is synchronize AD databases across forests, along with Exchange Global Address Lists (GAL), consider the Identity Integration Feature Pack (IIFP) for Active Directory. This works like an "MIIS Lite," providing account provisioning, directory synchronization and identity integration between AD/ADAM and Exchange databases only. Best of all, IIFP is free. You can download it at http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en.
To install either the full-fledged MIIS or the IIFP, you'll need a Windows Server 2003 computer with the following minimum hardware configuration:
PIII 500MHz or equivalent (P4 preferred)
512MB RAM (1GB preferred)
20MB free disk space for the MIIS application
8GB or more of free disk space for the database files
CD or DVD drive
You'll also need SQL Server 2000 with Service Pack 3, and if you want to create rules extensions, you need Visual Basic .NET 2003 or Visual Studio .NET 2003.
Learning More about MIIS
There are several good sources of information about MIIS if you want to find out more before taking the plunge:
Microsoft's MIIS Web site: http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx
MIIS users' discussion group on Yahoo: http://groups.yahoo.com/group/mmsug/
Microsoft's Identity Integration Server (MIIS) and its "lite" version, the Identity Integration Feature Pack for Windows Server 2003 (IIFP) can help organizations get a handle on all the disparate databases throughout the organization that contain information about a person's identity. MIIS provides a centralized way to manage this information and ensure its accuracy. Accurate identity information is at the heart of network security, and if your organization's identity management has gotten out of hand, MIIS or IIFP can be an important part of your security plan.