Recommended Secured Deployment
File Access Manager uses self signed certificates, and SSL for internal communication.
If you require a higher security configuration, follow these configuration guidelines:
- Required Environment
- Installation Considerations and Constraints
- Post Installation Configuration
- Configuring the Process Exploit Mitigation for File Access Manager Services
- Enabling New Version Notifications
Required Environment
Windows Operating System Version - File Access Manager must be installed on a Windows Server 2019 Datacenter edition, version 1809.
File Access Manager Version - For a secured deployment, use File Access Manager version 8.1.0.1 or higher.
Installation Considerations and Constraints
File Access Manager should be installed in the default directories (e.g., C:\Program Files\SailPoint). These include:
- Server Installer
- All Services (Core and Collectors)
- Administrative Client
The File Access Manager database should be created on an SQL Server that is set up with a certificate and enforces encryption.
Post Installation Configuration
Complete the following steps to configure File Access Manager securely:
- Replace all self-signed certificates with trusted certificates that you must provide. See the section Configuring File Access Manager to Use Local Certificates within the Certifications and SSL Installation Guide.
- Set up the recommended Process Exploit Mitigation for File Access Manager services (Windows Defender settings). Refer to Configuring the Process Exploit Mitigation for File Access Manager Services.
- Change the IIS settings (on the server where the web components are installed) to require SSL. Refer to the File Access Manager Website SSL section within the Certifications and SSL Installation Guide.
- Set all Active Directory connections to use LDAPS (for Identity Collectors and Data Enrichment Connectors).
- Enable the File Access Manager New Version Notifications feature. See the Enabling New Version Notifications section.
For all these changes to take effect, restart all services or restart the server.
Configuring the Process Exploit Mitigation for File Access Manager Services
Part of the higher security configuration is enabling the following Process Exploit Mitigation settings in Windows Defender for the File Access Manager services:
Component | Setting | Location |
---|---|---|
Control Flow Guard (CFG) | on (default) | System setting |
DEP | on (default) | System setting |
Randomize memory allocations (Bottom-Up ASLR) | on (default) | System setting |
Export Address Filtering (EAF) | on (This requires manual configuration per service) | Program settings |
Import Address Filtering (IAF) | on (This requires manual configuration per service) | Program settings |
The system settings should be kept at their default values. Verify that the settings listed above are in fact set in the Windows Exploit Protection Settings under the System tab.
The program settings can be updated using a policy file that is part of the File Access Manager deployment package, or manually in the Windows Defender Exploit Protection tool. Both methods are described below.
Configuring the Program Settings Using FAM.Exploit.protection.Settings.xml Script
You can enable the recommended security settings for File Access Manager using the FAM.Exploit.protection.Settings.xml file from the installation folder.
To apply the settings, run the following command in an elevated PowerShell window:
Set-ProcessMitigation -PolicyFilePath "Full path to FAM.Exploit.protection.Settings.xml"
This policy file updates the File Access Manager services, configuring the mitigation settings per service.
For these settings to take effect, the services need to be restarted.
Configuring the Program Settings Using the Windows Defender Settings Tool
If you cannot run the script described above, or prefer to configure the settings manually, use the Windows Defender Settings tool as follows:
- On the Windows server, open the Windows Defender Settings.
- Select App & Browser Control.
- Select Exploit Protection Settings.
- Go to the Program Settings tab.
- For each of the File Access Manager services:
  - Select + Add program to customize to open the parameters panel.
  - Set EAF (Export Address Filtering) and IAF (Import Address Filtering) to On.
  - Select Apply to save the changes.
- Restart all the modified services, or reboot the server.
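Whichever of the two methods above you used, the settings should be verified afterwards. The following PowerShell script is an added example (not part of the SailPoint documentation or deployment package) that reports the system-level mitigations and the per-service EAF/IAF state; it assumes the File Access Manager services can be found by a display-name pattern, which you should adjust to your deployment.

```powershell
# Added example, not part of the SailPoint documentation or deployment package.
# Verifies the Exploit Protection settings from the table above: system-level
# CFG/DEP/Bottom-Up ASLR at their defaults, and EAF/IAF explicitly ON for each
# File Access Manager service executable. Run in an elevated PowerShell window.
# Assumption: services are located by display name; adjust the filter to match
# the service names in your deployment.
$ServiceNameFilter = 'File Access Manager*'   # assumed naming pattern

# System settings: Get-ProcessMitigation reports NOTSET when the Windows
# default applies, which for these three mitigations means ON.
$system = Get-ProcessMitigation -System
$systemChecks = [ordered]@{
    'Control Flow Guard (CFG)' = "$($system.CFG.Enable)"
    'DEP'                      = "$($system.Dep.Enable)"
    'Bottom-Up ASLR'           = "$($system.Aslr.BottomUp)"
}
foreach ($name in $systemChecks.Keys) {
    $state  = $systemChecks[$name]
    $result = if ($state -in @('ON', 'NOTSET')) { 'OK' } else { 'REVIEW' }
    Write-Output ('System  {0,-28} {1,-7} {2}' -f $name, $state, $result)
}

# Program settings: EAF and IAF are per-executable and must be explicitly ON.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceNameFilter }
foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep the executable only.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split ' ')[0] }
    $exeName = Split-Path -Path $exe -Leaf

    # Program settings are keyed on the executable name, as in the policy file.
    $m   = Get-ProcessMitigation -Name $exeName
    $eaf = "$($m.Payload.EnableExportAddressFilter)"
    $iaf = "$($m.Payload.EnableImportAddressFilter)"
    $result = if ($eaf -eq 'ON' -and $iaf -eq 'ON') { 'OK' } else { 'MISSING' }
    Write-Output ('Program {0,-28} EAF={1,-6} IAF={2,-6} {3}' -f $exeName, $eaf, $iaf, $result)
}
```

A service reported as MISSING has no program-level EAF/IAF entry and needs the policy file re-applied or the manual configuration repeated before the restart.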
Enabling New Version Notifications
SailPoint publishes updates to the File Access Manager periodically, which may include new releases, minor releases, and software patches.
When updates are available, the application can send an email to the File Access Manager administrator to notify about the update. This feature is disabled by default.
To enable this feature:
- Update the database with the email address to which the notification email will be sent. Run the following SQL update statement:
update [whiteops].[system_configuration_value] set [value] = N'[ENTER DESIRED eMAIL HERE]' where [name] = N'New Version Message To'
- On the Scheduled Task Handler service server, edit the file:
- In the appSettings section, change newVersionCheckIntervalInMinutes from -1 (which means no check for new versions) to the desired check interval in minutes.
- Save the file and close it.
- Restart the Scheduled Task Handler service.
After the service restart, an email will be sent to the specified address whenever a newer version is available to download from Compass.
Removing Unnecessary Banner Information on Web Responses
Microsoft's Internet Information Services (IIS) includes a Server header in every response that discloses the originating server and web server version.
To remove this information, configure IIS to strip the 'Server' header. The method depends on the installed IIS version, as described below:
- For IIS before version 10 - In Windows IIS Manager, use the URL Rewrite module to create a rule that rewrites all outgoing responses, replacing the Server header value with an empty string. A detailed description can be found in the MS IIS Support blog post below, under the third method, "3. Using URLRewrite": https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710
- For IIS version 10 and later - Update the SiqWeb web.config file C:\inetpub\wwwroot\siqApi\web.config.
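Since the required operating system is Windows Server 2019, the installed IIS is version 10, where the Server header can be suppressed with the removeServerHeader attribute of the requestFiltering section. The following PowerShell script is an added example (not SailPoint's own procedure) that writes that setting into the siqApi application's web.config through the WebAdministration module and then checks a response; the IIS application path and URL are assumptions to adjust.

```powershell
# Added example, not part of the SailPoint documentation. Requires IIS 10 or
# later and the WebAdministration module; run in an elevated PowerShell window.
Import-Module WebAdministration

$AppPath = 'IIS:\Sites\Default Web Site\siqApi'   # assumed IIS path for C:\inetpub\wwwroot\siqApi
$Url     = 'https://localhost/siqApi/'             # assumed URL of the web component

# Writes <requestFiltering removeServerHeader="true" /> under
# system.webServer/security in the application's web.config.
Set-WebConfigurationProperty -PSPath $AppPath `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# Read the setting back from the configuration.
$setting = Get-WebConfigurationProperty -PSPath $AppPath `
    -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader'
Write-Output "removeServerHeader in web.config: $($setting.Value)"

# Issue a request and check whether a Server header is still returned.
try {
    $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Head
    $server = $resp.Headers['Server']
} catch [System.Net.WebException] {
    # An error status (e.g. 401 from an authenticated endpoint) still carries headers.
    $server = $_.Exception.Response.Headers['Server']
}
if ([string]::IsNullOrEmpty($server)) {
    Write-Output 'Server header absent: OK'
} else {
    Write-Output "Server header still present: '$server'"
}
```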