First off, I am a student at UAT. A co-worker and I have been tasked to implement Microsoft’s Forefront Identity Manager. We have already been offered and shown the demonstration of how Forefront works, and we have asked some questions in regard to integrating it into our current infrastructure. However, we never addressed the security vulnerabilities that the product might open up within our network, both internally and externally. After reading the document located at https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/deployment/574-BSI.html, in the Implementation Frameworks section there is a sub-section within the first framework titled the “Vendor Provides” Element. Is it best to first disable all the features and then enable them one at a time until the product becomes functional to the liking of the business, or to disable one feature at a time until the product is functioning acceptably for business needs? I know one should use the most restrictive means first, as this provides better security, but the company I work for has had such lax security governance for quite some time that going most restrictive is probably not an option. Any suggestions would be great.
Software/Hardware used: Microsoft Forefront Identity Manager, Exchange 2003, Windows Server 2003