Security Hardening Guide

Category: Administration
Tags: security, hardening, LDAPS, SSL, service-account, best-practices
Priority: High

This guide covers best practices for securing your IdentityCenter deployment. As an identity governance platform with access to your Active Directory, IdentityCenter should be treated as a critical security asset.

Network Security

Use HTTPS

Always run IdentityCenter over HTTPS in production:

  • Obtain a TLS certificate from your organization's CA or a public CA
  • Configure the web server (IIS or Kestrel) to use HTTPS on port 443
  • Redirect all HTTP traffic to HTTPS
  • Use TLS 1.2 or higher

Use LDAPS for AD Connections

When connecting to Active Directory, use LDAPS (LDAP over SSL) instead of plain LDAP:

Setting      Insecure      Secure
-----------  ------------  ------------
Port         389 (LDAP)    636 (LDAPS)
Encryption   None          TLS
Use SSL      No            Yes

To enable LDAPS:

  1. Ensure your domain controllers have a valid certificate
  2. When creating a connection, set Port to 636 and enable Use SSL
  3. Test the connection to verify SSL works

Important: Plain LDAP (port 389) transmits credentials and data in clear text. Always use LDAPS in production environments.
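The following is an added example, not part of IdentityCenter, that does the two checks the "Use HTTPS" and "Use LDAPS" sections ask for: it flags a stored AD connection definition that is not on port 636 with Use SSL enabled, and it opens a real TLS session to the endpoint, refusing anything below TLS 1.2 and validating the certificate chain and hostname, then reports what was negotiated. The same probe works against the HTTPS listener on port 443. The hostname dc01.corp.example and the CA file name are placeholders.

```python
"""Added example, not part of IdentityCenter: verify that an AD connection is
stored with LDAPS settings and that the endpoint actually negotiates TLS 1.2+
with a certificate that validates.  The same probe works for the HTTPS listener
on port 443.  Hostnames and the CA file path below are placeholders."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional

LDAPS_PORT = 636


def connection_settings_issues(port: int, use_ssl: bool) -> List[str]:
    """Flag an AD connection definition that does not match the LDAPS guidance.
    An empty list means the stored settings are acceptable."""
    issues = []
    if not use_ssl:
        issues.append("Use SSL is disabled: credentials and directory data cross the network in clear text")
    if port != LDAPS_PORT:
        issues.append(f"port {port} is not the LDAPS port {LDAPS_PORT}")
    return issues


def probe_tls_endpoint(host: str, port: int = LDAPS_PORT,
                       ca_file: Optional[str] = None, timeout: float = 5.0) -> Dict[str, object]:
    """Open a TLS session to host:port, verifying the certificate chain and
    hostname, and report what was negotiated.  A failed verification raises
    ssl.SSLCertVerificationError, which is the signal that the DC certificate
    is missing, self-signed, expired or issued for another name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain + hostname checks are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse anything older than TLS 1.2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return {
                "tls_version": tls.version(),
                "subject": dict(pair[0] for pair in cert["subject"]),
                "dns_names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
                "days_until_expiry": (expires - datetime.now(timezone.utc)).days,
            }


if __name__ == "__main__":
    # Placeholder values: replace with your DC name and the CA bundle its certificate chains to.
    for problem in connection_settings_issues(port=389, use_ssl=False):
        print("config:", problem)
    print(probe_tls_endpoint("dc01.corp.example", 636, ca_file="corp-root-ca.pem"))
```

Run it from the IdentityCenter server so the probe follows the same network path the application uses. A certificate that the DC presents but that does not chain to a CA the server trusts fails here exactly as it will fail in the application, which is the point of step 3 above.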

Firewall Rules

Restrict network access to only what's needed:

Direction  Port     Protocol  Purpose
---------  -------  --------  --------------------------------
Inbound    443      HTTPS     Web UI and API access
Outbound   636      LDAPS     Active Directory queries
Outbound   1433     SQL       Database connectivity
Outbound   587/465  SMTP/TLS  Email notifications
Outbound   443      HTTPS     Entra ID connectivity (if used)

Block all other inbound and outbound traffic.

Service Account Security

AD Service Account

The service account used to connect to Active Directory should follow least privilege:

Recommended permissions:

  • Read-only access to the OUs containing your user, group, and computer objects
  • Grant write permissions only if you're using write-back features (editing AD objects from IdentityCenter)
  • Never use a Domain Admin account

Best practices:

  • Use a dedicated service account solely for IdentityCenter
  • Use a Group Managed Service Account (gMSA) if possible — passwords are managed automatically
  • Set a strong, unique password (20+ characters)
  • Do not set "Password Never Expires" — rotate regularly or use gMSA
  • Disable interactive login for the service account

SQL Service Account

The database account should have minimal permissions:

  • Grant db_owner on the IdentityCenter database only
  • Do not use sa or a sysadmin-level account
  • Use Windows Authentication (Integrated Security) when possible
  • If using SQL authentication, use a strong password

Application Service Account

If running IdentityCenter as a Windows Service:

  • Create a dedicated service account
  • Grant "Log on as a service" right
  • Grant read/write access to the application directory only
  • Do not use the built-in LocalSystem account in production

Authentication & Access Control

Admin Account Security

  • Use strong passwords for all IdentityCenter admin accounts
  • Limit the number of administrator accounts (principle of least privilege)
  • Review admin account access regularly
  • Consider using a separate admin account from your daily-use account

Session Security

IdentityCenter enforces session timeouts:

  • Idle sessions expire after a configured period
  • Re-authentication is required after session expiration
  • Sessions are invalidated on logout

Database Security

Connection String Protection

  • Never store connection strings in plain text in production
  • Use environment variables or Azure Key Vault for sensitive configuration
  • Restrict file system access to appsettings.json

Database Encryption

  • Enable Transparent Data Encryption (TDE) on your SQL Server database
  • Use encrypted connections between IdentityCenter and SQL Server (Encrypt=True in the connection string)
  • Back up the database regularly and store backups securely
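The following is an added example, not IdentityCenter code, covering both "Connection String Protection" and "Database Encryption" above. It audits a SQL Server connection string as it is stored in configuration for the settings these sections warn about (Encrypt missing or off, TrustServerCertificate=True, an embedded password, the sa login) and builds a hardened one that enforces encryption, prefers Windows Authentication, and, where SQL authentication is unavoidable, reads the password from an environment variable at start-up instead of appsettings.json. The two sample strings and the IDC_SQL_PASSWORD variable name are constructed for the example.

```python
"""Added example, not IdentityCenter code: audit a SQL Server connection string
as it is stored in configuration for the settings this guide warns about, and
build a hardened one whose secret, if SQL authentication is unavoidable, comes
from an environment variable rather than appsettings.json.  The sample strings
and the IDC_SQL_PASSWORD variable name are constructed for the example."""
import os
from typing import Dict, List, Optional

# Constructed samples: the first is what an unhardened install often looks like.
WEAK = "Server=sql01;Database=IdentityCenter;User ID=sa;Password=Summer2024!;Encrypt=False;TrustServerCertificate=True;"
HARDENED = "Server=sql01;Database=IdentityCenter;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;"


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;...' into a dict keyed by lower-cased keyword."""
    parts = {}
    for item in cs.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            parts[key.strip().lower()] = value.strip()
    return parts


def _enabled(value: str) -> bool:
    # ADO.NET accepts several spellings for "on"; SSPI is the Integrated Security form.
    return value.strip().lower() in ("true", "yes", "1", "sspi", "mandatory", "strict")


def connection_string_issues(cs: str) -> List[str]:
    """Return the weaknesses found in a stored connection string (empty list = OK)."""
    p = parse_connection_string(cs)
    issues = []
    if not _enabled(p.get("encrypt", "false")):
        issues.append("Encrypt is not enabled: traffic to SQL Server is sent unencrypted")
    if _enabled(p.get("trustservercertificate", "false")):
        issues.append("TrustServerCertificate=True skips certificate validation, so the server is not authenticated")
    integrated = _enabled(p.get("integrated security", p.get("trusted_connection", "false")))
    if not integrated:
        if "password" in p or "pwd" in p:
            issues.append("SQL password is stored in the connection string")
        if p.get("user id", p.get("uid", "")).lower() == "sa":
            issues.append("connects as sa instead of a dedicated least-privilege login")
    return issues


def hardened_connection_string(server: str, database: str, sql_user: Optional[str] = None,
                               password_env: str = "IDC_SQL_PASSWORD") -> str:
    """Build a connection string with encryption enforced.  Prefer Windows
    Authentication (sql_user=None); otherwise the password is read from the
    environment at start-up so it never lands in a configuration file."""
    base = f"Server={server};Database={database};Encrypt=True;TrustServerCertificate=False;"
    if sql_user is None:
        return base + "Integrated Security=SSPI;"
    secret = os.environ.get(password_env)
    if not secret:
        raise RuntimeError(f"{password_env} is not set; refusing to fall back to a hard-coded password")
    return base + f"User ID={sql_user};Password={secret};"


if __name__ == "__main__":
    for name, cs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, connection_string_issues(cs) or ["no issues"])
    print(hardened_connection_string("sql01", "IdentityCenter"))
```

The audit is meant for the string as it sits in appsettings.json or the environment, so a string assembled at runtime by hardened_connection_string with SQL authentication will still show a Password keyword in memory; that is expected, since the check is about what is persisted on disk.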

Database Access

  • Restrict SQL Server access to only the IdentityCenter server
  • Use firewall rules to block database access from other machines
  • Enable SQL Server audit logging for the IdentityCenter database

Server Hardening

Operating System

  • Keep Windows Server fully patched
  • Enable Windows Defender or equivalent antivirus
  • Disable unnecessary services and features
  • Restrict Remote Desktop access to authorized administrators only

IIS (if applicable)

  • Remove default IIS site and sample applications
  • Disable directory browsing
  • Configure request filtering to block suspicious requests
  • Enable HTTP Strict Transport Security (HSTS)

File System

  • Restrict access to the IdentityCenter installation directory
  • Only the application service account and administrators should have access
  • Audit file system access to the application directory
  • Protect log files — they may contain sensitive information

Monitoring & Auditing

Enable Audit Logging

IdentityCenter logs all administrative actions:

  • User logins and logouts
  • Configuration changes
  • Object modifications (write-back)
  • Policy changes
  • Access review decisions

Review audit logs regularly in Administration > Audit Logs.

Monitor for Anomalies

Watch for:

  • Unusual login patterns (failed logins, logins at odd hours)
  • Unexpected configuration changes
  • Large-scale object modifications
  • Sync failures (could indicate AD connectivity issues or credential compromise)
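The following is an added example, not IdentityCenter code, that turns three of the "Watch for" items above into detection logic over an audit-log export: failed-login bursts per account, successful logins outside business hours, and large-scale object modifications by one actor. The comma-separated line format and every event in SAMPLE_LOG are constructed for the example; parse_events() is the place to adapt to the fields of the real audit export or API payload when feeding this into a SIEM.

```python
"""Added example, not IdentityCenter code: the anomaly checks this guide lists,
run over an audit-log export.  The comma-separated line format and every event
below are constructed for the example; adapt parse_events() to the fields of
the real audit export or API payload."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one off-hours admin login, a burst of failed logins against an
# admin account from an outside address, and a write-back storm by the service account.
SAMPLE_LOG = "\n".join(
    ["2024-03-04T02:14:05Z,login_success,admin.jsmith,10.0.4.7",
     "2024-03-04T09:00:11Z,login_success,admin.kwong,10.0.4.8"]
    + [f"2024-03-04T09:0{i}:00Z,login_failed,admin.jsmith,203.0.113.20" for i in range(6)]
    + [f"2024-03-04T10:00:{i:02d}Z,object_modified,svc-idc,10.0.4.7" for i in range(25)]
)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp,action,actor,source' lines into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, actor, source = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "action": action, "actor": actor, "source": source})
    return sorted(events, key=lambda e: e["time"])


def _burst_actors(events, action: str, threshold: int, window: timedelta) -> Dict[str, int]:
    """Actors with at least `threshold` events of `action` inside any sliding window.
    Returns actor -> largest count seen in one window."""
    times = defaultdict(list)
    for e in events:
        if e["action"] == action:
            times[e["actor"]].append(e["time"])   # events are already time-ordered
    flagged = {}
    for actor, stamps in times.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def failed_login_bursts(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Accounts hit by repeated failed logins: password guessing or a broken credential."""
    return _burst_actors(events, "login_failed", threshold, window)


def bulk_modifications(events, threshold: int = 20, window: timedelta = timedelta(minutes=5)):
    """Large-scale write-back activity: many object changes by one actor in a short window."""
    return _burst_actors(events, "object_modified", threshold, window)


def off_hours_logins(events, start_hour: int = 7, end_hour: int = 19):
    """Successful logins outside the business window.  Timestamps are treated as UTC;
    shift the window to match the administrators' local time zone."""
    return [e for e in events
            if e["action"] == "login_success" and not (start_hour <= e["time"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("bulk modifications:", bulk_modifications(evs))
    print("off-hours logins:", [(e["actor"], e["time"].isoformat()) for e in off_hours_logins(evs)])
```

The thresholds are starting points, not tuned values: a write-back storm by the service account is normal during a scheduled bulk update, so baseline bulk_modifications against the sync schedule before alerting on it.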

Integrate with SIEM

Forward IdentityCenter logs to your SIEM system for centralized monitoring:

  • Use the API to pull audit data
  • Set up alerts for critical events (admin login failures, configuration changes)

Deployment Checklist

Use this checklist when deploying IdentityCenter to production:

  • HTTPS enabled with valid TLS certificate
  • LDAPS configured for all AD connections (port 636)
  • Dedicated service account for AD access (not Domain Admin)
  • Dedicated SQL account with minimal permissions
  • Connection string secured (not in plain text)
  • Firewall rules configured (only required ports open)
  • Admin accounts use strong, unique passwords
  • Number of admin accounts minimized
  • Windows Server fully patched
  • Antivirus enabled
  • File system permissions restricted
  • Audit logging enabled
  • Backup schedule configured
  • Recovery procedure tested
