Prerequisites – Security Hardening

SUMMARY This section explains how to restrict access for system accounts with JIMS.

Prepare Deployment

Define the servers on which you want to install JIMS. Create service accounts to enable JIMS to read from the defined directory services and identity producers. If you use PC probe, you must create a service account for it.

Set up JIMS – Identity Aware Network

Follow these steps to set up JIMS to provide an identity-aware network:

  1. Define service accounts and enforcement point credentials.
  2. Install JIMS.
  3. Configure JIMS to connect to all your Active Directory services.
  4. Configure JIMS to use the identity producers of your choice.
  5. Configure the required integrations such as Juniper Secure Edge or Security Director Cloud and so on.
  6. Enroll all your SRX Series devices into JIMS.

Configure Limited-Permission User Accounts

Follow these steps for a new user account:

  1. From the Start menu, select Active Directory Users and Computers.
  2. Navigate to the Users container in the forest.
  3. Right-click Users and select New Users.
  4. Specify a descriptive first and middle name or any Windows 2000 username.
  5. Specify a password according to your organization’s password policy.
  6. Clear the User must change password at next logon check box.
  7. Select the User cannot change password check box.
  8. Select the Password never expires check box.

Add Limited Permission User Accounts to Active Directory Groups

To add each new user account to an Active Directory group:

  1. Select the Built-in option.
  2. Select the Event Log Readers group and add the JIMS-EventLogRemoteAccess account.
  3. Select the Distributed COM Users group and add the JIMS-PC-Probe account.
  4. Select the Remote Management Users group and add the JIMS-PC-Probe account.
  5. Select the Domain Admins group and add the JIMS-PC-Probe account.
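The two procedures above (creating the limited-permission accounts, then adding them to the listed groups) can be carried out and verified in one pass with the ActiveDirectory PowerShell module. The following is an added example, not code from the Juniper documentation: the account names and group names are the ones the page lists, the Users container is the one the page says to create the accounts in, and the description text is an assumption. The verification at the end reports the password flags and any group from the list the account is still missing.

```powershell
# Added example (not Juniper's code): provision the JIMS service accounts with
# the password flags the page specifies, add them to the page's groups, and
# report the resulting state. Run as a user permitted to create AD accounts.
Import-Module ActiveDirectory

# Page step 2: accounts are created in the domain's Users container.
$usersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# Account names and target groups exactly as listed on the page.
$serviceAccounts = @(
    @{ Name = 'JIMS-EventLogRemoteAccess'; Groups = @('Event Log Readers') },
    @{ Name = 'JIMS-PC-Probe';             Groups = @('Distributed COM Users',
                                                      'Remote Management Users',
                                                      'Domain Admins') }
)

foreach ($acct in $serviceAccounts) {
    $exists = Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'"
    if (-not $exists) {
        # Password is entered interactively so it never lands in a script or history.
        $pw = Read-Host -AsSecureString -Prompt "Password for $($acct.Name)"
        $newUser = @{
            Name                  = $acct.Name
            SamAccountName        = $acct.Name
            Path                  = $usersContainer
            AccountPassword       = $pw
            Enabled               = $true
            ChangePasswordAtLogon = $false   # page step 6: clear "must change at next logon"
            CannotChangePassword  = $true    # page step 7
            PasswordNeverExpires  = $true    # page step 8
            Description           = 'JIMS limited-permission service account'  # assumed text
        }
        New-ADUser @newUser
    }
    foreach ($group in $acct.Groups) {
        # Add-ADGroupMember is idempotent for members already present.
        Add-ADGroupMember -Identity $group -Members $acct.Name
    }
}

# Verification: confirm the flags and memberships the page requires.
foreach ($acct in $serviceAccounts) {
    $u = Get-ADUser -Identity $acct.Name -Properties PasswordNeverExpires, CannotChangePassword
    $memberOf = (Get-ADPrincipalGroupMembership -Identity $acct.Name).Name
    $missing  = @($acct.Groups | Where-Object { $memberOf -notcontains $_ })
    [pscustomobject]@{
        Account              = $acct.Name
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        CannotChangePassword = $u.CannotChangePassword
        MissingGroups        = ($missing -join ', ')
    }
}
```

The splatted hashtable mirrors the check boxes in the New Object - User dialog one for one, which makes it easy to diff the script against the page's steps during review. An empty MissingGroups column for both rows means the group procedure is complete.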

Define Group Policies for Limited Permission User Accounts

To define group policies for each new user account:

  1. From the Start menu, select Group Policy Management.
  2. In the Group Policy Management window, select the forest and then Default Domain Policy. Right-click Default Domain Policy and select Edit.
  3. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  4. Select Deny Logon locally, select Define these policy settings, and add the new user account.
  5. Select Deny Logon through Remote Desktop Services, select Define these policy settings, and add the new user account.
  6. Select Deny Logon through Terminal Services, select Define these policy settings, and add the new user account.
  7. Select Deny logon as a batch job, select Define these policy settings, and add the new user account.
  8. Select Deny Logon as a service, select Define these policy settings, and add the new user account.
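After the deny-logon rights above have been set in the Default Domain Policy and the policy has been refreshed, the check a practitioner wants is whether those rights are actually in effect for the JIMS accounts on a given domain-joined host. The following is an added example, not code from the Juniper documentation: it exports the host's effective security policy with the built-in secedit tool, parses the [Privilege Rights] section, and reports, for each account the page names, which of the four deny rights is present or missing. The privilege constant names are the standard Windows names for the policies listed in the steps (the Terminal Services and Remote Desktop Services entries map to the same constant); the scratch file path is an assumption.

```powershell
# Added example (not Juniper's code): confirm the deny-logon user rights from
# the page's GPO steps apply to the JIMS accounts on this host.
# Run elevated on a domain-joined machine after `gpupdate /force`.
Import-Module ActiveDirectory

$accounts = @('JIMS-EventLogRemoteAccess', 'JIMS-PC-Probe')   # names from the page

# Windows privilege constant -> policy name as shown in User Rights Assignment.
$requiredRights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
}

# Export the effective local security policy (includes GPO-applied rights).
$cfg = Join-Path $env:TEMP 'jims-secpol-export.inf'   # assumed scratch path
secedit /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run this elevated." }

# Parse lines of the form  SeDenyBatchLogonRight = *S-1-5-21-...,*S-1-5-32-546
$assigned = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$results = foreach ($acct in $accounts) {
    # secedit writes SIDs prefixed with '*'; some entries may be plain names.
    $sid     = (Get-ADUser -Identity $acct).SID.Value
    $ntName  = "$env:USERDOMAIN\$acct"
    foreach ($right in $requiredRights.Keys) {
        $entries = @($assigned[$right])
        $present = ($entries -contains "*$sid") -or ($entries -contains $ntName)
        [pscustomobject]@{
            Account = $acct
            Policy  = $requiredRights[$right]
            Applied = $present
        }
    }
}

$results | Sort-Object Account, Policy | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required deny-logon right(s) not applied on $env:COMPUTERNAME."
}
```

Because secedit reports the host's effective policy rather than the GPO's stored settings, a missing entry here points either at a GPO that has not yet refreshed or at a more specific policy overriding the Default Domain Policy; running the same script on a few member servers and on a domain controller shows which case applies.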