S 6.106 Creation of a business continuity plan for the failure of a directory service

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator

The partial or complete failure of a directory service will generally have a serious impact on the ability of the users to do their work. When a directory service server fails, it may no longer be possible to perform any server-based tasks, for example. As part of the contingency planning, it is therefore necessary to draw up a concept detailing how the effects of a failure of directory service components can be minimised and which action needs to be taken in case of a failure.

The following aspects must be taken into account in this regard:

• The contingency planning for the directory service system must be integrated into the existing business continuity plan (see also module S 1.3 Business continuity management).
• Data may also be lost due to the failure of a system. For this reason, it is necessary to create a data backup policy for the directory database that can be integrated into the existing backup concept or can replace the previous policy entirely. Additional information on this subject can be found in module S 1.4 Data backup policy as well as in safeguard S 6.107 Creation of data backups for directory services.
• If replicas of important information and files were created on several servers, then it is possible to use these replicas when an individual directory service server fails. Using the replication mechanisms offered by directory services, it is possible to provide users with a local replica of the data in order to obtain faster access times and ensure high availability of the servers (see S 2.409 Planning of partitioning and replication in the directory service).
• A directory service offers you the ability to distribute the directory database among several different directory service servers (partitioning) so that each server only stores part of the data. In this case, when a single directory service server fails, only the directory partition stored on this server will be affected (see S 2.409 Planning of partitioning and replication in the directory service). When creating a business continuity plan, it must be ensured that all partitions of the directory service installation are taken into account in the plan.
• The entire system configuration of the directory service components must be documented. All tasks required to recover the system must be described so that these tasks can also be carried out in an emergency by personnel who do not have detailed knowledge of the previous system configuration.
• The contingency planning must ensure that correspondingly trained personnel are available in emergencies.
• A recovery plan must be created that guarantees the directory service system can be restarted in a controlled manner.
• The contingency planning must take the special features of important directory service servers into account and must be specified according to these features.

Various scenarios in which the directory service system or parts of it become compromised should be examined in the framework of contingency planning. The business continuity plan should describe how to respond and which action to take in each of these scenarios as precisely as possible. The responses should be evaluated regularly.

Contingency planning that is performed well enough in advance and contains specific instructions that can also be followed by personnel who are not familiar with the administration of the system can lessen the impact in the event of damage. It must be noted that the documents for emergency situations contain information requiring protection, which means they must be stored securely. However, authorised persons must be able to access these documents in an emergency.

Each of the following emergency situations should be examined:

Attacks

If an attack, for example an extension of user rights, is detected on a directory service, it cannot be assumed that deleting the corresponding account from the affected systems without performing detailed security analyses will return it to a secure state. In fact, it is necessary to consider the possibility that changes were made to the system configuration or that malicious software programs (e.g. backdoors or Trojan horses) were installed.

To reliably delete potential malware, it is recommended to completely restore the affected directory service components to guarantee a trustworthy basis for the directory service. The data backups created should be used for this purpose, but the documentation of the exact configuration and the security policies of the directory service will also be needed for this purpose. Furthermore, all accounts with extended rights (and especially the accounts in the group of administrators) should be examined at a minimum to ensure all accounts in the group should actually belong to it and immediately assign new passwords to minimise the chances of success of subsequent attacks. The passwords of the user accounts also need to be changed. In addition, the source of the attack should be investigated, and the results and experience gained from the investigation should be integrated into the existing security concepts.

Theft

If directory service components are stolen, then all existing accounts, and especially those with extended rights, should be assigned new passwords immediately. Furthermore, the theft should be investigated and a detailed security analysis performed. The infrastructural security precautions in particular should be extensively modified based on these results. When in doubt, it is recommended to reinstall all components of the entire directory service structure.

In case of an attack or in case of theft, the respective persons responsible should be informed of the improved security concepts and required to follow the requirements in these security concepts.

Misconfigurations

Misconfigurations of the system administration can have a negative impact on the overall structure of a directory service over the course of time. The configurations of directory service systems should be examined regularly for errors. As soon as an error is detected, the scope of the error should be evaluated and corrective measures initiated.

Depending on the software, it may be possible to make the changes needed to eliminate the configuration error directly, but if the problems are more extensive, it may be necessary to restore the system from the latest data backups or even to reinitialise the system. If the reasons for the configuration errors cannot be determined with absolute certainty, then it is recommended to restore the directory service from a backup with a trustworthy state.

In order to avoid repeating the same problems in the future, the security policies must be examined and adapted accordingly, if necessary. Furthermore, operations in the test network and in the production environment must be analysed so as to reduce downtimes and the number of misconfigurations in the live network to a minimum using the experience gained from the operation of the test network.

Failures due to force majeure

The threats posed by force majeure, e.g. by earthquakes, flooding, fire, storm damage, and cable damage, can have a negative impact on the availability of a directory service. Adequate safeguards against these threats must be taken into consideration to increase availability, for example through the use of redundant communication connections or IT systems.

Review questions:

• Was the contingency planning for directory services meeting the actual needs carried out?
• Are business continuity plans available in case of the failure of important directory service systems?
• Were all emergency procedures for directory service components documented?