S 5.15 General directory service
Description
A directory service provides information on any object in a computer network in a defined manner. Attributes can be stored with each object; for a user ID, for example, the attributes could include the first and last name of the user, their personnel number, and the name of their computer. This data can then be used by any of the various applications, while the directory service and its data only need to be administered once from a central location.
Some typical areas of application of directory services include:
- Administration of address books, e.g. for telephone numbers, e-mail addresses, or certificates for electronic signatures
- Resource administration, e.g. for computers, printers, scanners, and other peripheral devices
- User administration, e.g. for the administration of user accounts and user authorisations
- Authentication, e.g. for logging in to operating systems or to applications
Directory services are optimised for read access, because data is frequently called up from the directory service while write accesses such as the creation, modification, or deletion of entries are required less often.
The data in a directory service is generally object-based and is organised logically in a tree structure. The structure can reflect the political, geographic, or organisational relationships between the data in the directory. The objects are stored in a hierarchy of directories and databases that can be distributed when necessary. Starting from a single root object, the objects branch out in parent/child relationships down to the leaves. Objects that themselves contain other objects are referred to as container objects, while the objects at the bottom of the tree are called leaf objects.
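As an added example (not part of the BSI module), the following Python sketch models the data organisation just described: objects with attributes hanging under a single root in parent/child relationships, with container objects distinguished from leaf objects. All DNs and attribute values are constructed sample data, and the DN handling is simplified (escaped commas are not handled).

```python
class Directory:
    """Entries keyed by DN; every entry except the root must hang under an existing parent."""

    def __init__(self, root_dn):
        self.root = root_dn
        self.entries = {root_dn: {"objectClass": "domain"}}

    @staticmethod
    def parent_of(dn):
        # Everything after the leftmost RDN. Simplification: RFC 4514 escaping
        # of commas inside attribute values is not handled.
        _head, sep, rest = dn.partition(",")
        return rest if sep else None

    def add(self, dn, attrs):
        # Write access: refuse orphans so the tree stays rooted.
        parent = self.parent_of(dn)
        if parent not in self.entries:
            raise KeyError(f"parent {parent!r} of {dn!r} does not exist")
        self.entries[dn] = dict(attrs)

    def children(self, dn):
        return [d for d in self.entries if self.parent_of(d) == dn]

    def is_container(self, dn):
        # Container objects hold other objects; everything else is a leaf.
        return bool(self.children(dn))

    def path_from_root(self, dn):
        """Parent/child chain from the root object down to dn."""
        chain = [dn]
        while chain[-1] != self.root:
            parent = self.parent_of(chain[-1])
            if parent is None:
                raise ValueError(f"{dn!r} is not below root {self.root!r}")
            chain.append(parent)
        return chain[::-1]

    def find(self, **attrs):
        """Read access: DNs of entries whose attributes all match the given values."""
        return [d for d, a in self.entries.items()
                if all(a.get(k) == v for k, v in attrs.items())]


def build_sample_directory():
    # Constructed sample data mirroring the user/computer attributes described above.
    d = Directory("dc=example,dc=com")
    d.add("ou=users,dc=example,dc=com", {"objectClass": "organizationalUnit"})
    d.add("ou=computers,dc=example,dc=com", {"objectClass": "organizationalUnit"})
    d.add("uid=jdoe,ou=users,dc=example,dc=com",
          {"uid": "jdoe", "givenName": "Jane", "sn": "Doe",
           "employeeNumber": "4711", "host": "ws-0042"})
    d.add("cn=ws-0042,ou=computers,dc=example,dc=com",
          {"cn": "ws-0042", "objectClass": "device"})
    return d
```

An application looking up a user's workstation would read the user entry's `host` attribute and resolve it with `find(cn=...)`, which is the kind of read-heavy access the next paragraph refers to.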
Numerous manufacturers offer software for directory services. Examples include Active Directory from Microsoft (see S 5.16 Active Directory) and Novell eDirectory (see S 5.9 Novell eDirectory). Other directory services are based on the free OpenLDAP package (see S 5.20 OpenLDAP), which is used on many Unix-based systems and also on Mac OS X, for example.
This module examines general security aspects of directory services regardless of which product is actually used. There are additional modules for product-specific security aspects in the IT-Grundschutz Catalogues that should be applied to the corresponding servers in addition to this module.
Threat scenario
Directory services are subject to a series of direct threats. They are also exposed to indirect threats via the underlying operating system.
The following typical threats to the IT-Grundschutz of directory services are assumed to exist:
Force Majeure
T 1.2 | Failure of the IT system |
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.2 | Insufficient knowledge of rules and procedures |
T 2.7 | Unauthorised use of rights |
T 2.123 | Lack of, or inadequate, planning of the use of directory services |
T 2.124 | Lack of, or inadequate, planning of partitioning and replication in the directory service |
T 2.125 | Lack of, or inadequate, planning of access to the directory service |
Human Error
T 3.9 | Improper IT system administration |
T 3.13 | Passing on false or internal information |
T 3.16 | Incorrect administration of site and data access rights |
T 3.43 | Inappropriate handling of passwords |
T 3.87 | Improper configuration of directory services |
T 3.88 | Errors in the assignment of access rights |
T 3.89 | Errors in the configuration of LDAP access to directory services |
Technical Failure
T 4.10 | Complexity of access possibilities to networked IT systems |
T 4.13 | Loss of stored data |
T 4.33 | Poor-quality or missing authentication |
T 4.67 | Failure of directory services |
Deliberate Acts
T 5.16 | Threat during maintenance/administration work |
T 5.18 | Systematic trying-out of passwords |
T 5.19 | Abuse of user rights |
T 5.20 | Misuse of administrator rights |
T 5.65 | Denial of services in a database system |
T 5.71 | Loss of confidentiality of classified information |
T 5.78 | DNS spoofing |
T 5.85 | Loss of integrity of information that should be protected |
T 5.144 | Compromising of directory services due to unauthorised access |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
Directory services may already be integrated into an operating system, as is the case with Active Directory in Windows 2000 Server and later versions, or provided as stand-alone software components, such as the open source OpenLDAP package. Correspondingly, the security of the underlying operating system always needs to be taken into account when assessing the security of the data stored in a directory. However, operating system security is not covered in this module. You should refer instead to the corresponding descriptions for the secure operation of the operating system used in the modules in Layer 3.
When using a directory service, it is also necessary to handle the generic aspects found in the relevant modules in Layer 1. The security requirements of the directory service therefore need to be considered when creating the overall concepts (see S 1.6 Protection against malware, for example).
A series of security safeguards must be implemented in order to operate a directory service securely, starting in the conception phase and continuing through the purchasing phase to the operation phase. The steps to be taken to accomplish this, as well as the safeguards to be considered in each of the steps, are listed in the following.
Planning and design
Safeguard S 3.61 Introduction to directory service basics is recommended as an introduction and should be considered first. It contains an overview of the structure of a directory service and the associated terminology.
A requirements analysis must be performed before making any decision on which type of directory service could be used in the organisation. The use of the directory service must then be planned based on this foundation (see safeguards S 2.403 Planning the use of directory services and S 2.409 Planning of partitioning and replication in the directory service). It is vital to distribute the administrative tasks (see safeguard S 2.407 Planning the administration of directory services).
A security design and a security policy must be developed in this context (see S 2.404 Creating a security concept for directory services and S 2.405 Drawing up a security policy for the use of directory services). They must then be integrated into the context of existing security concepts and security policies, and it is also necessary to define supplementary policies specifically for directory services.
Extensive planning and conceptual work needs to be performed if it is necessary to migrate a directory service due to restructuring or updates to the information system (see safeguard S 2.408 Planning the migration of directory services).
Purchasing
After deciding to use a directory service, it is necessary to purchase software and any additional hardware required for it. Since a directory service can be used in a variety of ways, the selection and purchasing phases (see safeguard S 2.406 Selection of suitable components for directory services) depend on the operational scenarios planned.
Implementation
The directory service can be installed after the organisational and planning preparations have been completed and the decision regarding which directory service is to be purchased has been made. The following safeguards must be implemented for this purpose:
The installation creates the initial structure of the directory service (see S 4.308 Secure installation of directory services) and can only be considered complete after the directory service has been transferred to a secure state. This ensures that only authorised administrators will be able to access the directory service in the subsequent configuration phase.
An initial configuration of the directory service is specified after installation (see safeguards S 4.307 Secure configuration of directory services, S 4.309 Setting up access authorisations for directory services, and S 4.310 Setting up LDAP access to directory services).
The users and administrators of the directory service must receive adequate training in order to minimise security incidents and to point out and raise awareness of the possible risks of improper use of the directory service (see safeguards S 3.62 Training on the administration of directory services and S 3.63 Training users on authentication with the help of directory services).
Operation
After configuration and a test operation phase, regular operations can be initiated. The following security-related aspects must be taken into account in this phase:
Directory services are by their nature subject to constant change. It is therefore necessary to adapt the security-related configuration parameters accordingly (see safeguard S 4.78 Careful modifications of configurations). The aspects relevant to secure operation can be found in S 4.311 Secure operation of directory services, and the aspects relating to secure communications in particular can be found in S 5.147 Protection of communications with directory services.
In order to be able to determine the security status of a directory service, it is recommended to monitor the directory service continuously (see S 4.312 Monitoring directory services).
Disposal
If the organisation decides to take a directory service out of operation, then the remaining data and rights in particular must be deleted securely. However, there are also some points to be taken into account even when only part of a directory service is taken out of operation, and these points are described in detail in safeguard S 2.410 Orderly withdrawal of a directory service from operation.
Contingency Planning
In addition to the safeguards for securing the directory service during ongoing operations, the safeguards for contingency planning are also relevant. Information on this subject can be found in safeguards S 6.106 Creation of a business continuity plan for the failure of a directory service and S 6.107 Creation of data backups for directory services.
The bundle of security safeguards to be used for the "Directory Services" module is presented in the following:
Planning and design
S 2.403 | (A) | Planning the use of directory services |
S 2.404 | (A) | Creating a security concept for directory services |
S 2.405 | (A) | Drawing up a security policy for the use of directory services |
S 2.407 | (A) | Planning the administration of directory services |
S 2.408 | (Z) | Planning the migration of directory services |
S 2.409 | (B) | Planning of partitioning and replication in the directory service |
S 3.61 | (W) | Introduction to directory service basics |
Purchasing
S 2.406 | (B) | Selection of suitable components for directory services |
Implementation
S 3.62 | (A) | Training on the administration of directory services |
S 3.63 | (A) | Training users on authentication with the help of directory services |
S 4.307 | (A) | Secure configuration of directory services |
S 4.308 | (A) | Secure installation of directory services |
S 4.309 | (A) | Setting up access authorisations for directory services |
S 4.310 | (B) | Setting up LDAP access to directory services |
Operation
S 4.78 | (A) | Careful modifications of configurations |
S 4.311 | (A) | Secure operation of directory services |
S 4.312 | (B) | Monitoring directory services |
S 5.147 | (C) | Protection of communications with directory services |
Disposal
S 2.410 | (B) | Orderly withdrawal of a directory service from operation |
Contingency Planning
S 6.106 | (Z) | Creation of a business continuity plan for the failure of a directory service |
S 6.107 | (C) | Creation of data backups for directory services |