T 2.69 Lack of, or inadequate, planning of the use of Novell eDirectory

As a tool for resource management in networks, eDirectory is designed for use in a heterogeneous IT environment on numerous supported operating systems. The security of the overall system naturally depends on the security of every subsystem. The security of the operating system, and specifically of the file system, forms the basis for the security of eDirectory.

Since both eDirectory and the available client software can be installed and operated on numerous operating systems, a large variety of operating-system-specific security settings may have to be configured in each case. This increases the planning effort and requires corresponding knowledge of all operating systems involved. There is therefore a risk, especially if the overall solution is very heterogeneous, that the use of eDirectory is not planned with sufficient detail and thoroughness.

Planning the tree structure and mapping the company's infrastructure inside it are very important for using eDirectory in the intranet. In the event of erroneous planning, there is the risk of inconsistencies and excessive complexity in the directory service structure. This may result in misconfigurations or improper and/or poor operation of the system.

The global tree structure of the eDirectory directory has a large impact on the security of an eDirectory installation. Problems may arise in particular when different sub-trees have different security requirements or belong to different organisational units. Because rights are inherited implicitly down the tree and the rules for determining the effective rights actually applying to an individual object are complex, high demands are placed on the planning of the system.
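To make the inheritance problem concrete, the following is an added example (not part of the original catalogue text and not Novell code) that models, in simplified form, how eDirectory arrives at the effective object rights of a user: rights assigned to a trustee on a container flow down to every object below it, an Inherited Rights Filter (IRF) on a sub-tree masks what is allowed to flow in (in eDirectory this can block even the Supervisor right), an explicit assignment on an object replaces whatever the same trustee inherited, and the user's effective rights are the union over all of its security equivalences (itself, [Public], [Root], its parent containers and its groups). The object names, the small sample tree and the five-letter right set S/B/C/D/R (Supervisor, Browse, Create, Delete, Rename) are constructed for illustration; real eDirectory also has property rights and further rules that this model omits.

```python
"""Simplified model of eDirectory object-right inheritance and effective rights.

Added example for illustration; the tree, trustees and names are invented.
"""
from dataclasses import dataclass, field

# Object rights, abbreviated: Supervisor, Browse, Create, Delete, Rename.
ALL = frozenset("SBCDR")


def parent_of(dn):
    """Return the container of a DN, or None for the top object."""
    parts = dn.split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else None


@dataclass
class Tree:
    acl: dict = field(default_factory=dict)     # object DN -> {trustee DN: rights}
    irf: dict = field(default_factory=dict)     # object DN -> rights allowed to inherit
    groups: dict = field(default_factory=dict)  # user DN -> set of group DNs

    def grant(self, obj, trustee, rights):
        """Explicit trustee assignment on an object."""
        self.acl.setdefault(obj, {})[trustee] = frozenset(rights)

    def set_irf(self, obj, allowed):
        """Inherited Rights Filter: only these rights may flow into obj."""
        self.irf[obj] = frozenset(allowed)

    def security_equivalences(self, user):
        """Everything the user is implicitly or explicitly equivalent to."""
        eq = {user, "[Public]", "[Root]"}
        container = parent_of(user)
        while container:
            eq.add(container)
            container = parent_of(container)
        eq |= self.groups.get(user, set())
        return eq

    def rights_for_trustee(self, trustee, target):
        """Walk from the top of the tree down to target for one trustee."""
        chain = []
        dn = target
        while dn:
            chain.append(dn)
            dn = parent_of(dn)
        chain.reverse()                     # top object first
        rights = frozenset()
        for obj in chain:
            rights &= self.irf.get(obj, ALL)   # IRF masks inherited rights
            explicit = self.acl.get(obj, {}).get(trustee)
            if explicit is not None:
                rights = explicit              # explicit assignment replaces inherited
        return rights

    def effective_rights(self, user, target):
        """Union over all security equivalences; Supervisor implies all rights."""
        result = set()
        for trustee in self.security_equivalences(user):
            r = self.rights_for_trustee(trustee, target)
            if "S" in r:
                return ALL
            result |= r
        return frozenset(result)


# Constructed sample tree: one organisation with two sub-trees.
ORG = "O=Org"
FINANCE = "OU=Finance,O=Org"
PAYROLL = "CN=Payroll,OU=Finance,O=Org"
ADMIN = "CN=admin,O=Org"
FINADMIN = "CN=finadmin,OU=Finance,O=Org"
BOB = "CN=bob,OU=Sales,O=Org"


def build_tree():
    """Tree-wide admin plus default Browse for everyone, no filters yet."""
    t = Tree()
    t.grant(ORG, ADMIN, "S")
    t.grant(ORG, "[Public]", "B")
    t.grant(FINANCE, FINADMIN, "S")     # local administrator of the Finance sub-tree
    return t


if __name__ == "__main__":
    t = build_tree()
    print("admin on Payroll, no IRF:  ", sorted(t.effective_rights(ADMIN, PAYROLL)))
    # Finance has stricter requirements and filters everything but Browse.
    t.set_irf(FINANCE, "B")
    print("admin on Payroll, with IRF:", sorted(t.effective_rights(ADMIN, PAYROLL)))
    print("finadmin on Payroll:       ", sorted(t.effective_rights(FINADMIN, PAYROLL)))
    print("bob on Payroll:            ", sorted(t.effective_rights(BOB, PAYROLL)))
```

Running the block shows the planning pitfall the paragraph warns about: the moment the Finance sub-tree sets an IRF that passes only Browse, the tree-wide administrator is reduced to Browse on everything below it, while the locally assigned finadmin keeps Supervisor because an explicit assignment on the filtered container is not subject to that container's IRF. Whether such a lock-out is intended has to be decided when the sub-trees and their security requirements are planned, not discovered afterwards.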

The implicitly used CA (certificate authority) is an essential part of the security of eDirectory. Improper planning may have significant adverse effects on the security of the directory service in this case as well.

Planning the access options for a directory service constitutes a core issue for system security. This applies both to the use on the intranet and particularly to the use of eDirectory as LDAP server on the internet.

Furthermore, planning the administration of the directory service is an important issue. eDirectory allows a role-based administration concept to be implemented and administrative tasks to be delegated. This is particularly important with regard to security administration. Planning the administration requires the utmost diligence and care, since otherwise there is a risk of users unintentionally being granted access for which they are not authorised.

Moreover, the eDirectory software offers the iMonitor tool, which provides web-based monitoring access to the eDirectory servers and the directory system. If the use of this functionality is not planned properly, unauthorised users may gain access to internal information about the eDirectory installation.

Regarding the operation of eDirectory, partitioning the directory service and its replication are important items. Here, poor planning may result in poor performance, inconsistencies regarding data storage, and losses of data in the worst case.

The eDirectory directory service allows role-based administration of the directory database as well as delegation of individual administrative tasks. The administrative roles and the delegation options must therefore be planned in accordance with the security policy to be specified (see S 2.238 Specification of security guidelines for Novell eDirectory). If the administrative tasks are not planned at all, or are planned incorrectly, there is a risk of the system being administered insecurely or poorly.

eDirectory allows directory data to be synchronised with other directory services using DirXML. DirXML consists of a core (engine) and specialised drivers (e.g. for Windows 2000 Active Directory, Lotus Notes, SAP R/3, Netscape, etc.) that exchange directory information in XML format. A third-party directory service may use the so-called publisher channel to inform eDirectory of changes; if the corresponding rights are assigned (depending on the system concerned in each case), these changes take effect in eDirectory. Conversely, the external directories may register with eDirectory via the subscriber channel in order to be informed of changes to the eDirectory data and to synchronise their own directory accordingly. This synchronisation requires detailed planning, because otherwise sensitive data could be copied automatically and unintentionally to an external computer, and existing data could be overwritten unintentionally. SSL may be used to protect the data in transit. Errors made during the planning phase may therefore cause a loss of integrity and confidentiality of the directory data.

Finally, the use of login scripts for users and user groups must be planned. If this planning is lacking or inadequate, inconsistencies with the specified security policy may arise.

Furthermore, the following problems may also result from a lack of or improper planning: