S 2.238 Specification of security guidelines for Novell eDirectory

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator

As one of the main organisational tasks when planning the use of eDirectory, a security policy must be drawn up first. This security policy specifies which security regulations should apply to an eDirectory system and how these must be implemented during system installation.

The eDirectory security policy should specify rules for all topics relevant to security for an eDirectory directory service. The following list provides a rough overview of the areas to be regulated by such a policy. The list must be adapted, specified in detail, and expanded according to the operational scenarios existing in the government agency and/or company.

General information:

• How should eDirectory servers be secured physically?
• Which eDirectory components, e.g. ConsoleOne and iMonitor, should be used?
• Which tree structure should be selected?
• How is this tree structure partitioned?
• Are the schemes changed?
• Which object classes may be used with which sets of attributes?
• Which replications of which type should be generated?
• Which computers are eDirectory servers and which computers contain a replica?

Assigning rights:

• Which users should be allowed to exercise which rights?
• Which administrator should be allowed to exercise which rights?
• Which authentication methods should be selected?
• How is the inheritance of rights defined within the tree structure?
• Which security equivalences between objects or object classes are defined?

Administration:

• Which administrator roles are defined?
• Who is allowed to change schemes?
• Which administrative tasks may and/or should be delegated?

Data communication:

• Which data needs to be protected during communication?
• Which mechanisms must be used to protect the confidentiality, integrity, and authenticity of the data?

Certificate authority:

• Which parameters must be specified for the certificate authority?
• Who is allowed to change the certificate authority settings?
• Which objects must have certificates assigned to them?
• Which certificates will be used for SSL connections?

File system of the underlying operating system:

• Which authorisations to system files should be granted to the various administrators and users?
• Should encryption be used at the file system level?

LDAP:

• Which users are allowed to access the eDirectory using LDAP and under which conditions?
• Should anonymous login be supported?
• Which network applications are allowed to access the eDirectory using LDAP?
• Should LDAP communication be performed in general using SSL?
• Are user passwords allowed to be transmitted in plain text?

Client access to the eDirectory directory service:

• Which authentication method should be used or permitted?
• Which directory tree is allowed to be accessed from the network?
• Which resources are accessible from the network by which users?

Encryption of attributes:

• Should the secret store mechanism (available using the additional module secure login) be used for encrypting attributes?

Remote access to the system monitor and administration:

• Is using the iMonitor tool allowed?
• Who is allowed to use the iMonitor tool?
• How is the HTTPS protocol configured for this purpose?

These component-specific topics can be listed in the following chronological order:

1. Defining the eDirectory tree structure

The first step is to define the logical structure of the eDirectory tree, how it is divided into the organisation and organisational units, and in particular to define which servers are associated with which network resources to be administrated (see S 2.236 Planning the use of Novell eDirectory).

The next step is to make a decision regarding the objects stored in the directory service and their attributes. It may be necessary to change the scheme in the eDirectory. Furthermore, it is also necessary to specify the directory data partitions and define replicas at this point (see S 2.237 Planning of partitioning and replication in Novell eDirectory).

2. Specification of responsibilities

An eDirectory directory service should be operated securely by trained network administrators. At the same time, suitable substitution arrangements must be made within the framework of contingency planning. In general, a concept for role-based administration should be drawn up. Only authorised security administrators should be allowed to change eDirectory security parameters.

The responsibilities for the individual users of the eDirectory directory can be found in step 10.

3. Definition of naming conventions

In order to facilitate the administration of the eDirectory directory tree, unambiguous names should be used for the servers, applications, printers, users, user groups, and the additional eDirectory objects.

4. Specification of the rules for user accounts

Furthermore, the restrictions to be applied to all accounts or only to certain accounts must be specified before actually setting up the user accounts. This applies specifically to the rules governing passwords and to the response of the system to failed login attempts. In addition, rules regarding the creation of login scripts should be specified.

5. Setting up groups (organisational roles)

To simplify administration, user objects with the same requirements should be placed in a group. The corresponding eDirectory objects are referred to as organisational roles. User rights, access rights to the directory objects, and possibly any additional predefined functions are then assigned to the groups (organisational roles) instead of to individual user objects. The user objects inherit the rights and authorisations of the groups (organisational roles) they belong to. For example, it is conceivable to place all employees of one department in a single group (organisational role). In this case, user authorisations should only be assigned to individual users in exceptional cases and only when absolutely necessary.

6. Specification of the logging rules

In this step, the organisation must define which events generated by the eDirectory must be recorded in a log and which combinations of events must be reported to the security and/or system administrators. Furthermore, it is necessary to decide how long the event data collected will be retained.

7. Rules for data storage

It must be defined where user data will be stored (see S 2.138 Structured data storage). For eDirectory, the user data is stored only to eDirectory servers. Data is not stored locally on the hard disks of the individual clients. However, the question of data storage must be clarified at the level of the individual partitions. Databases should be classified in terms of their protection requirements, and the directory partitions should be created on correspondingly trustworthy and secure hosts. The highly confidential data of the security container must be taken into consideration in particular when defining the partitions.

8. Set up project directories

A suitable directory structure that supports the storage of objects should be specified to enable clear separation of the user-specific data (objects) from the project-specific data.

9. Assignment of access rights

It is necessary to define which attributes of the objects of the directory service will be shared and which data access rights should be assigned to these attributes.

10. Responsibilities of the administrators and users in the client/server network

In addition to assuming the network management tasks (see step 2), further responsibilities must be defined. It must be defined which administrator must assume which responsibilities in the eDirectory directory system. The responsibilities to be assumed may include the following, for example:

• administration of the eDirectory tree or individual partitions,
• administration of the scheme definition,
• administration of the CA and the key management objects (KMO),
• evaluation of the log files on the individual servers or clients,
• assignment of access rights,
• generation of new passwords and change of passwords and performance of data backups.

The users of an eDirectory directory service with client access will also need to assume certain responsibilities, especially when they have been granted the right to execute administrative functions.

In general, though, the users are only required to handle their own passwords for the login.

11. Training

Finally, it is necessary to specify which users will need to receive training on which aspects. Productive operation is only possible after the users have received adequate training. The administrators in particular must receive thorough training on the administration and security of eDirectory.

The security policies developed this way must be documented and the users of the eDirectory directory service must be informed to the required extent. When defining the security policy for eDirectory, it must be noted that this policy must be based on the hitherto applicable security policies of the government agency and/or company, must not contradict these security policies (consistency), and must not violate any applicable laws. In general, an eDirectory security policy is drawn up by correspondingly adapting existing regulations or expanding them accordingly, for example by adding additional requirements for certain components. It may be necessary under some circumstances to specify new regulations for functionality specific to eDirectory, e.g. iMonitor. It is generally true that eDirectory directory service planning is based on the corresponding security policies, but that this planning also has an influence on the security policies themselves (feedback process).

Review questions:

• Are all areas relevant to the intended use of eDirectory covered by the security policies?
• Has the logic structure of the eDirectory tree been defined and documented?
• Has an appropriate substitution arrangement been implemented for the eDirectory directory service?
• Are unambiguous names used for the servers, applications, printers, users, user groups, and the additional eDirectory objects?
• Are there provisions for setting up users and groups (organisational roles) in the eDirectory?
• Is there a provision governing the logging of events generated by the eDirectory?
• Is user data stored in accordance with its protection requirements classification?
• Does the eDirectory directory structure allow for separating user- and project-specific data (objects)?
• Has it been defined which attributes of the objects of the eDirectory directory service will be shared and which data access rights should be assigned to these attributes?
• Have all users been informed of the eDirectory security policies?