S 2.318 Secure installation of an IT system
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
When the planning of a new IT system (see S 2.315 Planning the use of servers and S 2.321 Planning the use of client-server networks) is complete and a security policy (see S 2.316 Defining a security policy for a general server and S 2.322 Defining a security policy for a client/server network) has been created, the system can be installed.
It is advisable to first create a short installation concept on the basis of the functional planning requirements and the specifications of the security policy. As a rule, installation should be carried out in two stages: first, a basic system is installed and configured; then the required services and applications are set up. The installation programs of most operating systems support this two-stage approach to a greater or lesser degree.
It will not be necessary to repeat all of the described steps for each new IT system. This may even be counterproductive as constant repetition increases the risk of errors. Therefore, it is recommended to carry out the described steps once and very carefully on a reference system while precisely documenting the required configurations. In this way, an adapted installation concept for the respective operating system can be obtained. Note that this installation concept also has to be checked and, if necessary, adapted for changes made to the operating system which do not constitute a completely new release (service packs, update releases or similar).
With virtual IT systems, an individually adapted operating system is installed for each instance only in very rare cases. Usually a basic system is created once, copied into the instance and started as an independent clone; the required server services and application programs are then installed in the clone. New clones can be generated at any later time to create multiple instances with identical server services and application programs. The drawback is that bad decisions and incorrect settings made when the basic system was created are propagated to every instance cloned from it. All recommendations in this safeguard should therefore be observed carefully for the basic system and checked again for every single clone.
Installation
This safeguard only contains recommendations for the first installation steps and not for the final configuration for the intended purpose. Further configuration steps depend greatly on the respective system and application and are discussed in individual safeguards.
During installation and later configuration, at least the important steps have to be documented in such a way that they can be retraced later. For example, an installation checklist can be created on which the completed steps are ticked off and the settings used are recorded. This documentation is useful for error analysis and for a new installation at a later date. Bear in mind that it will also be used by administrators who are less specialised in this field than its author; it therefore has to be well structured and understandable.
If the IT system is installed from data media such as DVDs, it is recommended to carry out the installation and basic configuration offline or at least in a protected network (installation or administration network). During installation, other IT systems generally have to be denied access to the system being installed. This is essential because during installation passwords may not yet have been set and protection mechanisms may still be disabled, while network services may already be reachable. If several IT systems are to be installed partially via the network (e.g. by loading packages), an installation server in the administration network should be used.
With the operating system it is particularly important that the installed version comes from a trustworthy source. This applies especially when CD or DVD images are downloaded from the internet. In this case it is absolutely necessary to check whether digital signatures are available for the images and packages, and to use them to verify their integrity and authenticity (see also S 4.177 Assuring the integrity and authenticity of software packages). Note that a checksum published next to the image on the same download server only detects transmission errors; it does not prove authenticity, because anyone able to replace the image could replace the checksum as well. Authenticity is only established by a signature whose verification key was obtained through a separate, trustworthy channel. If possible, packages and images for which neither a digital signature nor a checksum from a trustworthy channel is available should not be used.
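The verification described above, as an added example that is not part of this safeguard or of any BSI or distributor tooling. It assumes a downloaded image system.iso, a checksum list SHA256SUMS in sha256sum format, its detached OpenPGP signature SHA256SUMS.gpg and a keyring file that holds only the distributor's published key (all hypothetical names). The self-check at the end runs on a constructed sample file; the signature function is shown but not exercised, because no key material is embedded.

```shell
#!/bin/sh
# Added example (not part of S 2.318, not a BSI or distributor tool):
# check a downloaded installation image against a checksum list and
# check the list's own detached signature before the image is used.
# All file names are hypothetical.
set -eu

# Verify an image against a sha256sum-style list ("<hash>  <name>").
# $1 = path to image, $2 = path to checksum list. Returns 0 on match.
verify_image_checksum() {
    dir=$(dirname "$1"); name=$(basename "$1")
    # Pick out only this image's line. A plain "sha256sum -c" on the
    # whole list would also complain about unrelated files that were
    # not downloaded, and "--ignore-missing" would pass silently if the
    # line for this image were absent from the list.
    line=$(grep -E "^[0-9a-f]{64} [ *]${name}\$" "$2") || {
        echo "no checksum entry for $name in $2" >&2; return 1; }
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --status)
}

# Verify the checksum list's detached signature against a keyring that
# contains ONLY the distributor's key, obtained out of band (not the
# user's default keyring, where any previously imported key would do).
# $1 = checksum list, $2 = detached signature, $3 = keyring file
verify_sums_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Self-check on constructed data: a fake image, its genuine checksum,
# then a tampered copy. Returns 0 only if the genuine image is accepted
# and the tampered one is rejected.
self_check() {
    tmp=$(mktemp -d)
    printf 'constructed sample image\n' > "$tmp/system.iso"
    (cd "$tmp" && sha256sum system.iso > SHA256SUMS)
    verify_image_checksum "$tmp/system.iso" "$tmp/SHA256SUMS" || return 1
    printf 'x' >> "$tmp/system.iso"            # simulate a corrupted download
    if verify_image_checksum "$tmp/system.iso" "$tmp/SHA256SUMS"; then
        return 1                                # a tampered image must not pass
    fi
    rm -rf "$tmp"
}

self_check && echo "checksum verification behaves as expected"
```

In a real installation the order matters: first verify_sums_signature on the downloaded SHA256SUMS (and abort if gpg does not report a good signature from the expected key), and only then verify_image_checksum on the image. The keyring file should be created from the distributor's key as published through a channel independent of the download mirror, and the fingerprint compared against that publication.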
The concept created in the planning phase (see S 2.315 Planning the use of servers and S 2.321 Planning the use of client-server networks) has to be implemented when the hard drives are partitioned. If an encrypted file system is to be used, it usually has to be set up before any data is copied to it, because in many cases an existing file system cannot be encrypted in place afterwards. With some RAID systems and levels, the RAID configuration likewise has to be completed before the respective file systems can be created.
Setting up the hardware and the boot loader
In the first installation stage only the hardware required to boot the system (e.g. RAID drives, encrypted file systems, etc.) and to continue the installation process (network cards if applicable) has to be configured. The remaining hardware can be set up in the second installation stage.
Following basic installation, a boot loader is usually installed and configured that loads the operating system when the system is started. In general, the boot loader provides a selection menu that can be used to choose between the various installed operating systems and configurations. The boot loader has to be configured very carefully or the system will not be able to start. The configuration has to be documented. At this point of the installation process, some systems also offer the possibility to create a boot medium that can be used to start the system in an emergency.
If clients and servers are not physically protected against unauthorised access, the boot loader should be protected by a password if possible. Otherwise anyone with access to the console could change the boot parameters, for example to start the system in single-user or rescue mode or from a different medium, and thus bypass the access controls of the installed operating system.
If logging of the system events has not been enabled automatically, this has to be done when the basic installation is complete at the latest. If any problems occur during the remaining installation and configuration, the logs may provide valuable information.
Updating
If the system is installed from a CD, DVD or another offline medium, it has to be checked once the basic installation is complete whether the manufacturer or distributor has published updates or security patches in the meantime (see also S 2.35 Obtaining information on security weaknesses of the system and S 2.273 Prompt installation of security-relevant patches and updates).
Installing the respective server services and application programs
When the operating system is installed and the basic configuration and updates are complete, the respective server services may be installed and configured. As a rule, both clients and servers require server services for remote administration. Servers require the actual server services in addition. Clients usually require installation and setup of graphical user interfaces and application programs. It is recommended to proceed in the same way as with the operating system.
Review questions:
- Is there an installation concept that takes the functional requirements and security-related specifications into account?
- Does the installation concept regulate the documentation of installation and configuration?
- Does the installation concept regulate offline installation and the use of trustworthy installation sources and media?