S 2.320 Orderly withdrawal from operation of servers
Initiation responsibility: Information Security Management, Head of IT
Implementation responsibility: Administrator
If a server is to be withdrawn from operation, this may not be done without preparation and without notifying the users. A number of safeguards must be implemented to ensure that
- no important data are lost,
- no services and systems dependent on the server are impaired, and that
- no sensitive data are left behind on the server's data media.
It is therefore especially important to gain an overview of which data are stored at which location on the system and from where they are accessed. Based on this information, a plan for withdrawing the server from operation should be drawn up. The following points should be taken into account when doing so:
- Data backup
Prior to withdrawing the server from operation, data that are still required must either be backed up or archived externally (e.g. on magnetic tapes, CD-ROMs or DVD-ROMs) or transferred to a backup system. After the backup, it should be checked whether all data have really been backed up correctly. Additional information on this subject can be found in modules S 1.4 Data backup policy and S 1.12 Archiving.
- Backup system
If the services provided by the server are still required, an appropriate backup system must be made available in due time. Appropriate resources must be provided for the corresponding planning, procurement and initial operation, see also S 2.319 Migration of servers.
- Informing the users
If the system is shut down without being replaced, the users must be informed of this in due time and given the opportunity to back up their own data, if required.
- Removing references to the system
While withdrawing a system from operation, references to the system must also be deleted. This includes, among other things, the deletion of the DNS entry and the entries in other directory services, as well as other references associated with the operating purpose. For example, if a web server is withdrawn from operation, references to this server still existing on the organisation's own web pages should be deleted.
- Deleting data on the system to be shut down
It must be ensured that no information requiring protection remains on the hard disks. It is not enough just to reformat the hard disks in this case; instead, the disks need to be completely overwritten at least once. It must be noted that neither logical deletion using the operating system's delete functions nor reformatting the disks actually removes the data from the hard disks. With the appropriate software, data can be reconstructed in these cases, often without great effort. Further information can be found in S 2.13 Correct disposal of resources requiring protection and in S 2.167 Selecting suitable methods for deleting or destroying data.
- Erasing data backup media
After withdrawing a system from operation, the corresponding data backup media also need to be erased or made unusable as soon as the data stored on them are no longer needed.
- Removal of other information
Server systems often contain additional data (for example configuration data) stored in non-volatile storage or have information written on them (for example the name of the computer, IP address, and other technical information). This information should be removed if possible before handing over the device, since such information could also be useful to an attacker in preparing attacks.
It is recommended to create a checklist based on the recommendations provided above that can then be used when withdrawing a system from operation. This helps to prevent individual steps from being forgotten.
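One verifiable step for the "Deleting data" point above, as an added example that is not part of the BSI safeguard text: a reformat or an operating-system delete leaves partition-table and filesystem signatures in place, so a decommissioning checklist can include a check that no such signatures survive after the overwrite pass. The image path, the signature table and the 2 MiB sample image are constructed for this example; on a real server the same check would be run against the block device itself.

```python
# Added example (not from the BSI text): verify a decommissioned disk image was really overwritten.
import os
import tempfile

# Well-known on-disk signatures (offset, bytes) that a reformat or "delete" leaves behind.
SIGNATURES = {
    "MBR boot signature": (510, b"\x55\xaa"),
    "ext2/3/4 superblock magic": (1080, b"\x53\xef"),  # s_magic 0xEF53, little-endian
    "NTFS OEM id": (3, b"NTFS    "),
}

def residual_signatures(path: str) -> list:
    """Return the names of partition/filesystem signatures still present in the image."""
    found = []
    with open(path, "rb") as fh:
        for name, (offset, magic) in SIGNATURES.items():
            fh.seek(offset)
            if fh.read(len(magic)) == magic:
                found.append(name)
    return found

def overwrite_image(path: str, block_size: int = 1 << 20) -> int:
    """Overwrite every byte of the image with zeros (one full pass); return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            chunk = min(block_size, size - written)
            fh.write(b"\x00" * chunk)
            written += chunk
    return written

def build_sample_image(path: str) -> None:
    """Constructed sample: 2 MiB image carrying an MBR signature and an ext4 superblock magic."""
    buf = bytearray(2 * 1024 * 1024)
    buf[510:512] = b"\x55\xaa"
    buf[1080:1082] = b"\x53\xef"
    with open(path, "wb") as fh:
        fh.write(buf)

def demo() -> tuple:
    """Run the check before and after the overwrite pass; returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "decommissioned.img")
        build_sample_image(img)
        before = residual_signatures(img)
        overwrite_image(img)
        after = residual_signatures(img)
    return before, after
```

An empty result after the overwrite is a necessary, not a sufficient, check: it catches a skipped or failed wipe, but the choice of overwrite method for the medium in question still follows S 2.167.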
Review questions:
- Is the availability of functions, services, and data taken into account when withdrawing a server from operation?
- Is there a plan for the procedure for withdrawing the server?