S 2.405 Drawing up a security policy for the use of directory services

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator, Head of IT

One of the next organisational tasks when planning the use of a directory service is to specify a security policy for the use of directory services based on the security concept (see M 2.404 Creating a security concept for directory services ). This security policy specifies exactly which security regulations should apply to a directory service system and how these regulations need to be implemented during the installation and operation of the system.

The directory service security policy should specify rules for all topics relevant to security for a directory service. These component-specific topics can be listed in the following chronological order:

1. Definition of the directory service tree structure

The first step is to define the logical structure of the directory service tree, how it is divided up in the organisation (which corresponds to the root element and therefore the top element of the tree) and in the organisational units (OUs), and in particular to define which servers are associated with which network resources to be administered (see M 2.403 Planning the use of directory services ).

The next step is to specify the type and scope of the objects stored in the directory service together with their attributes. It may be necessary to change the schema in the directory service. Furthermore, it is also necessary to specify the directory data partitions and define replicas at this point (see M 2.409 Planning of partitioning and replication in the directory service ).

2. Specification of responsibilities

A directory service should only be operated by trained network administrators. At the same time, suitable substitution arrangements must be made within the framework of contingency planning. In general, a concept for role-based administration should be created for the operation of the directory service. Only authorised administrators should be allowed to change directory service security parameters. The responsibilities of each user of the directory are illustrated below.

3. Definition of naming conventions

To make the administration of the directory tree easier, naming conventions should be specified so that the servers, applications, printers, users, user groups and the additional directory service objects all have unique names.

4. Specification of the rules for user accounts

Furthermore, the restrictions to be applied to all accounts or only to certain accounts must be specified before actually setting up the user accounts.

This applies especially to the rules for passwords and for the response of the system to failed login attempts. In addition, rules regarding the creation of login scripts should be specified.

5. Configuring groups

To simplify administration, user objects with the same requirements should be placed in a group. User rights, access rights to the directory objects and any additional predefined functions can then be assigned to the groups instead of to individual user objects. The user objects inherit the rights and authorisations of the groups to which they belong. It is conceivable, for example, to place all employees in a department in a single group. In this case, user authorisations should only be assigned to individual users in exceptional cases and only when absolutely necessary.

6. Specification of the logging rules

In this step, the organisation must define which events generated by the directory service need to be recorded in a log and which combinations of events must be reported to the administrators. Furthermore, it is necessary to decide how long the event data collected will be retained.

7. Rules for data storage

It is necessary to specify where user data will be stored and how this data will be protected (see M 2.138 Structured data storage ). Data should not be stored locally on the hard disks of the individual clients. The question of data storage must also be settled at the level of the individual partitions. Databases should be classified in terms of their protection requirements, and the directory partitions should be created on correspondingly trustworthy and secure hosts. Highly confidential data in particular must be taken into account when defining the partitions.

8. Set up project directories

A suitable directory structure that supports the storage of objects should be specified to enable clear separation of the user-specific data (objects) from the project-specific data.

9. Assignment of access rights

It is necessary to define which attributes of the objects of the directory service will be shared and which data access rights should be assigned to these attributes.
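Steps 5 and 9 together describe rights that are granted per attribute to groups and inherited by the group members, with direct grants to individual users reserved for exceptions. The following added example (not from the BSI safeguard; the users, groups, attributes and rules are constructed, and the three-level right model is an assumption) resolves a user's effective right on an attribute from group membership and lists the individual grants that go beyond what the groups already allow, which are the exceptions the policy says must be justified.

```python
"""Resolve effective attribute rights from group membership.

Added illustration, not from the BSI safeguard: the memberships, the
attribute rules and the none < read < write right model are assumptions.
"""

# Constructed memberships: user -> groups the user object belongs to.
MEMBERSHIP = {
    "alice": {"Sales", "AllStaff"},
    "bob": {"HR", "AllStaff"},
    "carol": {"DirAdmins", "AllStaff"},
}

# Constructed attribute-level rules: (attribute, group) -> right.
# "*" stands for every attribute; the most permissive matching right wins.
RULES = {
    ("mail", "AllStaff"): "read",
    ("telephoneNumber", "AllStaff"): "read",
    ("homePhone", "HR"): "read",
    ("salary", "HR"): "write",
    ("*", "DirAdmins"): "write",
}

# Constructed individual grants: (attribute, user) -> right. Each is an exception.
INDIVIDUAL_GRANTS = {
    ("salary", "alice"): "read",
}

RANK = {"none": 0, "read": 1, "write": 2}


def group_right(user, attribute):
    """Right the user inherits on the attribute through group membership only."""
    right = "none"
    for group in MEMBERSHIP.get(user, set()):
        for key in ((attribute, group), ("*", group)):
            r = RULES.get(key)
            if r is not None and RANK[r] > RANK[right]:
                right = r
    return right


def effective_right(user, attribute):
    """Group-derived right, raised by an individual grant if one exists."""
    right = group_right(user, attribute)
    r = INDIVIDUAL_GRANTS.get((attribute, user))
    if r is not None and RANK[r] > RANK[right]:
        right = r
    return right


def exceptions_to_review():
    """Individual grants that give more than the groups already give.

    These are the cases the policy allows only when absolutely necessary,
    so each one should have a documented justification.
    """
    out = []
    for (attribute, user), r in sorted(INDIVIDUAL_GRANTS.items()):
        if RANK[r] > RANK[group_right(user, attribute)]:
            out.append((attribute, user, r))
    return out


if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        print(user, "salary:", effective_right(user, "salary"))
    print("exceptions:", exceptions_to_review())
```

Keeping the group rules and the individual grants in separate tables is the point of the exercise: the group table is what the policy defines, and the grant table should stay short enough to review by hand.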

10. Responsibilities of the administrators and users in the client/server network

In addition to performing the network management tasks (see above), it is also necessary to specify the responsibilities of the individual administrators in the directory system. The responsibilities to be assumed may include the following, for example:

The users of a directory service with client access will also need to assume certain responsibilities, especially when they have been granted the right to execute administrative functions. In general, though, the users are only required to handle their directory service passwords responsibly.

11. Training

Finally, it is necessary to specify which users will need to receive training on which aspects. The directory service can only be put into productive operation after the users have received adequate training. The administrators in particular must receive thorough training on the administration and security of a directory service.

The security policies developed must be documented, and the users of the directory service must be informed of the security policies to the required extent. It must be noted when defining the security policy for directory services that this policy must be based on the existing security policies of the organisation, must not contradict these security policies (consistency) and must not violate any applicable laws. In general, a directory service security policy is created by correspondingly adapting existing regulations or expanding them accordingly, for example by adding additional requirements for certain components. It may be necessary under some circumstances to specify new regulations for functionality specific to directory services. It is generally true that directory service planning is based on the corresponding security policies, but that this planning also has an influence on the security policies themselves (feedback process).

Review questions: