S 2.407 Planning the administration of directory services
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
The administration of a directory service requires careful planning. The planning should provide for an adequate division of the administrative tasks and of the corresponding administrator accounts. As a general rule, the administration of the directory service itself should be separated from the administration of the data held in the directory, for example by defining administrative roles such as "service administration" and "data administration", each with its own area of responsibility.
Service administrators should be responsible for setting up the directory service as a whole: specifying the directory-wide settings, installing and maintaining the directory software, and installing the operating system on the directory servers.
Data administrators, in contrast, should be responsible for administering the data stored in the directory service (and therefore held on its servers). They should not be able to configure or provision the service itself. Where possible, no single data administrator should be responsible for all of the data in the directory; data administrators usually administer a subset of the objects. To this end, the administrative rights of a given administrator account should be restricted to specific areas of the directory by means of the access control lists on the stored objects, and the restriction should be verified in practice, for example by binding as the delegated account and attempting a change outside its assigned area, which must be refused.
Some information needed for administering or configuring the directory service is itself held in directory objects. Although this information, such as trust relationships, the schema, or replication rules, is stored in the directory, it must be administered by the service administrators, because whoever controls it can control every other object in the directory. For this reason service administrators may also act as data administrators, but data administrators must never be given service-administration rights; doing so would dissolve the separation.
Furthermore, an extended administrative model can be planned for the directory service. The configuration of role-based administration and the delegation of administrative tasks affect the security of the directory service and therefore require special consideration. If the security administration is designed clearly, sensibly, and consistently, transparency and efficiency increase at the same time.
Every organisation needs to answer the following questions in the framework of planning the directory service administration:
- Which administrator groups are needed?
- Which administrative model will be implemented? Central or local administration?
- Which administrator roles should exist within the tree structure?
- Should administrative tasks be delegated? If so, to whom?
- Which objects may be accessed by which administrators over the various directory service interfaces?
The following security-related aspects should be considered when planning the administration of the directory service:
- Delegation is implemented by assigning access rights to directory objects and their attributes. Inheritance is normally used for this: a right granted on a container applies to the subtree beneath it. Complex delegation scenarios with several layers of inherited (and possibly blocked or overridden) rights should nevertheless be avoided. Such scenarios quickly become hard to oversee, and an incorrect configuration then easily opens a security gap that nobody notices.
- A global administrator account with full access rights to all objects of the directory service is generally created by default during the initial installation. This default should be changed as part of the initial installation: the rights should be distributed according to the administrative model defined in advance, so that the default account is no longer needed for routine administration and any use of it is exceptional and conspicuous.
- Where administrative tasks are delegated, the administrators concerned should be granted only the minimum rights needed to perform the tasks delegated to them.
- Administrative access to the root and top-level containers of the directory tree should be specially protected, because the authorisations granted there extend over the entire directory. If the protection requirements are correspondingly high, consideration should be given to applying the two-person rule before such access is possible, for example by splitting the password into two parts held by different persons (not by sharing one password among several persons).
- Schema changes are particularly critical operations and should only be performed (if at all) by authorised administrators after careful planning. The changes must be documented in detail.
- If a separate certification authority (CA) is integrated into the directory service, then its operation and administration must be planned according to the security policy created for this purpose.
- Administrative tasks should be delegated so that areas of responsibility do not overlap. Otherwise two administrators could make contradictory changes to the same objects, possibly on different replicas, which then leads to replication conflicts. An administration model without overlapping responsibilities reduces this risk. If replication conflicts are expected or have already occurred, the affected attribute values should be checked manually at regular intervals and always after important changes.
- The administrative delegation model and the rights assignments resulting from the model must be documented.
- For large directory services, consideration should be given to tool-based administration. Commercial as well as free tools exist for practically all directory services. If such tools are used, they must be configured and operated securely; in particular, the account under which a tool operates is itself an administrative account and must be scoped according to the same administrative model.
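As an added example that is not part of this safeguard text, the following OpenLDAP (slapd, cn=config) access rules implement the service/data split described in the paragraphs above and the delegation points in this list: only service administrators may touch the configuration database (schema, replication, overlays) and the administrator groups themselves, while a data-administrator group is confined to a single subtree with one rule and no nested exceptions. The suffix dc=example,dc=com, the group names and the database index {1}mdb are assumptions for illustration; adapt them before use.

```ldif
# Added example (not from the BSI text). OpenLDAP access rules implementing
# the service/data administration split. Assumed names:
#   dc=example,dc=com                              directory suffix
#   cn=Service-Admins,ou=Groups,dc=example,dc=com  service administrators
#   cn=People-Admins,ou=Groups,dc=example,dc=com   data admins for ou=People
# Both groups are groupOfNames entries, the default for group.exact.

# (1) The configuration database. Schema, replication (olcSyncrepl) and
#     overlay settings live here, so only service administrators get access;
#     data administrators are not even granted read. Local root over ldapi://
#     keeps access for installation and break-glass use; drop that clause if
#     the host's root user is not a service administrator.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by group.exact="cn=Service-Admins,ou=Groups,dc=example,dc=com" manage
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none

# (2) The data database. slapd evaluates the rules in order and the first
#     rule whose "to" clause matches the target decides, so the specific
#     rules come first and the catch-all comes last.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords under ou=People: the owner and the delegated data admins may set
# them; everyone else may only use them to bind (auth), never read them.
olcAccess: {0}to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
  by self write
  by group.exact="cn=People-Admins,ou=Groups,dc=example,dc=com" write
  by group.exact="cn=Service-Admins,ou=Groups,dc=example,dc=com" write
  by anonymous auth
  by * none
# Passwords anywhere else: the data admins of ou=People get nothing.
olcAccess: {1}to attrs=userPassword
  by self write
  by group.exact="cn=Service-Admins,ou=Groups,dc=example,dc=com" write
  by anonymous auth
  by * none
# The delegated area. This one subtree rule is the entire delegation; no
# further rules are nested beneath it, which keeps the model easy to audit.
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by group.exact="cn=People-Admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
# Group membership decides who is an administrator, so changing it is a
# service-administration task: data admins must not be able to add themselves.
olcAccess: {3}to dn.subtree="ou=Groups,dc=example,dc=com"
  by group.exact="cn=Service-Admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
# Catch-all for everything outside the delegated subtrees.
olcAccess: {4}to *
  by group.exact="cn=Service-Admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none

# (3) The rootdn of a database bypasses every rule above; it is the "global
#     administrator created by default". Once the group-based rules are in
#     place, remove its password so it cannot be used for routine work.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
```

Apply the file with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` and then verify the delegation rather than trusting it: `slapacl -D "uid=alice,ou=People,dc=example,dc=com" -b "cn=People-Admins,ou=Groups,dc=example,dc=com" member/write` (alice being an assumed member of People-Admins) must report that write is denied, and a live `ldapmodify` bound as that account against any entry outside ou=People must fail with result code 50 (insufficientAccessRights). The same pair of checks, run after every change to the rules, is the practical form of the review question on restrictive, non-overlapping authorisations.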
Review questions:
- Are the administrative tasks for the administration of the directory service itself clearly separated from the data administration tasks?
- Are the authorisations in the administrative model of the directory service restrictive, and is it ensured that areas of responsibility do not overlap wherever possible?
- Are all administrative task areas and authorisations adequately documented?