S 2.410 Orderly withdrawal of a directory service from operation
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
If a decision is made to take a directory service out of operation, for example because it will be replaced by a newer version on new hardware, then the issues described below must be taken into account.
The withdrawal of a directory service from operation must be planned and executed with care. On the one hand, authorised users must still be able to log in and access the network resources they need; on the other hand, data and rights that are no longer needed must, for example, be securely deleted or permanently revoked.
Before withdrawing the directory service from operation, it must be checked whether a backup of the directory service data is available that can be used to restore the directory service in case there are problems in the network.
This also applies to encrypted data that is stored on other computers in the organisation's network but whose corresponding key information is part of the directory service. If the directory service contains a certification authority, then cryptographic keys and certificates may be affected by withdrawing the service from operation. In this case, it must be examined whether it is necessary to explicitly back up the key material.
If the directory service to be taken out of operation provides information that is still needed for certain purposes or applications, then it must be ensured that this information is available to the required extent from other data sources.
Deletion/disposal of the storage media
The storage media of all affected computers must be securely deleted before they are reused (see S 2.167 Selecting suitable methods for deleting or destroying data). If it is planned to dispose of the hardware, then it must be disposed of in a secure manner (see S 2.13 Correct disposal of resources requiring protection).
Deleting partitions from the directory service
If a directory service is designed to be distributed, then individual directory service servers will often only store part of the entire name space in a given partition of the directory service. The other parts of the directory service contain references to the parts to be removed.
When taking a partition of the directory service out of operation, it must be ensured that there are no other partitions in the hierarchy of the directory service below the partition to be deleted. Otherwise these partitions would lose their references to the higher-level areas of the directory service in the name space and would therefore be completely unusable.
If such a partition or the corresponding directory service server is completely removed from the entire directory service, then all references to the parts removed must be deleted or correspondingly modified in the other components of the directory service. This includes references to the following information, among other information:
- References to objects and their attributes,
- Trust relationships,
- Indexes (catalogues),
- User administration,
- System monitors.
It must be noted that references in directory services belonging to external organisations could also be affected. When planning the withdrawal from operation, it is therefore necessary to ensure that the corresponding changes are also triggered at the external organisations affected by the withdrawal.
If the partition to be taken out of operation has a special role in the directory service, for example as a master or owner of a global index, then this role must be moved to another part of the directory service beforehand because otherwise it is impossible to guarantee the proper function of the directory service.
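The three checks described in this section (subordinate partitions, remaining references, special roles) can be run against an exported inventory before a partition is removed. The following is an added example and not part of the safeguard; the inventory layout, the function names and all distinguished names are constructed assumptions.

```python
# Added example. The inventory layout and every DN are constructed.

def rdns(dn):
    """Split a DN into normalised RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def is_below(dn, ancestor):
    """True if dn lies strictly below ancestor in the name space."""
    d, a = rdns(dn), rdns(ancestor)
    return bool(a) and len(d) > len(a) and d[-len(a):] == a

def in_scope(dn, target):
    """True if dn is the target partition itself or anything below it."""
    return rdns(dn) == rdns(target) or is_below(dn, target)

def withdrawal_blockers(target, inventory):
    """Return (kind, detail) findings to resolve before removing target."""
    findings = []
    for part in inventory["partitions"]:
        if is_below(part, target):  # would lose its link to the upper tree
            findings.append(("subordinate_partition", part))
    for ref in inventory["references"]:
        # References held by the partition being removed disappear with it.
        if rdns(ref["holder"]) == rdns(target):
            continue
        if in_scope(ref["points_to"], target):
            detail = f'{ref["holder"]} [{ref["kind"]}] -> {ref["points_to"]}'
            findings.append(("reference_to_remove", detail))
    for role, owner in inventory["roles"].items():
        if rdns(owner) == rdns(target):  # role must be moved beforehand
            findings.append(("role_to_move", role))
    return findings

ROOT, SALES, RESEARCH = ("dc=example,dc=org", "ou=sales,dc=example,dc=org",
                         "ou=research,dc=example,dc=org")
INVENTORY = {  # constructed sample data
    "partitions": [ROOT, SALES, "ou=emea," + SALES,
                   "ou=presales," + ROOT, RESEARCH],
    "references": [
        {"holder": ROOT, "kind": "object reference", "points_to": SALES},
        {"holder": RESEARCH, "kind": "trust relationship",
         "points_to": "OU=Sales, DC=example, DC=org"},
        {"holder": RESEARCH, "kind": "index", "points_to": "ou=lab," + RESEARCH},
    ],
    "roles": {"global index master": SALES, "schema master": ROOT},
}

if __name__ == "__main__":
    for kind, detail in withdrawal_blockers(SALES, INVENTORY):
        print(f"{kind}: {detail}")
```

Comparing DNs component by component, rather than as strings, keeps a sibling such as `ou=presales` from being mistaken for a partition below `ou=sales`.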
Review questions:
- When withdrawing the directory service from operation, is it ensured that further required rights and information are available from other sources, and that all other rights and information are deleted?
- Are external users informed when a directory service will be taken out of operation?
- When withdrawing individual partitions of a directory service from operation, is it ensured that no other partitions will be affected by the withdrawal?