S 3.62 Training on the administration of directory services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
The administration of a directory service requires detailed knowledge of the technology, of the basic concepts, as well as of the product used. If the administrators do not possess such knowledge, then this could quickly result in faulty configurations having a serious impact on security in the organisation. For this reason, the corresponding administrators must receive adequate training in this area.
Contents of the training program
Depending on the size of the network, the administration of a directory tree will generally be performed by a whole group of administrators with special tasks and spheres of activity rather than by a single administrator. This means that not all administrators of a directory will require the same kind of training. However, to guarantee secure operation, every administrator will need to have sufficient knowledge of the basics of the underlying operating systems in order to place his/her own tasks within the overall context.
Training programs should always cover and explain the following main points. The depth to which a given administrator needs to study the individual aspects depends on his/her qualifications and on the type of work he/she will be performing.
- Basic knowledge of authentication
  - Overview of the basic information security terminology needed for a directory service, such as the terms confidentiality, integrity, and availability
  - Procedures for identification and authentication, including definitions of the terms knowledge, ownership, and attribute as authentication factors
  - General methods of authentication based on knowledge, such as passwords, one-time passwords, challenge/response procedures, digital signatures, etc., and raising awareness of how to handle the authentication features
  - General methods of authentication based on ownership, for example tokens, smart cards, magnetic strip cards, etc.
  - Possible procedures for biometric authentication, such as fingerprint recognition, iris recognition, facial recognition, etc.
  - Advantages and disadvantages of single sign-on products (SSO products)
  - Requirements placed on the application environment of an SSO product, for example the requirements placed on the workstation of the administrator
  - Overview of the security functions of the SSO product used
  - General legal aspects of data protection when using directory services (e.g. presenting the problems related to data protection, publication of real names, legal aspects of directory services, and employee data in directory services)
  - General aspects of and information on authorisation management
- General basics of directory services
  - Method of operation of a directory service
  - Overview of the security mechanisms used by directory services in general, security administration
  - Tree structure and name resolution
  - Inheritance within the directory tree
  - Authentication methods used in a directory service
  - Physical protection required by all directory service servers, including their replicas
- Directory service
  - General: What needs to be taken into account when planning, configuring, and administering the directory service?
  - Schema administration
  - Partitioning
  - Replication, e.g. the mechanisms used for replication, default parameter settings used for the replication of the directory service content, the problems related to local administration of the directory service in connection with replication conflicts
  - Backup, e.g. the potential problems when creating backups of directory services, restoring directory service servers from backups, the safeguards to take when the directory service servers that define the tree structure fail
  - Assignment of rights, e.g. the assignment of access rights to directory service objects at the attribute level, inheritance of access rights and inheritance blockages, effective access rights, role-based administration, delegation of administrative tasks
  - Inheritance of rights and calculation of effective rights
- Basics of product-specific / special directory services
  - Product-specific method of operation of the directory service
  - Product-specific authentication methods of the directory service
- Public Key Infrastructure (PKI)
  - Method of operation of a PKI
  - Certificates and certificate types
  - What needs to be taken into account when planning a PKI?
  - Interaction via a PKI
  - Administration of the certificate server
- Secure Sockets Layer (SSL)
  - Basic method of operation of the SSL protocol
  - Configuration of SSL
- Lightweight Directory Access Protocol (LDAP)
  - LDAP access to the directory service
  - Possible user connections
- Administration and client software
  - Overview of the responsibilities of the administrators required for the secure operation of an SSO product
  - Overview of error messages that could be important for administrators
  - Overview of possible administrator privileges
  - Method of operation of the administration and client software
  - Authentication of the administration and client software
If decisions regarding role-based administration and the delegation of administration tasks need to be made when planning directory services, then the administrators also need to be trained accordingly for their particular tasks. Special emphasis should be placed on the group of schema administrators because these administrators have the ability to change the entire design of the directory tree database.
Administration of the directory service client software and LDAP access requires detailed knowledge of the configuration options of the system. The underlying operating system also plays a role in the definition of a security environment, especially for the file system security.
Review questions:
- Have all administrators received training on the security functions of the underlying operating system that are used by the directory service?
- Have all administrators received training on how to handle the relevant client and server security mechanisms in terms of the directory service?
- Have all administrators received additional training for their special tasks when role-based administration and delegation are used?