S 4.79 Secure access mechanisms for local administration
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Some active network components can be administered via local access. Such local access is usually implemented through a serial port (normally a V.24 and/or EIA-232-E interface, i.e. the RS-232 console port). The following safeguards must be taken into consideration for secure local access:
- The active network components and their peripheral devices, e.g. connected terminals, must be installed securely (see S 1.29 Adequate siting of an IT system).
- The local access for administering the components must be protected by software (e.g. a login with password and automatic logout on the console line) and/or mechanically (e.g. a lockable cabinet or port cover), so that an unauthenticated session cannot simply be opened by plugging in a cable.
- Any existing default password of the local access must be changed at commissioning, before the component goes into productive operation (information on selecting the new password can be found in S 2.11 Provisions governing the use of passwords).
- The security features of permanently connected terminals or computers, e.g. automatic screen lock or automatic logout, must be activated, since an unattended console session otherwise grants full administrative access to whoever reaches the device.
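The safeguards above are usually checked by reading the saved configuration of the component. The following script, added here as an example and not part of this safeguard or of any vendor's tooling, audits an IOS-style configuration dump for the three software-side points: a login on the console line, a non-zero exec-timeout (automatic logout), a disabled auxiliary port, and plaintext or well-known default passwords. The Cisco IOS command syntax, the two sample configurations and the list of default passwords are assumptions constructed for the example; the hostname and user name are hypothetical.

```python
"""Audit local (console/aux) access settings in an IOS-style configuration.

Added example for S 4.79; assumes Cisco IOS-like syntax. Both sample
configurations below are constructed for this example.
"""
import re

# Constructed list of well-known vendor defaults to flag (example values only).
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}

# Weak sample: no console login, session never times out, aux port open,
# reversible passwords still at vendor default.
WEAK_CONFIG = """\
!
hostname edge-sw1
enable password cisco
!
line con 0
 exec-timeout 0 0
line aux 0
 password cisco
 login
!
"""

# Hardened sample: local login on the console, 10-minute auto-logout,
# aux port disabled, non-reversible secrets (hash omitted in this sample).
HARDENED_CONFIG = """\
!
hostname edge-sw1
service password-encryption
enable secret 5 <hash-omitted>
username netadmin privilege 15 secret 5 <hash-omitted>
!
line con 0
 login local
 exec-timeout 10 0
 logging synchronous
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
!
"""


def parse_line_stanzas(config: str) -> dict[str, list[str]]:
    """Map each 'line <name>' stanza (e.g. 'con 0') to its indented subcommands."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment marker
        if raw[0] in " \t":
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        current = None  # any top-level command ends the previous stanza
        m = re.match(r"line\s+(.+)$", raw.strip())
        if m:
            current = m.group(1).strip()
            stanzas[current] = []
    return stanzas


def _never_times_out(subcmds: list[str]) -> bool:
    """True if the stanza contains 'exec-timeout 0 0' (session never expires)."""
    for cmd in subcmds:
        m = re.match(r"exec-timeout\s+(\d+)(?:\s+(\d+))?$", cmd)
        if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            return True
    return False


def audit_local_access(config: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: list[str] = []
    stanzas = parse_line_stanzas(config)

    # Console must require a login and must log out idle sessions.
    con = stanzas.get("con 0")
    if con is None:
        findings.append("con 0: no stanza, device defaults apply (typically no login prompt)")
    else:
        if not any(c == "login" or c.startswith("login ") for c in con):
            findings.append("con 0: no 'login'/'login local', console has no authentication")
        if _never_times_out(con):
            findings.append("con 0: 'exec-timeout 0 0', session never logs out automatically")

    # An unused auxiliary port should be disabled outright, not merely passworded.
    aux = stanzas.get("aux 0")
    if aux is not None and "no exec" not in aux:
        findings.append("aux 0: EXEC sessions still allowed (expected 'no exec')")

    # Plaintext / reversible (type 0 or 7) passwords, and vendor defaults.
    pw_re = re.compile(
        r"^(?:username\s+\S+(?:\s+privilege\s+\d+)?\s+)?(?:enable\s+)?"
        r"password(?:\s+([07]))?\s+(\S+)$"
    )
    for line in config.splitlines():
        line = line.strip()
        m = pw_re.match(line)
        if not m:
            continue
        findings.append(f"'{line}': plaintext/reversible password, use 'secret' instead")
        if m.group(2).lower() in DEFAULT_PASSWORDS:
            findings.append(f"'{line}': well-known default password still set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_local_access(cfg) or ["OK"]:
            print(" ", f)
```

Running the script lists five distinct problems for the weak sample and none for the hardened one. The check deliberately treats an absent `line con 0` stanza as a finding rather than as "nothing configured", because on the assumed platform the factory default is a console with no login prompt at all.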
Local administration offers the following advantages:
- The risk of passwords being intercepted is reduced, since the credentials never traverse the network.
- Administration remains possible even if the network segment the active component is located on, or the entire network, fails.
However, local administration also entails the following disadvantages:
- Active network components can generally be configured for local and/or central administration; no general recommendation for one configuration method can be given. It must be taken into account, however, that when a component is configured for exclusively local administration, central administration is no longer possible and every change must be made on site, directly on the component. In that case the response time in the event of a failure is also longer, since an administrator may first have to travel to the component's location.
- When implemented via a V.24 and/or EIA-232-E interface, local access is generally much slower than remote access over the network (a console line typically runs at 9600 bit/s, which matters when transferring configurations or firmware images).
Review questions:
- Is local access for administration of the active network components protected by software and/or mechanically?
- Are the default passwords of the local access changed at commissioning, before the component goes into productive operation?
- Have the security mechanisms of permanently connected terminals or computers been enabled (e.g. automatic screen lock, automatic logout)?