S 4.92 Secure operation of a system management system
Initiation responsibility: Head of IT, Information Security Management
Implementation responsibility: Administrator
To ensure secure operation of a system management system, which may consist of a number of different management tools (see S 2.171 Selection of a suitable system management product), the secure configuration of all components involved must be examined and ensured (see also S 4.91 Secure installation of a system management system). This includes appropriately securing the operating systems of the computers managed by the system management system, since these computers have parts of the management system installed on them in the form of software and/or data. It also includes placing the computers that perform central tasks for the management system (management servers, computers holding the management databases) in a secure location. In addition, secure data transmission must be ensured (see S 5.68 Use of encryption procedures for network communications).
Particular attention should be paid to the following aspects during operation of a management system:
- The hardware and software components newly added by the management system must be documented when the system documentation is updated.
- Changes to the management system itself must also be documented and/or logged.
- The business continuity handbook must be updated in the same manner. On the one hand, the restart and recovery plans in particular must be revised, because after the management system has been introduced many standard functions of the managed operating systems can only be executed with the aid of the management system's functions. On the other hand, the business continuity handbook must also contain instructions on how the managed systems can be made available to a sufficient degree within a short period of time without the management system (for example, in the event of total failure of central components), i.e. an emergency operation regulation (see also module S 1.3 Business continuity management).
- Access to the components or data of the management system is generally performed exclusively by the management system itself or other authorised system mechanisms (e.g. data backup system). Access must therefore be prohibited for normal users. In normal cases, this also applies to the role of the local administrator of an individual computer. If local components of the management system must actually be accessed directly on a computer in exceptional cases (e.g. for crash recovery or when installing new components, assuming the management system does not support this as part of its management function), this authorisation should be granted explicitly and only for performing this particular task.
- As part of the security strategy, the relevant authorisations must be defined. In the management area too, there is a division of roles between administrators and auditors, and depending on the product, also between administrators with different rights (e.g. work group administrator, divisional administrator). It is recommended to define specific roles and to set up users with authorisations matching these roles. In this manner, a user accessing the system is only granted rights to those components or data of the management system that are necessary for the task at hand. Depending on the management system, users are set up either in the management system itself or in the user administration of the computers. Where the system in use does not directly provide for the definition of different roles (such as administrator and auditor), the roles must be reproduced as closely as possible by creating separate user accounts (e.g. "Administrator", "Auditor", "Computer Admin", "Data Protection Officer") with corresponding authorisations. Depending on the system, these roles can only be reproduced incompletely and with some effort, because it may be necessary to assign and maintain the authorisations for each role explicitly on every system component (files, programs).
- Access to the management software must be protected by using secure passwords. The passwords should be changed at regular intervals according to the security strategy.
- Functions provided by the management software, which according to the management strategy should not be used, should be disabled if possible.
- The log files must be checked at regular intervals for anomalies (such as the execution of functions that are not supposed to be used). It is recommended to use log analysers for this, which may either be integrated into the management product or be available as additional software; these usually generate alarm messages (e.g. e-mail, pager) on the basis of specific rules.
- The management system should be integrity tested at intervals so that any unauthorised changes can be detected as early as possible. This applies in particular to all configuration data of the management system.
- If the system management system is also used to distribute software, the program data to be distributed must also be checked regularly for changes in order to prevent modified software from being distributed throughout the entire network.
- The response of the management system to a system crash should be tested. Depending on the management and security strategies, automatic restarting of the management system or local subcomponents of the system must be ensured. This prevents computers that are connected to the management system from being inaccessible to management for longer periods of time (see also S 6.57 Creation of an emergency plan for the failure of the management system).
- In the event of a system crash, the management databases must not be destroyed or become inconsistent. This prevents a potential attacker from exploiting provoked inconsistencies for an attack. For this purpose, the management system must either make use of a database system supporting relevant recovery mechanisms or implement these mechanisms itself (see S 2.170 Requirements to be met by a system management system). If these mechanisms are not provided by the chosen system (for example, if several management tools are used), the computers storing management information should be given the maximum possible level of security (including physical protection) (see modules of Layer 3).
- The management system should include an appropriate backup mechanism for backing up the management data or collaborate with a backup system. When older databases are restored from a backup, it must be taken into account that they usually have to be edited manually afterwards so that they match the current system configuration.
- Management databases that have been backed up must also be stored in such a manner that unauthorised third parties cannot gain access to them. The data is usually not stored in encrypted or otherwise protected form on the backup medium, which means that it can be read by anyone who possesses the backup program and a corresponding drive.
- The validity of the division into management domains and the associated responsibilities should be examined at regular intervals. This applies in particular when internal restructuring has been performed.
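As an added illustration of the regular log check and rule-based alerting recommended above (this example is not part of the IT-Grundschutz catalogue or of any management product), the following Python script scans management-system log lines against a small rule set: invocation of a function that is disabled under the management strategy, successful use by an account that is not a defined management role, repeated failed logins, and configuration changes outside a maintenance window. The line format, the rule parameters, the account names and the sample log are all constructed assumptions; a real product's log format and the functions actually disabled would have to be substituted.

```python
"""Rule-based anomaly check over management-system log lines.

Added example: the line format ('<ISO timestamp> <host> <account> <function>
<result>'), the rule parameters and the sample log are constructed assumptions,
not the format or policy of any real management product.
"""
import re
from collections import Counter
from datetime import datetime, time

# Assumed policy inputs, as they would follow from the management and security strategies.
DISABLED_FUNCTIONS = {"remote_shell", "agent_uninstall"}            # not to be used per management strategy
AUTHORISED_ACCOUNTS = {"mgmt_admin", "mgmt_auditor", "backup_svc"}  # role accounts allowed to use the system
MAINTENANCE_WINDOW = (time(6, 0), time(22, 0))                      # configuration changes expected inside this window
MAX_FAILED_LOGINS = 3

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<account>\S+) "
    r"(?P<function>\S+) (?P<result>OK|DENIED|FAILED)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyse(lines):
    """Apply the rules to an iterable of log lines; return a list of (rule, message) alerts."""
    alerts = []
    failed_logins = Counter()
    window_start, window_end = MAINTENANCE_WINDOW
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # A line that cannot be parsed is itself an anomaly: tampering or an unannounced format change.
            alerts.append(("unparseable", f"cannot parse line: {line.strip()!r}"))
            continue
        who = f"{ev['account']} on {ev['host']}"
        if ev["function"] in DISABLED_FUNCTIONS:
            alerts.append(("disabled_function", f"{who} invoked disabled function {ev['function']}"))
        if ev["result"] == "OK" and ev["account"] not in AUTHORISED_ACCOUNTS:
            alerts.append(("unauthorised_account", f"{who} is not an authorised management account ({ev['function']})"))
        if ev["function"] == "login" and ev["result"] == "FAILED":
            failed_logins[who] += 1
            if failed_logins[who] == MAX_FAILED_LOGINS:
                alerts.append(("failed_logins", f"{MAX_FAILED_LOGINS} failed logins for {who}"))
        if (ev["function"].startswith("config_") and ev["result"] == "OK"
                and not window_start <= ev["ts"].time() <= window_end):
            alerts.append(("outside_window",
                           f"{who} changed configuration at {ev['ts'].isoformat()} outside the maintenance window"))
    return alerts


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = [
    "2024-03-04T08:15:02 mgmt-srv1 mgmt_admin login OK",
    "2024-03-04T08:16:10 mgmt-srv1 mgmt_admin config_push OK",
    "2024-03-04T23:41:00 mgmt-srv1 mgmt_admin config_push OK",   # outside the maintenance window
    "2024-03-04T23:42:31 client-17 mgmt_admin remote_shell OK",  # disabled function
    "2024-03-05T02:10:05 mgmt-srv1 jdoe login FAILED",
    "2024-03-05T02:10:40 mgmt-srv1 jdoe login FAILED",
    "2024-03-05T02:11:12 mgmt-srv1 jdoe login FAILED",           # third failure triggers the rule
    "2024-03-05T02:12:44 mgmt-srv1 jdoe login OK",               # success for a non-management account
]

if __name__ == "__main__":
    for rule, message in analyse(SAMPLE_LOG):
        print(f"ALERT [{rule}] {message}")
```

The returned alert list is what a log analyser would route to e-mail or a pager; the thresholds, the window and the two sets at the top are the parameters an administrator tunes to the management strategy. Note that the check treats an unparseable line as an alert rather than skipping it, since a log an attacker can corrupt silently is of little use for the review this safeguard calls for.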
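As an added illustration of the integrity test for the management system's configuration data and for program data awaiting distribution (this example is not part of the catalogue or of any product), the following Python code records a SHA-256 baseline of a directory tree and, on a later run, reports files that were modified, added or removed. The directory layout, file names and contents used in demo() are constructed; the baseline format (a JSON map from relative path to digest) is likewise an assumption of this example.

```python
"""SHA-256 integrity baseline for management configuration data and software
packages awaiting distribution.

Added example: the directory layout, file names and contents used in demo()
are constructed; nothing here is taken from a real management product.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large distribution packages do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file below root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    # Store the baseline outside the tree it describes and where the management
    # system's own service accounts cannot write; otherwise whoever can alter the
    # data can also alter the record used to check it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def verify(root, baseline):
    """Compare the tree below root against a baseline; return changed paths by category."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed run: take a baseline, then tamper with a package and a config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mgmt"
        (root / "config").mkdir(parents=True)
        (root / "packages").mkdir()
        (root / "config" / "server.conf").write_text("remote_shell=disabled\n")
        (root / "packages" / "agent-1.0.pkg").write_bytes(b"\x7fELF constructed agent payload")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the checked tree
        save_baseline(build_baseline(root), baseline_file)
        clean = verify(root, load_baseline(baseline_file))
        # Simulated unauthorised changes: a trojaned package, a re-enabled function, an unapproved package.
        (root / "packages" / "agent-1.0.pkg").write_bytes(b"\x7fELF constructed agent payload + backdoor")
        (root / "config" / "server.conf").write_text("remote_shell=enabled\n")
        (root / "packages" / "extra.pkg").write_bytes(b"package nobody approved")
        tampered = verify(root, load_baseline(baseline_file))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The same check serves both the configuration data and the distribution packages: run it on the management server at the same interval as the log review, and again on data restored from a backup before that configuration is pushed out to the managed computers. Any legitimate change must be followed by a deliberate re-baselining, which should itself be one of the logged and documented changes to the management system.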
Review questions:
- Are changes to the management system and newly added hardware and software components documented and is the business continuity handbook updated accordingly?
- Is access to components or data of the management system restricted to the management system itself, is it prohibited for normal users, and is it granted only by explicit authorisation in exceptional cases?
- Are different roles with rights to access components or data of the management system defined for different tasks?
- Are secure passwords used for the management software and changed at regular intervals?
- Are all functions of the management software which are not intended to be used according to the management strategy disabled?
- Are the log files of the management software checked at regular intervals for anomalies?
- Are integrity tests performed on the management system at regular intervals to detect unauthorised changes as early as possible?
- If the system management system is used to distribute software: Are integrity tests performed on program data at regular intervals to detect unauthorised changes as early as possible?
- Is the response of the management system to a system crash tested in order to prevent the system from being inaccessible for longer periods of time?
- Are mechanisms available ensuring that the management databases remain consistent after a system crash of the management system?
- Is a backup procedure available to back up management data?
- Is the validity of the division into management domains and the associated responsibilities examined at regular intervals?