S 4.159 Secure operation of Novell eDirectory
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT
The security of a complex system must be permanently maintained during operation because it will be necessary to make changes during ongoing operations. Therefore, it is not sufficient to set a secure initial configuration (see S 4.153 Secure installation of Novell eDirectory, S 4.155 Secure configuration of Novell eDirectory and the corresponding safeguards S 4.154 Secure installation of the Novell eDirectory client software and S 4.156 Secure configuration of the Novell eDirectory client software).
After installation and initial configuration according to the eDirectory concepts and security policies defined in advance, the eDirectory servers are generally operated in a network. The security of such a network depends, on the one hand, on the initial configuration specified. On the other hand, another factor which significantly affects network security is the way configuration changes are performed during live operation. In particular, the side-effects of such changes, which may unintentionally open up security gaps under some circumstances, must also be taken into consideration.
The following aspects must be considered from the perspective of information security during the operation of an eDirectory directory system:
- The eDirectory certificate server plays an essential role in the access control mechanisms of the directory. The certificate server is installed on the first eDirectory server of an eDirectory tree. For every new object in the eDirectory, a separate pair of keys is generated automatically and stored on the certificate server. It is therefore particularly important to ensure the secure operation of this "first eDirectory server" in the tree. Not only the sensitive data stored there must be protected, but also its availability. It is therefore strongly recommended to replicate the eDirectory to different servers; in particular, at least one complete read/write replica should exist. If the "main server" has to be shut down for an important reason, or if it fails permanently, the nearest read/write replica can be declared the master replica and used to maintain operations.
- The security of an IT system always depends on the physical security of the servers and network components as well. This must also be ensured for operating eDirectory. Corresponding safeguards can be found in layer 2, for example in the modules S 2.4 Server room or S 2.9 Computer centre.
- Changes to an eDirectory directory system particularly result when external eDirectory or LDAP directories are imported into an existing eDirectory tree. In general, these newly imported directories will not have been integrated into the existing security structures yet.
In order to ensure that the defined security policy continues to be implemented consistently, the security settings of the imported directories must be configured immediately. The authorisations for importing new directories and for generating directory replicas must be assigned restrictively.
- A system must be monitored in order to be able to track its security status. The goal of such a monitoring function is to detect violations of the applicable security regulations, to detect any security gaps, and to detect misconfigurations that have the potential to open up security gaps. For this reason, a corresponding monitoring concept should be considered part of the security concept. It is generally impossible for the administrators to monitor complex systems such as eDirectory manually nowadays. Instead, monitoring must be performed automatically by corresponding system components or products obtained from third party vendors. The configuration of the system monitors also must be adapted regularly to reflect the changes made to a system. The recommendations for monitoring are summarised in S 4.160 Monitoring of Novell eDirectory.
- An important aspect of the security of an eDirectory system is the consistent administration of users and authorisations. Here, the administrative concept has an impact on the complexity of the tasks to be performed. Since it is easy to make mistakes when carrying out complex operations, the administrative tasks should be designed to be as simple as possible. This contributes to the maintenance of a secure system state. Therefore, a group-based access concept is absolutely necessary. In this way, the administration of database access rights is also substantially simplified and is less prone to error.
From a security perspective, it is also important to document all policies, rules, and processes affecting the operation of an eDirectory system. Operation manuals should be created for this purpose and they should be updated when changes are made to the system. Since the operation manuals contain security-relevant information, they must be stored in such a way that unauthorised access is prevented. Authorised administrators should have easy access to the manuals, however.
The recommendations provided here can only be of a general nature, since the maintenance of system security also depends on the local circumstances. For this reason, corresponding policies for secure operation of an eDirectory directory tree, which take local requirements into consideration, must be created right from the network planning phase. Under some circumstances, it may be impossible to securely configure certain mechanisms optimally. For example, this is the case if "old" applications that are only designed to use weak authentication or no authentication at all must be operated continuously. In this case, alternative countermeasures must be implemented at another location, for example at the organisational level, to reach an adequate level of security.
Potential security gaps can only be detected and/or avoided by competent administrators. For this reason, the training and continued education of the system administrators is an important safeguard (see also S 3.29 Training on the administration of Novell eDirectory). In addition, normal users must also be trained on security aspects (see also S 3.30 Training on the use of Novell eDirectory client software) so that they know the potential risks involved and are able to properly use the security mechanisms available.
The security settings and the log files of a server should be examined regularly. This may be performed manually or supported by tools. Otherwise, there is the risk that deviations from the security policies and security problems are not detected early and therefore not eliminated in due time either (see also S 4.160 Monitoring of Novell eDirectory).
Example: group-based access concept
An employee switches departments, and so the access rights must be adapted. If user-related access control lists (ACLs) are used, every directory object must be checked so that the user can be removed from or added to its ACL as required. If group-based ACLs are used, on the other hand, the user only has to be removed from or added to the relevant groups in the user administration; the change can be performed centrally on the user object.
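The department switch above, modelled as an added example in Python (not part of the BSI safeguard text): with user-based ACLs every directory object has to be edited and a single overlooked object leaves stale rights behind, whereas with group-based ACLs one membership change on the user object suffices. The object, group and user names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DirObject:
    name: str
    acl: dict = field(default_factory=dict)  # trustee (user or group) -> set of rights

def effective_rights(obj, user, memberships):
    """Rights the user holds on obj directly or through group membership."""
    rights = set(obj.acl.get(user, ()))
    for group in memberships.get(user, ()):
        rights |= obj.acl.get(group, set())
    return rights

def switch_dept_user_acls(tree, user, new_objects, rights, overlooked=()):
    """User-based ACLs: visit every object and edit its ACL; `overlooked` simulates misses."""
    edits = 0
    for obj in tree:
        if obj.name in overlooked:
            continue
        if obj.acl.pop(user, None) is not None:
            edits += 1
        if obj.name in new_objects:
            obj.acl[user] = set(rights)
            edits += 1
    return edits

def switch_dept_group_acls(memberships, user, old_group, new_group):
    """Group-based ACLs: one change on the user object, zero ACL edits."""
    memberships[user] = (memberships.get(user, set()) - {old_group}) | {new_group}
    return 0

def stale_access(tree, user, memberships, allowed):
    """Objects outside `allowed` on which the user still holds any rights."""
    return sorted(o.name for o in tree
                  if o.name not in allowed and effective_rights(o, user, memberships))

def demo():
    depts = {"Sales": ["SalesReports", "CRM"], "Finance": ["Ledger", "Payroll"]}
    rights = {"Browse", "Read"}
    # Variant A (constructed): alice is trustee on each Sales object; the admin overlooks CRM.
    tree_a = [DirObject(n, {"alice": set(rights)} if d == "Sales" else {}) for d, names in depts.items() for n in names]
    edits_a = switch_dept_user_acls(tree_a, "alice", depts["Finance"], rights, {"CRM"})
    stale_a = stale_access(tree_a, "alice", {}, set(depts["Finance"]))
    # Variant B (constructed): the department group is the trustee; alice is only a member.
    tree_b = [DirObject(n, {d: set(rights)}) for d, names in depts.items() for n in names]
    members = {"alice": {"Sales"}}
    edits_b = switch_dept_group_acls(members, "alice", "Sales", "Finance")
    stale_b = stale_access(tree_b, "alice", members, set(depts["Finance"]))
    return edits_a, stale_a, edits_b, stale_b
```

`demo()` returns the number of ACL edits and the objects with stale rights for both variants; the overlooked CRM object keeps alice's rights under variant A, while variant B needs no ACL edits at all.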
Review questions:
- Is the eDirectory certificate server replicated to different servers?
- Are the security settings adapted after changes to the eDirectory directory system?
- Are all policies, rules, and processes referring to the operation of an eDirectory system documented and up-to-date?
- Are the security settings and the log files of an eDirectory server subjected to regular checks?