S 4.242 Setting up a reference installation for clients
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
It is recommended to set up a reference installation for clients on which the basic configuration and every subsequent configuration change, update and patch can be tested before it is rolled out to the users' clients. This applies to the basic system settings, to security patches and updates, and equally to ordinary updates published by the manufacturer.
Such a reference installation can also simplify the installation of new clients: the preconfigured installation is copied in a suitable way to the computer to be set up ("cloning"). Ideally, only very few settings then need to be adjusted on the new client. A reference installation used to clone clients must be configured and tested with particular care, since any error in it is replicated to every client derived from it.
The reference installation must be structured so that the most important parameters of the hardware and software platform are the same for all systems derived from it. This does not necessarily mean that all clients must have an identical hardware and software configuration. The configurations of the different clients must, however, be sufficiently similar that the reference character of the installation is retained, i.e. a test result obtained on the reference installation is still meaningful for each derived client.
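The "sufficiently similar" requirement above is easiest to enforce if the reference parameters are recorded as a baseline and each client is compared against it before it is treated as derived from the reference. The following is an added illustration (not part of the safeguard text and not a tool from any catalogue): the baseline values, the client inventories and the parameter categories (OS build, security patches, packages, security settings, drivers) are all constructed assumptions. Parameters that carry the reference character (OS build, patch level, security settings) must match exactly, package versions may only deviate with a flagged result, and hardware-specific drivers are merely reported.

```python
"""Compare a client's inventory against the reference installation baseline.

Added example with constructed data; the baseline and the two sample
clients are assumptions, not values from any real installation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    parameter: str    # dotted path of the parameter that differs
    severity: str     # "critical", "major", "warning" or "info"
    reference: object # value recorded for the reference installation
    client: object    # value found on the client (None if absent)


# Constructed reference baseline (assumed values).
REFERENCE = {
    "os_build": "10.0.19045.3693",
    "security_patches": {"KB5031356", "KB5031455"},
    "packages": {"browser": "118.0.5993.89", "office": "16.0.16827", "av-agent": "4.2.1"},
    "settings": {"firewall_enabled": True, "autorun_disabled": True,
                 "users_are_local_admins": False},
    "drivers": {"nic": "22.4.1", "gpu": "31.0.15"},
}

# Constructed client inventories (assumed values).
CLIENT_OK = {                       # same image, different graphics hardware
    "os_build": "10.0.19045.3693",
    "security_patches": {"KB5031356", "KB5031455"},
    "packages": {"browser": "118.0.5993.89", "office": "16.0.16827", "av-agent": "4.2.1"},
    "settings": {"firewall_enabled": True, "autorun_disabled": True,
                 "users_are_local_admins": False},
    "drivers": {"nic": "22.4.1", "gpu": "30.0.14"},
}
CLIENT_DRIFTED = {                  # missing patch, privilege change, untested software
    "os_build": "10.0.19045.3693",
    "security_patches": {"KB5031356"},
    "packages": {"browser": "118.0.5993.89", "office": "16.0.16827",
                 "av-agent": "4.2.1", "game": "1.0"},
    "settings": {"firewall_enabled": True, "autorun_disabled": True,
                 "users_are_local_admins": True},
    "drivers": {"nic": "22.4.1", "gpu": "31.0.15"},
}


def compare_client(client, reference=REFERENCE):
    """Return the list of deviations of a client from the reference baseline."""
    devs = []
    # OS build: the platform the tests ran on, exact match required.
    if client.get("os_build") != reference["os_build"]:
        devs.append(Deviation("os_build", "critical", reference["os_build"], client.get("os_build")))
    # Security patches: a missing one is critical, an extra (untested) one a warning.
    ref_p, cl_p = set(reference["security_patches"]), set(client.get("security_patches", ()))
    for kb in sorted(ref_p - cl_p):
        devs.append(Deviation(f"security_patches.{kb}", "critical", "installed", "missing"))
    for kb in sorted(cl_p - ref_p):
        devs.append(Deviation(f"security_patches.{kb}", "warning", "not in reference", "installed"))
    # Packages: absent package is critical, other version major, untested extra a warning.
    ref_pk, cl_pk = reference["packages"], client.get("packages", {})
    for name, ver in ref_pk.items():
        if name not in cl_pk:
            devs.append(Deviation(f"packages.{name}", "critical", ver, None))
        elif cl_pk[name] != ver:
            devs.append(Deviation(f"packages.{name}", "major", ver, cl_pk[name]))
    for name in sorted(set(cl_pk) - set(ref_pk)):
        devs.append(Deviation(f"packages.{name}", "warning", None, cl_pk[name]))
    # Security-relevant settings: any difference invalidates the reference character.
    cl_s = client.get("settings", {})
    for key, val in reference["settings"].items():
        if cl_s.get(key) != val:
            devs.append(Deviation(f"settings.{key}", "critical", val, cl_s.get(key)))
    # Drivers are allowed to differ between hardware models; report only.
    cl_d = client.get("drivers", {})
    for name, ver in reference["drivers"].items():
        if cl_d.get(name) != ver:
            devs.append(Deviation(f"drivers.{name}", "info", ver, cl_d.get(name)))
    return devs


def retains_reference_character(client, reference=REFERENCE):
    """True if the client may still be regarded as derived from the reference."""
    return all(d.severity in ("warning", "info") for d in compare_client(client, reference))


if __name__ == "__main__":
    for label, client in (("CLIENT_OK", CLIENT_OK), ("CLIENT_DRIFTED", CLIENT_DRIFTED)):
        print(label, "derived from reference:", retains_reference_character(client))
        for d in compare_client(client):
            print(f"  [{d.severity}] {d.parameter}: reference={d.reference!r} client={d.client!r}")
```

The severity rules encode the distinction made in the text: hardware-specific parameters may differ without affecting the reference character, whereas a deviation in patch level or in a security setting means test results from the reference installation no longer apply to that client.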
When testing application programs and settings that affect the clients' users, it is extremely important that administrators do not test with administrator rights, but under a user ID that has the same authorisations and the same user environment settings as the users who will work with the system. Otherwise a test may succeed only because of privileges that ordinary users do not have, and the problem appears only after the rollout.
It can be advantageous to use different test systems for different types of tests, for example one or more systems for testing device drivers, system-related programs and operating system patches, and another system for tests of the application programs. In this case one must be aware, however, that certain interactions between the operating system environment and the application programs are then not covered. If special demands are made on the security of the clients, it can therefore become necessary to use test systems that are equipped and configured identically to the production clients for certain application scenarios.
Checklists should be drawn up for typical and frequently recurring test cases. Beyond documenting the test, they can also contribute to increasing efficiency and avoiding mistakes.
All tests should be documented in such a way that they can be reconstructed at a later point in time. This is necessary in particular for tests of security updates and new device drivers, where an erroneous configuration or a failed installation can leave the affected clients unable to access the network or even unable to start. Precisely in these cases, meaningful documentation can substantially reduce the time needed to detect and eliminate the error.
Review questions:
- Does a documented reference installation for clients exist?
- Do checklists for test cases exist?
- In the event of high protection requirements: Does a separate reference installation exist for every client type which can be used to rule out interaction of programs/updates?