S 4.250 Selection of a central, network-based authentication service
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
As a rule, every IT system must ensure that a user wishing to access it authenticates first. This is the only way to prevent unauthorised persons from gaining access to the services the system provides or to the data stored on it. The only exceptions to this rule are IT systems intended to be accessible to the public, such as public information services (for example public web servers) or similar systems.
After successful authentication, the system must ensure that a user is only able to access those services and data for which he or she has the corresponding authorisations.
In many cases, authentication is not performed for just a single service or a single system; instead, the same authentication data (e.g. a username and password) should be usable for different services and different systems. In such cases, a central network-based authentication service is needed so that the authentication data does not have to be administered and updated separately on every system in the network.
The most far-reaching form of this is a "single sign-on" solution in which authentication is performed centrally for all services offered in an IT network. The advantage of single sign-on is that users only need to log in once. Each user needs just one password or token and does not have to remember a variety of passwords or carry a number of tokens. The corresponding disadvantage is that an attacker who manages to log in once as a legitimate user (for example with a stolen password or token) gains access to all services in the IT network.
If a central, network-based authentication system will be used, then careful planning is especially important because the function and security of such a system are decisive factors for the security of the entire IT network.
The central authentication procedure can be implemented using a central authentication system such as Kerberos. Kerberos has the additional advantage of being supported both on computers running Windows operating systems (Active Directory domains use it as their default authentication protocol) and on Unix systems.
The following describes in more detail the most important recommendations that need to be taken into account for the selection and use of a network-based authentication service:
Encryption of the network protocols
In contrast to local user administration, the critical information needed for a network-based authentication procedure is transmitted over a LAN or a WAN. For this reason, it is absolutely necessary to ensure that this information can neither be read nor changed during transmission.
In addition, it must be ensured that an attacker cannot log in by resending recorded login information (a replay attack). For this reason, the login information exchanged between client and server for the purpose of authentication must be encrypted, and the authentication procedure must be made dynamic, for example using a challenge/response procedure: the server issues a fresh, unpredictable challenge for every login attempt, the client proves knowledge of the secret by answering that specific challenge without sending the secret itself, and the server accepts each challenge only once, so that a recorded exchange is worthless to the attacker.
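The following is an added example, not part of the safeguard text and not the protocol used by Kerberos or any particular product. It shows the three properties demanded above in working code: the password never crosses the network (only a salt, a challenge and a MAC do), each response is bound to a fresh server-chosen challenge, and a recorded exchange is rejected when replayed. The message layout, the user names, the key derivation parameters and the 30 s challenge lifetime are assumptions made for illustration.

```python
"""Challenge/response login with single-use challenges.

Added example, not part of the original safeguard text and not the protocol
of Kerberos or any other product. Message layout, user names and the 30 s
lifetime are assumed for illustration.
"""
import hashlib
import hmac
import os
import time

CHALLENGE_LIFETIME = 30.0   # seconds a challenge stays valid (assumed value)


def derive_key(password: str, salt: bytes) -> bytes:
    """Long-term key derived from the password. Both sides compute it; the
    server stores only this key and the salt, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def compute_response(key: bytes, username: str, challenge: bytes) -> bytes:
    """Client proof: a MAC over the user name and the server's challenge."""
    msg = b"login|" + username.encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.users = {}             # username -> (salt, key)
        self.open_challenges = {}   # challenge -> (username, issued_at)
        self.used_challenges = set()

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str, now=None):
        """Message 1 (server -> client): the user's salt and a fresh random challenge."""
        if username not in self.users:
            return None
        c = os.urandom(16)
        self.open_challenges[c] = (username, now if now is not None else time.time())
        return self.users[username][0], c

    def verify(self, username: str, challenge: bytes, response: bytes, now=None) -> str:
        """Check of message 2 (client -> server). Returns "ok" or the failure reason."""
        entry = self.open_challenges.pop(challenge, None)   # every challenge is single use
        if entry is None:
            return "replay" if challenge in self.used_challenges else "unknown challenge"
        self.used_challenges.add(challenge)
        owner, issued = entry
        if owner != username:
            return "wrong user"
        if (now if now is not None else time.time()) - issued > CHALLENGE_LIFETIME:
            return "expired"
        expected = compute_response(self.users[username][1], username, challenge)
        return "ok" if hmac.compare_digest(expected, response) else "bad response"


def client_login(server: AuthServer, username: str, password: str):
    """Whole exchange from the client's side; returns the result plus the two
    values an eavesdropper on the network would see (challenge and response)."""
    issued = server.challenge(username)
    if issued is None:
        return "unknown user", None, None
    salt, challenge = issued
    response = compute_response(derive_key(password, salt), username, challenge)
    return server.verify(username, challenge, response), challenge, response


def demo():
    """Legitimate login, then the recorded exchange replayed, then a wrong password."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed sample user
    result, challenge, response = client_login(server, "alice", "correct horse battery staple")
    replayed = server.verify("alice", challenge, response)     # attacker resends the capture
    wrong, _, _ = client_login(server, "alice", "guess")
    return result, replayed, wrong


if __name__ == "__main__":
    print(demo())   # ('ok', 'replay', 'bad response')
```

Two design points worth noting: the server consumes the challenge before it checks anything else, so even a response that turns out to be wrong cannot be tried again against the same challenge, and the comparison uses a constant-time function so that the MAC check does not leak timing information. A production server would also answer requests for non-existent users with a dummy challenge rather than an error, so that the first message cannot be used to enumerate valid user names.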
Protection of the authentication server
Generally, all information needed for authentication is stored on a central server. For this reason, it must be ensured that unauthorised persons cannot gain access to this critical information. An authentication server must be carefully protected at all levels (the protection requirement of an authentication server is comparable to that of a security gateway). This includes the following types of protection, among others:
- It should be installed in a separate server room. The safeguards to implement in this case are described in module S 2.4 Server room. If a server room is not available, then the authentication server can be installed in a server cabinet as an alternative (see module S 2.7 Protective cabinets).
- It may only be installed in a protected network.
- Only the required services and, if possible, no other services should be available on an authentication server. At a minimum, no other services with lower protection requirements such as a web server should be available. In addition, only programs needed for operation should be installed.
- Suitable personnel with sufficient resources must also be available to design and operate an authentication server. The amount of time required to operate an authentication server should not be underestimated. The evaluation of the recorded log data alone usually takes a lot of time. The administrators must possess in-depth knowledge of the IT components used and must receive the corresponding training.
- Only administrators should be able to log on to this system. The assignment of administration rights must be documented with care, and changes that are critical to security should be checked by a second person (four-eyes principle). Administrators should use strong authentication methods for their own login. Administration of the authentication server should only be possible over a secure access path, for example over a secure console, over an encrypted connection, or in a separate administration network.
- The proper configuration of an authentication server is essential to the secure operation of the server. Errors in the configuration can lead to security gaps or failures. The best possible configuration must be documented with care.
- The operating system and the programs on an authentication server must be kept at a secure patch level; security updates must be applied promptly after they have been tested.
- Integrity tests of the software used must be performed at regular intervals (see also S 4.93 Regular integrity checking). If a violation is detected, then the authentication server must be switched off.
- The events that need to be logged must be clearly documented (S 5.9 Logging on the server) in terms of where they are stored, how they will be evaluated, and with what frequency they will be evaluated.
- Authentication servers must be integrated into the organisation-wide data backup policy as well as into the contingency planning concept. When restoring data from backups, it must be ensured that the user administration and rights administration settings are up to date.
- For secure operation of an authentication server, it is necessary to check regularly if the security safeguards implemented are being followed properly. Regular audits must be conducted to ensure secure operation.
Furthermore, when authentication is performed centrally, the possible failure of the server or of the network must be taken into account (for example as the result of a denial-of-service attack). If all other computers in the network depend on the server for authentication, then a failure of this one server denies service to every system in the network. For this reason, it is recommended to use a high-availability system, which can be realised with the help of a redundant server (see S 6.43 Use of redundant Windows NT/2000 servers).
Since reliable authentication plays an important role in the security of every network, the secure and proper operation of the authentication server is particularly important. For this reason, the authentication procedure selected must be integrated into the existing organisation-wide security guidelines.
Passwords
Analogous to safeguard S 2.11 Provisions governing the use of passwords, suitable precautions need to be taken to ensure a high password quality.
Logs
The authentication system must be able to record the events mentioned in safeguard S 5.9 Logging on the server.
All log files should be stored centrally on the server. Since this allows detailed user profiles to be generated, unauthorised persons must be prevented from reading this information for reasons of data privacy.
If a central log server is used, then it should be guaranteed that the data transmitted cannot be intercepted and read. This can be accomplished using transmission protocols that allow encryption of the data, using a VPN connection, or using a separate network between the central authentication server and the log server, for example.
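The evaluation of the collected log data is the step that the text above says takes the most time, and it is only useful if it actually detects the events that matter for a central authentication service. The following is an added example, not part of the safeguard text: it evaluates authentication log lines for three patterns an administrator would want to see (a burst of failed logins from one source, a successful login from a source that has just produced such a burst, and repeated attempts against non-existent accounts). The line format, the host name "authsrv", the thresholds and the sample lines are all constructed for illustration; a real authentication server logs in its own format and the parser must be adapted to it.

```python
"""Evaluation of centrally collected authentication logs.

Added example (not from the original safeguard text). The line layout, host
name, thresholds and sample lines are assumed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> authsrv login key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) authsrv login (?P<kv>.+)$")

# Constructed sample log lines (not real data)
SAMPLE_LOG = """\
2024-03-04T08:00:01Z authsrv login result=FAIL user=alice src=198.51.100.7 reason=bad-password
2024-03-04T08:00:09Z authsrv login result=FAIL user=alice src=198.51.100.7 reason=bad-password
2024-03-04T08:00:17Z authsrv login result=FAIL user=alice src=198.51.100.7 reason=bad-password
2024-03-04T08:00:26Z authsrv login result=FAIL user=alice src=198.51.100.7 reason=bad-password
2024-03-04T08:00:33Z authsrv login result=FAIL user=alice src=198.51.100.7 reason=bad-password
2024-03-04T08:00:41Z authsrv login result=SUCCESS user=alice src=198.51.100.7
2024-03-04T08:02:10Z authsrv login result=FAIL user=bob src=10.0.0.5 reason=bad-password
2024-03-04T08:02:20Z authsrv login result=SUCCESS user=bob src=10.0.0.5
2024-03-04T08:05:00Z authsrv login result=FAIL user=admin src=203.0.113.9 reason=unknown-user
2024-03-04T08:05:02Z authsrv login result=FAIL user=root src=203.0.113.9 reason=unknown-user
2024-03-04T08:05:04Z authsrv login result=FAIL user=test src=203.0.113.9 reason=unknown-user
this line is not an authentication event and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for one login record, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def evaluate(lines, window=timedelta(minutes=5), fail_threshold=5, enum_threshold=3):
    """Return a sorted list of (finding, source address, detail) tuples."""
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    findings = set()
    fails = defaultdict(list)    # src -> timestamps of recent failed logins
    unknown = defaultdict(set)   # src -> user names tried that do not exist

    for r in events:
        src = r["src"]
        # keep only failures inside the sliding window ending at this event
        fails[src] = [t for t in fails[src] if r["ts"] - t <= window]
        if r["result"] == "FAIL":
            fails[src].append(r["ts"])
            if len(fails[src]) >= fail_threshold:
                findings.add(("password guessing", src,
                              f"{len(fails[src])} failures within {window}"))
            if r.get("reason") == "unknown-user":
                unknown[src].add(r["user"])
                if len(unknown[src]) >= enum_threshold:
                    findings.add(("account enumeration", src, ",".join(sorted(unknown[src]))))
        elif r["result"] == "SUCCESS" and len(fails[src]) >= fail_threshold:
            # a success right after a burst of failures is a possible compromise
            findings.add(("success after failures", src, f"user {r['user']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(*finding)
```

The single mistyped password by "bob" is deliberately not reported; thresholds and the window length have to be tuned to the organisation's real traffic, otherwise the evaluation produces so many findings that nobody reads them, which is the failure mode the text warns about when it says that the time required for evaluation should not be underestimated.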
Review questions:
- Has the use of a central, network-based authentication service been carefully planned?
- Have the security requirements relevant for the selection of a central, network-based authentication service been documented?