S 4.307 Secure configuration of directory services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A directory service should be in a secure state after installation has been completed (see S 4.308 Secure installation of directory services) so that only authorised administrators are able to access the directory service during the subsequent configuration phase.
Depending on the operational scenario, the directory service configuration described below can be expanded by adding any number of functions that are not normally part of a pure directory service. In such cases, the security of each of these functions must be guaranteed by specifying suitable parameters in the configuration.
Typical configuration tasks for directory services include the following:
- configuration of the directory tree hierarchy,
- configuration of the object access rights,
- configuration of the inheritance filters,
- configuration of the administration roles,
- configuration of the delegation of administrative tasks,
- configuration of the users and user groups,
- distribution of the administrative tasks,
- configuration of the client access to the directory service,
- configuration of the partitions of the directory database,
- configuration of replication for the directory service,
- configuration of the interface used for synchronisation with external directory services, and
- configuration of the system monitors.
All these tasks apply to directory service software. However, it must not be forgotten that it is also necessary to securely configure the underlying operating system, and especially the configurations of the server access, network connections, and file system.
Any number of modules for adding functionality not normally available in a pure directory service could be added to the configuration procedure for a directory service. This includes the following:
- the LDAP server module, which allows LDAP clients to access user information,
- the tool that allows administrative access using a web browser,
- the console (tool) as an administration platform for the directory service,
- the certificate server, which is installed in the tree during the initial installation of a directory service server, and
- any additional modules desired.
Depending on the operational scenario and the range of functions offered by the directory service server, it will be necessary to examine which additional modules are needed to operate the directory service and should therefore be installed. Unused modules should not be installed, because every module installed can cause security problems when configured incorrectly.
A corresponding security plan must be drawn up for every module activated. This plan must then be implemented by specifying suitable configuration parameters (see also S 2.405 Drawing up a security policy for the use of directory services).
The security of a directory service system also depends on the security of the client software used to access it. For this reason, the client computers and client programs also need to be included in the planning of a secure directory service system configuration. Special safeguards need to be implemented for administrative accesses to the directory service.
The following general information should be considered in any case:
- The relevant safeguards in the IT-Grundschutz Catalogues for the respective underlying operating system also must be applied to secure the respective client installation.
- If the client software is to establish an LDAP connection to the directory service that is protected using SSL, the client must be provided with the corresponding root certificate that it can use to verify the authenticity of the SSL server certificate.
- The security of the directory service installation also depends on the integrity of the clients used for the purpose of administration. It is therefore particularly important to secure these clients.
An organisation can also develop its own client software that communicates with the directory service using the standardised LDAP interface (or some other interface designed for this purpose).
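As an added example, not part of the IT-Grundschutz catalogue text, the following Python script illustrates the client-side point above: an LDAP client that is not given a root certificate, or that is told not to verify the server certificate, cannot detect a forged directory service server. The script parses an OpenLDAP-style ldap.conf (the keys URI, TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT are OpenLDAP's; a weak and a hardened sample configuration are constructed here) and reports findings, and shows how a client written with Python's standard ssl module would build a connection context that requires server certificate verification.

```python
import ssl

# Constructed sample configurations (not from any real deployment).
# Weak: no root certificate configured and TLS_REQCERT never, so the
# client accepts any server certificate, including a forged one.
WEAK_LDAP_CONF = """\
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org
TLS_REQCERT never
"""

# Hardened: the organisation's root CA is supplied and the server
# certificate must validate against it (TLS_REQCERT demand).
HARDENED_LDAP_CONF = """\
BASE   dc=example,dc=org
URI    ldaps://ldap.example.org
TLS_CACERT /etc/ssl/certs/org-root-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {KEY: value} for an ldap.conf-style file.

    Keys are case-insensitive in OpenLDAP, so they are upper-cased here;
    '#' starts a comment and blank lines are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def check_client_tls(text):
    """Return a list of findings for an LDAP client configuration.

    An empty list means the client enforces TLS and verifies the server
    certificate against a configured root certificate.
    """
    s = parse_ldap_conf(text)
    findings = []
    uri = s.get("URI", "")
    if uri and not uri.lower().startswith("ldaps://"):
        findings.append(
            "URI does not use ldaps://; the connection is unprotected "
            "unless STARTTLS is enforced elsewhere")
    if "TLS_CACERT" not in s and "TLS_CACERTDIR" not in s:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: the client has no root "
            "certificate with which to verify the server certificate")
    # OpenLDAP's default for TLS_REQCERT is 'demand'.
    reqcert = s.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(
            f"TLS_REQCERT {reqcert}: the server certificate is not "
            "required to validate")
    return findings


def build_verifying_context(cafile=None):
    """Build an ssl.SSLContext suitable for an LDAPS client.

    create_default_context() already requires a server certificate and
    checks the host name; cafile points it at the organisation's root
    certificate (None falls back to the system trust store). TLS 1.2 is
    set as the minimum protocol version.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF),
                       ("hardened", HARDENED_LDAP_CONF)):
        print(f"{name}: {check_client_tls(conf) or 'no findings'}")
```

The checker is deliberately simple: it flags a missing root certificate and any TLS_REQCERT value below demand, which covers the two ways a client ends up trusting an unverified directory service server. The same two conditions apply to self-developed clients, which is why build_verifying_context() leaves the default CERT_REQUIRED and check_hostname settings in place rather than relaxing them.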
In general, a directory service system does not consist of a single directory service server but of a cluster of servers (see also S 2.403 Planning the use of directory services). In this case, the directory database can be distributed between the various servers in the form of individual partitions. Furthermore, the individual servers can mutually replicate the directory databases. Since this means there are several copies of a database partition available on different servers, it is possible to distribute the load. The servers then need to exchange information on all changes to ensure the copies of the directories are up to date at all times. It is therefore necessary to draw up a replication concept. The following aspects, amongst other things, must be taken into account in this:
- Is the directory service server operated in the master/slave mode or is multi-master replication implemented?
- Which types of replication will be configured?
- Which servers should retain replicas of the directory service?
- Which directory service information must be replicated (definition of the filters)?
- Should changes to replicas of the directory service be allowed and should such changes be transferred to the original (definition as read/write or read-only)?
Since a system is generally subject to constant change during ongoing operations, it is also necessary to permanently monitor the security and reconfigure it when necessary. More information can be found in S 4.311 Secure operation of directory services.
Review questions:
- Are all directory service servers configured for the role they will assume?
- Were the client computers and programs also taken into account during configuration?