S 4.311 Secure operation of directory services
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
The security of a complex system must be permanently maintained during operation because it will be necessary to make changes during ongoing operations. For this reason, there is more to maintaining security than specifying a secure initial configuration (see S 4.308 Secure installation of directory services and S 4.307 Secure configuration of directory services).
After installation and initial configuration according to the directory service concepts and security policies defined in advance, the directory service servers are generally operated in a network. The security of such a network depends, on the one hand, on the initial configuration specified. On the other hand, a factor that significantly affects network security is the way configuration changes are performed during live operation. In particular, the side-effects of such changes must be taken into consideration, since under some circumstances they may unintentionally open up security gaps.
The following aspects must be considered from the perspective of information security during the operation of a directory service system:
- An important aspect of the security of a directory service system is the consistent administration of users and authorisations. Here, the administrative concept determines the complexity of the tasks to be performed. Since it is easy to make mistakes when carrying out complex operations, the administrative tasks should be designed to be as simple as possible. A group-based access concept also contributes to the maintenance of a secure system state: with it, the administration of database access rights is substantially simplified and is less prone to error overall. It must be ensured in particular that access to all administration tools is prohibited for normal users.
- Changes will need to be made to a directory system in particular when external LDAP directories are imported into an existing directory service tree. In general, these newly imported directories will not have been integrated into the existing security structures yet. In order to ensure the security policy defined is still implemented consistently, the configuration of the security settings must be performed immediately. The authorisations for importing new directories and for generating directory replicas must be assigned restrictively.
- Cryptographic certificates can play an essential role in the access control mechanisms of the directory service. If a certification authority is installed on a directory service server, then a separate pair of keys can be generated automatically for every new object and then stored in the directory service. It is therefore especially important to ensure the secure operation of this directory service server in the tree. It is not only necessary to protect the data stored there itself, but also its availability, for example through suitable replication.
- A directory service requires special strategies in terms of virus protection so that replicas do not register accesses by the virus scanner as changes and therefore generate unnecessary transfers of data. In the worst case, it is possible for the data stored in the directory to become inconsistent, which then causes the directory service to become unusable.
- The security of an IT system always depends on the physical security of the server and network component environments. For this reason, a directory service server always needs to be installed in a secure environment (see module M 2.4 Server room, for example).
- A system must be monitored in order to be able to assess its security status. The security settings and the log files of a server should be examined regularly. The goal of such monitoring is to detect violations of the applicable security regulations, to detect any security gaps, and to detect misconfigurations that have the potential to open up security gaps. A corresponding monitoring concept should therefore be considered part of the security concept. It is generally impossible for administrators to monitor complex systems such as directory services manually nowadays, so monitoring must be performed automatically by corresponding system components or by products obtained from third-party vendors. The configuration of the system monitors also must be adapted regularly to reflect the changes made to a system. The log files and security settings can be examined manually or with the help of tools. The recommendations for monitoring are summarised in S 4.312 Monitoring directory services.
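As an added example that is not part of this safeguard text, the following Python script shows the kind of automated check a monitoring component could run to support two of the points above: that access to administration functions is reserved for administrators (the group-based access point), and that log files and security settings are examined for policy violations and misconfigurations (the monitoring point). The log lines and the settings snapshot are constructed for this example; the log layout is modelled on the general shape of OpenLDAP slapd "stats" logging but is not captured output, and the administrator DNs, group names and the `ldap-admin-console`/`schema-editor` tool names are assumptions.

```python
import re
from collections import defaultdict

# Assumed identities: the administrator DNs and groups recognised by the monitoring rules.
ADMIN_DNS = {"cn=admin,dc=example,dc=org"}
ADMIN_GROUPS = {"cn=directory-admins,ou=groups,dc=example,dc=org"}
# Attributes that carry access control rules (OpenLDAP olcAccess, 389 DS / Sun DS aci).
ACL_ATTRIBUTES = {"olcAccess", "aci"}
FAILED_BIND_THRESHOLD = 3   # assumed threshold for reporting repeated failed binds

# Constructed sample log (not real captured output).
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 MOD dn="olcDatabase={1}mdb,cn=config"
conn=1001 op=1 MOD attr=olcAccess
conn=1001 op=1 RESULT tag=103 err=0 text=
conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 MOD dn="olcDatabase={1}mdb,cn=config"
conn=1002 op=1 MOD attr=olcAccess
conn=1002 op=1 RESULT tag=103 err=50 text=
conn=1003 fd=14 ACCEPT from IP=10.0.0.7:40002 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=org" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1003 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=org" method=128
conn=1003 op=1 RESULT tag=97 err=49 text=
conn=1003 op=2 BIND dn="uid=jdoe,ou=people,dc=example,dc=org" method=128
conn=1003 op=2 RESULT tag=97 err=49 text=
conn=1004 fd=15 ACCEPT from IP=10.0.0.7:40003 (IP=0.0.0.0:389)
conn=1004 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=org" method=128
conn=1004 op=0 RESULT tag=97 err=0 text=
conn=1004 op=1 MOD dn="ou=people,dc=example,dc=org"
conn=1004 op=1 MOD attr=olcAccess
"""

# Constructed snapshot of security settings: which groups may use which administration tool.
SAMPLE_SETTINGS = {
    "allow_anonymous_bind": True,
    "admin_tool_access": {
        "ldap-admin-console": {"cn=directory-admins,ou=groups,dc=example,dc=org"},
        "schema-editor": {"cn=directory-admins,ou=groups,dc=example,dc=org",
                          "cn=users,ou=groups,dc=example,dc=org"},
    },
}

LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)')
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'RESULT tag=\d+ err=(?P<err>\d+)')
MOD_ATTR_RE = re.compile(r'MOD attr=(?P<attr>\S+)')


def analyse_log(text):
    """Return a list of (severity, message) findings from slapd-style log text."""
    findings = []
    bound_as = {}                  # conn id -> DN of the last successful bind ("" = anonymous)
    pending_bind = {}              # conn id -> DN of a bind whose RESULT has not been seen yet
    failed_binds = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if (b := BIND_RE.search(rest)):
            pending_bind[conn] = b.group("dn")
        elif (r := RESULT_RE.search(rest)) and conn in pending_bind:
            dn = pending_bind.pop(conn)
            if r.group("err") == "0":
                bound_as[conn] = dn
            elif r.group("err") == "49":          # LDAP invalidCredentials
                failed_binds[dn] += 1
        elif (a := MOD_ATTR_RE.search(rest)):
            attr = a.group("attr")
            actor = bound_as.get(conn, "")        # no bind seen on this connection = anonymous
            if actor == "":
                findings.append(("critical", f"conn={conn}: modification of {attr} attempted over an anonymous bind"))
            elif attr in ACL_ATTRIBUTES and actor not in ADMIN_DNS:
                findings.append(("high", f"conn={conn}: access-control attribute {attr} modified by non-administrator '{actor}'"))
    for dn, n in failed_binds.items():
        if n >= FAILED_BIND_THRESHOLD:
            findings.append(("medium", f"{n} failed binds for {dn or '<anonymous>'}"))
    return findings


def check_settings(settings):
    """Return findings for the settings snapshot: anonymous bind and admin-tool exposure."""
    findings = []
    if settings.get("allow_anonymous_bind"):
        findings.append(("high", "anonymous bind is enabled"))
    for tool, groups in settings.get("admin_tool_access", {}).items():
        for group in sorted(groups - ADMIN_GROUPS):
            findings.append(("high", f"administration tool '{tool}' is accessible to non-admin group {group}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse_log(SAMPLE_LOG) + check_settings(SAMPLE_SETTINGS):
        print(f"[{severity}] {message}")
```

The log rules deliberately flag the anonymous modification attempt even though the server rejected it (err=50), because an attempted write over an anonymous bind is a policy violation worth seeing regardless of outcome; the settings rules encode the review question on this page (administration tools closed to normal users) as an invariant that can be re-checked after every configuration change.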
From a security perspective, it is also important to document all policies, rules, and processes that affect the operation of a directory service system. Operation manuals should be created for this purpose and they should be updated when changes are made to the system. Since the operation manuals contain security-relevant information, they must be stored in such a way that unauthorised access is prevented. Authorised administrators should have easy access to the manuals, however.
The recommendations provided here can only be of a general nature, since the maintenance of system security also depends on the local circumstances. For this reason, corresponding policies for the secure operation of a directory tree must be created as early as the network planning phase, taking the local requirements into consideration. Under some circumstances, it may be impossible to configure certain mechanisms as securely as would be desirable. This is the case, for example, if "old" applications must continue to be operated that are designed only for weak authentication or no authentication at all. In this case, alternative countermeasures must be implemented elsewhere, for example at the organisational level, to reach an adequate level of security.
Potential security gaps may only be detected and/or avoided by competent administrators. For this reason, the training and continued education of the system administrators is an important safeguard (see also S 3.62 Training on the administration of directory services).
In addition, normal users also need to be trained on security aspects (see also S 3.63 Training users on authentication with the help of directory services) so that they know the potential risks involved and can use the security mechanisms available correctly.
Review questions:
- Are all operation procedures of the directory service documented?
- Is access to all administration tools prohibited for normal users?