S 4.312 Monitoring directory services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Auditor, Head of IT, Administrator
In order to be able to determine the security status of a system, it is necessary to monitor the system continuously. Among other things, it is necessary to regularly monitor the security settings and the log files of a server. The goal of such a monitoring function is to detect violations of the applicable security regulations, to detect any security gaps, and to detect misconfigurations that may open up security gaps. A corresponding monitoring concept should be considered part of the security concept for this reason.
Nowadays it is generally impossible for administrators to monitor complex systems such as directory services manually, so monitoring must be performed automatically by corresponding system components or by products obtained from third-party vendors. The configuration of the system monitors must also be adapted regularly to reflect the changes made to a system.
Suitable tools should be used to monitor a directory service system. If the monitoring tool accesses the directory service over a client/server connection, then the tools must provide suitable authentication mechanisms for this access. After successful authentication, the accessing user must only be able to access the data permitted by the rights configured for that user. Access to all administration tools should be prohibited for normal users. Such access should only take place over a communication connection with adequate encryption.
Depending on the directory service and the tools available for use, it may be possible to store all directory service events in a separate log file. This makes specific events easier to find and evaluate than when the directory service events are written to the global log file of the operating system.
In general, the following aspects need to be taken into account in the context of monitoring:
- The Data Protection Officer and the Personnel and/or Supervisory Board should become involved early in the planning process because it is usually necessary to access personal data when monitoring the system.
- In addition to monitoring and logging the directory service-specific events, it is also necessary to monitor and log operating system events in order to obtain a more complete picture of system operations. Recommendations for the secure installation and configuration of the operating system as well as information on this topic can be found in the corresponding modules.
- A central collection point with correspondingly automated evaluation of the log files can be set up using products offered by third-party manufacturers. If a tool is used for network and system management (see also module M 4.2 Network and system management), then it may be possible to integrate the directory service log directly into this tool, depending on which product is used.
- Monitoring can generate large amounts of data depending on the settings. It is not only necessary to evaluate this data regularly, but also to move it to other data media or delete it completely for reasons of storage space. In addition, intensive monitoring can lead to a loss in performance. In extreme cases, a server may become overloaded to an extent that proper operation becomes impossible. For this reason, suitable monitoring parameters must be checked in a test operation environment and modified if necessary. Changes to the parameters can also have an effect on the overall monitoring concept, because it may become impossible to perform certain monitoring tasks after making the changes. This applies especially where additional products are used that place high requirements on the events recorded, for example programs that automatically analyse the logged data for behavioural anomalies in order to detect attacks.
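The following is an added example, not part of this safeguard's text, of the kind of automated evaluation of a directory service log file described above: it parses log lines, reports lines that cannot be parsed (a sign of a damaged or tampered log), counts repeated failed binds per user, flags successful modifications of privileged groups outside working hours, and tallies events per hour so that log volume and storage needs can be estimated. The log line format and all sample lines are constructed for this illustration and do not reproduce the format of any particular directory product; the regular expression would have to be adapted to the real log format.

```python
"""Automated evaluation of directory service log lines (added example).

The log line format below is constructed for this illustration and is not
the format of any particular directory product; adapt LINE_RE to the real one.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed format:
#   <ISO timestamp> conn=<n> op=<BIND|MOD|SEARCH> dn="<dn>" [attr=<name>]
#   result=<LDAP result code> [from=<client address>]
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) '
    r'conn=(?P<conn>\d+) op=(?P<op>BIND|MOD|SEARCH) '
    r'dn="(?P<dn>[^"]*)"(?: attr=(?P<attr>\S+))? result=(?P<result>\d+)'
    r'(?: from=(?P<src>\S+))?$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    conn: int
    op: str
    dn: str
    attr: Optional[str]
    result: int
    src: Optional[str]


def parse(lines) -> Tuple[List[Event], List[str]]:
    """Parse log lines. Non-matching lines are returned separately so that a
    damaged or tampered log shows up instead of being silently dropped."""
    events, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)
            continue
        d = m.groupdict()
        events.append(Event(datetime.fromisoformat(d["ts"]), int(d["conn"]),
                            d["op"], d["dn"], d["attr"], int(d["result"]), d["src"]))
    return events, unparsed


def failed_binds(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed binds (LDAP result code != 0)."""
    counts = Counter(e.dn for e in events if e.op == "BIND" and e.result != 0)
    return {dn: n for dn, n in counts.items() if n >= threshold}


def off_hours_privileged_mods(events, privileged_dns, start_hour=8, end_hour=18):
    """Successful modifications of privileged groups outside the working window."""
    return [e for e in events
            if e.op == "MOD" and e.result == 0 and e.dn in privileged_dns
            and not (start_hour <= e.ts.hour < end_hour)]


def volume_per_hour(events: List[Event]) -> Counter:
    """Event counts per hour, as input for storage and rotation planning."""
    return Counter(e.ts.strftime("%Y-%m-%dT%H") for e in events)


def evaluate(lines, privileged_dns) -> dict:
    events, unparsed = parse(lines)
    return {
        "events": len(events),
        "unparsed": len(unparsed),
        "failed_binds": failed_binds(events),
        "off_hours_privileged_mods": [(e.ts.isoformat(), e.dn, e.attr)
                                      for e in off_hours_privileged_mods(events, privileged_dns)],
        "volume_per_hour": dict(volume_per_hour(events)),
    }


# Constructed sample log: three failed binds (result 49 = invalidCredentials),
# one late-evening change to an admin group, and one line that does not parse.
SAMPLE_LOG = """\
2024-03-04T08:15:02 conn=101 op=BIND dn="cn=alice,ou=people,dc=example,dc=org" result=0 from=10.0.1.20
2024-03-04T08:16:10 conn=102 op=BIND dn="cn=bob,ou=people,dc=example,dc=org" result=49 from=10.0.9.77
2024-03-04T08:16:12 conn=103 op=BIND dn="cn=bob,ou=people,dc=example,dc=org" result=49 from=10.0.9.77
2024-03-04T08:16:15 conn=104 op=BIND dn="cn=bob,ou=people,dc=example,dc=org" result=49 from=10.0.9.77
2024-03-04T09:02:44 conn=105 op=SEARCH dn="ou=people,dc=example,dc=org" result=0 from=10.0.1.20
2024-03-04T22:41:07 conn=106 op=MOD dn="cn=domain-admins,ou=groups,dc=example,dc=org" attr=member result=0 from=10.0.1.20
2024-03-04T23:05:00 this line is garbage
"""
PRIVILEGED_DNS = frozenset({"cn=domain-admins,ou=groups,dc=example,dc=org"})

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG.splitlines(), PRIVILEGED_DNS).items():
        print(f"{key}: {value}")
```

The thresholds, the working-hours window and the list of privileged groups are exactly the "monitoring parameters" the text says must be checked in a test operation: a threshold that is too low or a window that is too narrow produces noise, and the per-hour counts show how quickly the log grows with the chosen settings.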
When monitoring the system functions, it is also recommended to regularly check the directory service replication used to deploy configuration changes to other systems. Errors during replication usually mean that the configuration changes are not applied everywhere, with the consequence, for example, that some users retain too many rights.
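As an added example (not part of this safeguard's text) of the replication check just described: the script below compares a master directory server with its replicas, reports replicas that have not yet applied all changes, and lists per group which members a replica still grants although the master has removed them, i.e. exactly the "too many rights" case. The snapshot structure is constructed for this illustration (a change sequence counter plus the membership of the watched privileged groups per server); how such an export is obtained from a real directory product differs between products and is not shown.

```python
"""Replication consistency check for a directory service (added example).

The Snapshot structure is constructed: for each server it holds the highest
change sequence number that server has applied and the membership of the
privileged groups being watched. Obtaining such an export is product specific
and is not shown here.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Snapshot:
    name: str
    csn: int                       # highest replicated change applied (constructed counter)
    groups: Dict[str, Set[str]]    # group DN -> set of member DNs


def replication_lag(master: Snapshot, replicas: List[Snapshot]) -> Dict[str, int]:
    """Replicas that have not applied all changes the master has, with the gap."""
    return {r.name: master.csn - r.csn for r in replicas if r.csn < master.csn}


def membership_drift(master: Snapshot, replicas: List[Snapshot]) -> dict:
    """Per (replica, group): members the replica still grants although the
    master no longer does (excess rights) and members it lacks (missing rights).
    Groups present on only one side are compared against the empty set."""
    drift = {}
    for r in replicas:
        for group in sorted(set(master.groups) | set(r.groups)):
            want = master.groups.get(group, set())
            have = r.groups.get(group, set())
            excess, missing = sorted(have - want), sorted(want - have)
            if excess or missing:
                drift[(r.name, group)] = {"excess": excess, "missing": missing}
    return drift


def check_replication(master: Snapshot, replicas: List[Snapshot]) -> dict:
    lag = replication_lag(master, replicas)
    drift = membership_drift(master, replicas)
    return {"lag": lag, "drift": drift, "consistent": not lag and not drift}


# Constructed sample data: replica-b missed the change that removed bob from
# the admin group and therefore still grants him administrative rights.
ADMINS = "cn=directory-admins,ou=groups,dc=example,dc=org"
OPERATORS = "cn=operators,ou=groups,dc=example,dc=org"
ALICE, BOB, CAROL, DAVE = (f"cn={n},ou=people,dc=example,dc=org"
                           for n in ("alice", "bob", "carol", "dave"))

MASTER = Snapshot("dir-master", 1042, {ADMINS: {ALICE, CAROL}, OPERATORS: {DAVE}})
REPLICA_A = Snapshot("dir-replica-a", 1042, {ADMINS: {ALICE, CAROL}, OPERATORS: {DAVE}})
REPLICA_B = Snapshot("dir-replica-b", 1037, {ADMINS: {ALICE, BOB, CAROL}, OPERATORS: {DAVE}})

if __name__ == "__main__":
    report = check_replication(MASTER, [REPLICA_A, REPLICA_B])
    print("lagging replicas:", report["lag"])
    for (replica, group), diff in report["drift"].items():
        print(f"{replica} {group}: excess={diff['excess']} missing={diff['missing']}")
    print("consistent:", report["consistent"])
```

Comparing the change counters alone is not enough: a replica can report itself up to date while an individual change failed to apply, so the check compares the actual membership of the privileged groups as well, which is what the review question about regularly evaluated system events is ultimately about.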
Review questions:
- Was the monitoring concept of the directory service designed and implemented to meet the actual needs?
- Are important system events of the directory service logged and regularly evaluated?
- Are the monitoring parameters of the directory service checked in a test operation and modified when necessary?