S 4.322 Blocking unneeded VPN accounts

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

VPN access points must be secured in such a way that only authorised users or IT systems are allowed to access via these. For this, access control methods must be used on the VPN endpoints, which check whether a given sender is authorised to communicate with the recipient. The proper function and configuration of the method used must be checked at regular intervals. VPN access points that have been forgotten, user IDs of employees who have left the organisation, or IT systems that have been disposed of are dangerous security gaps and must be closed as quickly as possible. VPN access points no longer needed by suppliers, partners, and customers must also be disabled promptly. After disabling an access point, it should be checked to ensure that it actually is impossible to access the network using this access point.

If it is known that individual users of the VPNs will be absent for a longer period of time or will not be using the VPN for some other reason (because they are on holiday, ill, or need to do other tasks), consideration should be given to blocking their user IDs on the VPN server during this time so that it is impossible to work using their user ID while they are absent. If possible, every user who will be absent for a longer period of time should inform the network administrator in due time. If outsiders such as customers or suppliers only need VPN access at certain times, the access authorisations should be restricted to these time frames.

Efficient administration of the access authorised users and IT systems, for example based on certificates, should be introduced and then checked and modified as necessary at regular intervals. The access data and the corresponding services must be protected against unauthorised access.

Review questions:

© Federal Office for Information Security. All rights reserved.