S 4.322 Blocking unneeded VPN accounts
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
VPN access points must be secured so that only authorised users or IT systems can access the network through them. For this purpose, access control mechanisms must be used on the VPN endpoints that check whether a given sender is authorised to communicate with the intended recipient. The correct functioning and configuration of the mechanism used must be checked at regular intervals. VPN access points that have been forgotten, user IDs of employees who have left the organisation, and accounts of IT systems that have been disposed of are dangerous security gaps and must be closed as quickly as possible. VPN access points that are no longer needed by suppliers, partners, or customers must likewise be disabled promptly. After an access point has been disabled, it should be verified that it is actually no longer possible to reach the network through it; disabling an account in the administration interface is not sufficient evidence on its own.
If it is known that individual VPN users will be absent for a longer period or will not be using the VPN for some other reason (for example because they are on holiday, ill, or assigned to other tasks), consideration should be given to blocking their user IDs on the VPN server for that period, so that nobody can work under their user ID while they are away. Where possible, every user who will be absent for a longer period should inform the network administrator in good time. If outsiders such as customers or suppliers only need VPN access at certain times, their access authorisations should be restricted to those time frames.
Efficient administration of the users and IT systems authorised to access the VPN, for example on the basis of certificates, should be introduced, and the authorisations should be reviewed and adjusted as necessary at regular intervals. The access data and the corresponding services must be protected against unauthorised access.
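The regular review called for above (accounts of departed employees, disposed-of systems, absent users, externals outside their agreed time windows, forgotten accounts that nobody has used) is easiest to do reliably when the VPN account list is reconciled against an authoritative directory by a script rather than by eye. The following is an added example and not part of the BSI safeguard text; it assumes the VPN server can export its accounts with a last-login date and that HR or the directory service can provide the active employees, planned absences, systems in service and agreed access windows for externals. All account and directory data below is constructed for illustration.

```python
"""Reconcile VPN accounts against an authoritative directory.

Added example (not part of the BSI safeguard). Assumes an export of VPN
accounts and a directory feed; both are constructed inline here.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional


@dataclass
class VpnAccount:
    user_id: str
    kind: str                   # "employee", "external" or "system"
    last_login: Optional[date]  # None if the account has never been used
    enabled: bool = True


@dataclass
class Directory:
    active_employees: set       # user IDs of current staff (HR feed)
    absent_until: dict          # user_id -> date the person returns
    active_systems: set         # IT systems still in service
    external_windows: dict      # user_id -> (start, end) time of day in which access is agreed


def audit_accounts(accounts, directory, today, max_idle_days=90):
    """Return {user_id: reason} for every enabled account that should be blocked."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue                      # already blocked, nothing to do
        reason = None
        if acct.kind == "employee":
            if acct.user_id not in directory.active_employees:
                reason = "employee has left the organisation"
            elif directory.absent_until.get(acct.user_id, today) > today:
                reason = "employee absent until %s" % directory.absent_until[acct.user_id].isoformat()
        elif acct.kind == "system":
            if acct.user_id not in directory.active_systems:
                reason = "IT system no longer in service"
        elif acct.kind == "external":
            if acct.user_id not in directory.external_windows:
                reason = "external access no longer agreed"
        else:
            reason = "unknown account type"   # fail closed on anything unclassified
        # Forgotten accounts: never used, or idle longer than the policy allows
        if reason is None and (acct.last_login is None or (today - acct.last_login).days > max_idle_days):
            reason = "no login for more than %d days" % max_idle_days
        if reason:
            findings[acct.user_id] = reason
    return findings


def external_access_allowed(directory, user_id, when):
    """Time-of-day check for externals, to be enforced when a connection is attempted."""
    window = directory.external_windows.get(user_id)
    if window is None:
        return False
    start, end = window
    return start <= when.time() < end


# Constructed sample data (no real accounts)
TODAY = date(2024, 6, 3)
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", "employee", date(2024, 6, 1)),
    VpnAccount("bob", "employee", date(2024, 5, 28)),        # on holiday
    VpnAccount("carol", "employee", date(2024, 1, 15)),      # has left
    VpnAccount("dave", "employee", date(2023, 12, 1)),       # still employed, account idle
    VpnAccount("srv-backup-02", "system", date(2024, 6, 2)),
    VpnAccount("srv-old-01", "system", None),                # disposed of, never used
    VpnAccount("supplier-x", "external", date(2024, 6, 2)),
    VpnAccount("partner-old", "external", date(2024, 3, 3)), # contract ended
    VpnAccount("mallory", "employee", date(2024, 6, 2), enabled=False),
]
SAMPLE_DIRECTORY = Directory(
    active_employees={"alice", "bob", "dave"},
    absent_until={"bob": date(2024, 6, 21)},
    active_systems={"srv-backup-02"},
    external_windows={"supplier-x": (time(8, 0), time(18, 0))},
)
# Constructed connection attempts for the time-window check
SAMPLE_ATTEMPTS = [
    ("supplier-x", datetime(2024, 6, 3, 9, 30)),
    ("supplier-x", datetime(2024, 6, 3, 22, 0)),
    ("partner-old", datetime(2024, 6, 3, 9, 30)),
]


def check_sample_attempts(directory=SAMPLE_DIRECTORY):
    return [(uid, external_access_allowed(directory, uid, when)) for uid, when in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for uid, why in sorted(audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_DIRECTORY, TODAY).items()):
        print("block %s: %s" % (uid, why))
    for uid, ok in check_sample_attempts():
        print("%s connection for %s" % ("allow" if ok else "deny", uid))
```

The script only produces the list of accounts to block; the safeguard's final step, confirming after the change that the disabled access point really cannot reach the network, still has to be carried out against the live VPN endpoint. Unclassified accounts are reported rather than silently accepted, so that an account type the directory does not know about cannot slip through the review.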
Review questions:
- Is it checked regularly whether only authorised IT systems and users can access the VPN?
- Has it been ensured that VPN access points are disabled immediately when not needed any more?
- Is VPN access for external persons restricted to the periods it is actually needed?