S 5.33 Secure remote maintenance
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
The remote maintenance of IT systems poses special security risks. When performing remote maintenance, a distinction must be made as to whether internal or external maintenance personnel access the IT systems. To be able to help IT users quickly without having to travel physically to the location where the particular IT system is installed, IT support personnel often use remote maintenance access. For security reasons, it makes sense to avoid using external personnel for remote maintenance. If this is not possible, additional security safeguards are unavoidable.
The IT system to be maintained must provide the following security functions:
- The connection established for remote maintenance should always be initiated by the local IT system. This can be accomplished by having the IT systems to be maintained call the remote maintenance location or by using an automatic callback function.
- The user of the IT system must explicitly consent to the remote access, for example by entering a corresponding confirmation on the system. The user should monitor all activities during remote access.
- The external maintenance personnel must authenticate when beginning the maintenance session. If passwords are transmitted in unencrypted form to this end, one-time passwords should be used (see S 5.34 Use of one-time passwords).
- Remote maintenance must be logged. At a minimum, the start and end of the remote maintenance as well as the persons involved must be documented. If nobody can monitor the remote access on the maintained IT system, all activities performed during remote maintenance must be logged on the IT system being maintained.
Furthermore, additional functions can be implemented on the IT system to be maintained:
- activation of a lock-out period in the event of failed access attempts,
- blocking of the remote maintenance feature during normal operation and express approval for a precisely defined period of time,
- restriction of the rights of the maintenance personnel: the maintenance personnel should not be granted full administrator rights; graduated administration of rights must be implemented; on Unix systems, S 2.33 Division of administrator roles under Unix and, in PC networks, S 2.38 Division of administrator roles must be observed additionally (the maintenance personnel should only have access to the data and directories currently requiring maintenance),
- on the IT system, there should be a separate user ID for the maintenance personnel that can be used to perform all maintenance work, if possible,
- if the connection to the remote maintenance location is disrupted for some reason, access to the system must be terminated by an automatic logout function.
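As an added illustration that is not part of the safeguard text, the following Python model shows how the controls listed above fit together on the maintained system: the feature is blocked until the local side approves a defined window, the local user must consent, a failed one-time-password check counts towards a lock-out, rights are limited to the directories under maintenance, and every start, end (including automatic logout on link loss) and the persons involved land in the log. The class, its method names, the lock-out threshold and the sample clock are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED = 3                   # assumed lock-out threshold
LOCKOUT = timedelta(minutes=30)  # assumed lock-out period
at = lambda h, m=0: datetime(2024, 1, 15, h, m)  # constructed clock, one sample day

@dataclass
class MaintenanceGate:
    allowed_dirs: set                 # directories currently under maintenance
    window: tuple = None              # (start, end) approved by the local admin
    failed: int = 0
    locked_until: datetime = None
    session: dict = None
    log: list = field(default_factory=list)   # start/end and persons involved

    def approve(self, start, end, approver):
        # Blocked in normal operation; express approval for a defined period
        self.window = (start, end)
        self.log.append((start, "window_approved", approver))

    def start(self, now, technician, consent, otp_ok):
        if self.locked_until and now < self.locked_until:
            return "locked_out"
        if not self.window or not (self.window[0] <= now <= self.window[1]):
            return "outside_window"
        if not consent:                # local user must explicitly agree
            return "no_consent"
        if not otp_ok:                 # one-time password, see S 5.34
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked_until = now + LOCKOUT
                self.log.append((now, "lockout", technician))
            return "auth_failed"
        self.failed = 0
        self.session = {"technician": technician, "start": now}
        self.log.append((now, "session_start", technician))
        return "ok"

    def access(self, path):  # restricted rights: only the dirs under maintenance
        return self.session is not None and any(
            path == d or path.startswith(d.rstrip("/") + "/") for d in self.allowed_dirs)

    def end(self, now, reason="closed"):  # "disconnect" = automatic logout on link loss
        if self.session is None:
            return False
        self.log.append((now, "session_end:" + reason, self.session["technician"]))
        self.session = None
        return True
```

The log entries are what a local administrator would review afterwards: an approval without a matching session, or a lock-out, is worth a question to the maintenance provider.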
External remote maintenance
Remote maintenance using external networks or by third parties is particularly critical. For security reasons, it makes sense to avoid using external personnel for remote maintenance. If this is not possible, the following aspects must be considered in addition to the security safeguards mentioned above:
- When performing remote maintenance using external communication connections, the access points and connections must be secured. The remote maintenance personnel must authenticate themselves and the data transmitted must be encrypted. For example, the connection can be implemented via VPN or it is also possible to use dedicated connections.
- If technically feasible, all activities during third party administration should be monitored by in-house IT experts. For example, a graphical user interface can be used to display and record all input and output on the IT system being maintained while a client is remotely administered. The maintenance personnel should not be left unattended, even if third party remote maintenance is necessary because the required know-how or capacity is not available internally (see also S 2.3 Data media control). If there is any uncertainty regarding the processes, the local IT expert should ask immediately. It must be possible at all times to cancel remote maintenance locally.
- If data or programs are created on the local IT system while performing maintenance, this must be clearly indicated in an understandable manner, e.g. this should only be performed in specifically indicated directories or using certain user IDs.
- All remote administration processes must be recorded. At a minimum, the start and end of the remote maintenance as well as the persons involved must be documented. If nobody can monitor the remote access on the maintained IT system, all activities performed during remote maintenance must be logged on the IT system being maintained.
According to S 3.55 Non-disclosure agreements (NDAs), contractual provisions relating to data secrecy must be included in the contract concluded with the external maintenance personnel. It is especially important to specify that data stored externally in the context of maintenance must be deleted carefully after completing the maintenance work. Likewise, the duties and qualifications of the external maintenance personnel must be defined carefully.
Review questions:
- Has it been ensured that remote maintenance will only be performed when adequate security safeguards are taken?
- Has it been ensured that remote maintenance accesses can only be initiated by the local IT system?
- Is the remote maintenance performed adequately logged?