IT Baseline Protection Manual S 4.79 Secure access mechanisms for local administration
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Some active network components can be administered via local access. Such local access is generally implemented by means of a serial interface (normally of type V.24 or EIA-232-E). The following measures must be observed to ensure secure local access:
The active network components and their periphery, such as connected terminals, must be installed securely (refer to S 1.29 Adequate siting of an IT system).
Local access for the purpose of administering local components must be disabled by means of software and/or hardware.
Any existing default password for local access must be modified immediately after putting the active network component into operation (for selection of a new password, refer to S 2.11 Provisions governing the use of passwords).
The security features of permanently connected terminals and computers, such as automatic screen lock and auto logout, must be activated (refer to S 5.11 Blocking the server console and active network components).
Local administration offers the following advantages:
The danger of intercepting passwords is reduced.
Administration is still possible after a failure of a network segment containing the active component, or after a failure of the entire network.
Local administration has the following disadvantages:
As a rule, active network components can be configured such that they can be administered either locally or centrally. No general recommendation can be made as to which configuration is appropriate. However, it must be noted that if exclusively local administration has been configured, central administration of the active network components is no longer possible. These components must then always be administered directly on-site. This also increases reaction times in the event of a failure, as longer distances may have to be covered in order to reach the components.
Local access by means of a V.24 or EIA-232-E interface is generally slower than remote access via the network.
Additional controls:
Have the default passwords for local access been replaced by secure ones?
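One way to check these controls against an exported device configuration, as an added example that is not part of the original safeguard: the script below assumes IOS-style `line con 0` syntax and uses constructed sample configurations, and reports a finding for a vendor-default console password, a missing login requirement, and a disabled or overlong auto-logout timer.

```python
import re
# Constructed sample configs (IOS-style syntax assumed; not taken from the page):
# the first shows weak console settings, the second the corrected ones.
WEAK_CONFIG = """\
line con 0
 password cisco
 login
 exec-timeout 0 0
!
"""
HARDENED_CONFIG = """\
line con 0
 login local
 exec-timeout 5 0
"""
# Illustrative well-known vendor defaults that S 4.79 requires to be replaced.
DEFAULT_PASSWORDS = {"cisco", "admin", "password", ""}

def console_section(config: str) -> list[str]:
    """Return the indented statements under 'line con 0' / 'line console 0'."""
    section, inside = [], False
    for line in config.splitlines():
        if re.match(r"^line con(sole)? 0\b", line):
            inside = True
        elif inside and line.startswith(" "):
            section.append(line.strip())
        elif inside:
            break  # next top-level statement ends the stanza
    return section

def audit_console(config: str, max_idle_seconds: int = 600) -> list[str]:
    """Check the serial console line against the S 4.79 controls; [] means compliant."""
    section = console_section(config)
    if not section:
        return ["no 'line con 0' stanza: console settings unknown"]
    findings = []
    if not any(s == "login" or s.startswith("login ") for s in section):
        findings.append("console does not require authentication")
    password = next((s.split(" ", 1)[1] for s in section if s.startswith("password ")), None)
    if password is not None and password.lower() in DEFAULT_PASSWORDS:
        findings.append("console password is a vendor default")
    timeout = next((re.match(r"exec-timeout (\d+)(?: (\d+))?$", s) for s in section
                    if s.startswith("exec-timeout ")), None)
    if timeout is None:
        findings.append("exec-timeout not set explicitly: auto logout unverified")
    else:
        idle = int(timeout.group(1)) * 60 + int(timeout.group(2) or 0)  # "0 0" disables it
        if idle == 0 or idle > max_idle_seconds:
            findings.append(f"auto logout disabled or too long ({idle}s)")
    return findings
```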