IT Baseline Protection Manual

S 4.92 Secure operation of a system management system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
To ensure the secure operation of a system management system, which may consist of a number of different management tools (see S 2.171 Selection of a suitable system management product), the configuration of all components involved must be examined to ascertain that it is secure (see also S 4.91 Secure installation of a system management system). This requires appropriate protection for the operating systems of the components administered by the management system, since parts of the management system (software and/or data) are installed on them. It also includes the secure siting of the computers that perform central tasks for the management system (management servers or computers holding management databases). In addition, provision must be made for secure data transmission (see S 5.68 Use of encryption procedures for network communications).
Particular attention should be paid to the following points during operation of a management system:
The new hardware and software components added by the management system must be documented when the system documentation is updated.
Changes to the management system itself must also be documented and/or logged.
The emergency procedure manual must be updated in the same way. In particular, the startup and recovery plans must be revised, because after the introduction of a management system many standard functions of the administered operating systems can only be executed with the aid of the management system's functions. On the other hand, the emergency procedure manual must also include instructions on how the systems can be made available to a sufficient degree within a short time without the management system (for example in the event of a total failure of central components) (emergency operation regulation; see also Section 3.3 Contingency planning concept).
Access to the components or data of the management system is normally performed only by the management system itself or by other authorised system mechanisms (such as a data backup system). Access must therefore be prohibited for normal users. In the normal case this also applies to the role of the local administrator of an individual computer. If it does become necessary in exceptional cases to access the local components of the management system on a computer (for example for crash recovery or when installing new components, assuming the management system does not support this as part of its management functions), this authorisation should be granted explicitly, and only for the duration of that particular task.
The relevant authorisations must be laid down in the security policy. In the field of management, too, there is a division of roles between administrators and auditors - and, depending on the product, also between administrators with different rights (such as workgroup administrators or divisional administrators). It is advisable to define specific roles and to set up users with the authorisations appropriate to these roles. In that way a user accessing the system is granted only those rights to components or data of the management system that are necessary for the task in hand. Depending on the management system, users are set up either in the management system itself or in the user administration of the computers. Where a system does not directly support the definition of different roles (such as administrator and auditor), the roles must be emulated as closely as possible by creating separate user accounts (e.g. "Administrator", "Auditor", "Computer Admin", "Data Privacy Officer") with the corresponding rights. Depending on the system, these roles can only be emulated incompletely and at some expense, because it may be necessary to assign and maintain the rights for each role explicitly for every system component (files, programs).
Access to the management software must be protected by secure passwords. The passwords should be changed at regular intervals, in accordance with the security policy.
Functions of the management software that are not to be used according to the management strategy should be disabled where possible.
The log files must be checked for anomalies at regular intervals (such as the execution of functions that are not supposed to be used). It is recommended to use log analysers for this, which may either be integrated into the management product or be available as add-on software, and which can generate alarm messages (such as by e-mail or pager) as the need arises, usually on the basis of configurable rules.
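As an added illustration (not part of the manual) of such a rule-driven log check, the following Python script runs two rules over constructed sample log lines: one flags the execution of a function that the management strategy has disabled, the other flags direct access to local management components by an account outside the authorised set. The log format, function names and account names are assumptions for the example.

```python
import re
from typing import Optional

# Constructed sample log in an assumed "<timestamp> <host> <user> <ACTION> <details>"
# format; real management products use their own log layouts.
SAMPLE_LOG = """\
2024-03-01T08:00:01 mgmt-srv01 admin_ops INVENTORY node=ws-017
2024-03-01T08:05:12 mgmt-srv01 auditor01 REPORT scope=domain-A
2024-03-01T08:07:40 ws-017 jsmith LOCAL_ACCESS path=/opt/mgmt/agent/config
2024-03-01T08:09:03 mgmt-srv01 admin_ops REMOTE_SHELL node=ws-017
2024-03-01T08:11:55 mgmt-srv01 admin_ops DISTRIBUTE pkg=agent-2.1
##corrupt## 08:12 mgmt-srv01
2024-03-01T08:12:10 mgmt-srv01 wg_admin_B INVENTORY node=ws-200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>[A-Z_]+) (?P<details>.*)$")

# Functions the management strategy says must not be used (hypothetical names).
DISABLED_FUNCTIONS = {"REMOTE_SHELL"}
# Accounts permitted to access local management components directly (hypothetical).
LOCAL_ACCESS_ALLOWED = {"admin_ops", "backup_svc"}

def rule_disabled_function(e: dict) -> Optional[str]:
    if e["action"] in DISABLED_FUNCTIONS:
        return f"disabled function {e['action']} executed"
    return None

def rule_unauthorised_local_access(e: dict) -> Optional[str]:
    if e["action"] == "LOCAL_ACCESS" and e["user"] not in LOCAL_ACCESS_ALLOWED:
        return f"local access to management component by non-authorised account ({e['details']})"
    return None

# Rule table: each rule returns an alarm text or None; extend here, not in analyse().
RULES: list = [rule_disabled_function, rule_unauthorised_local_access]

def analyse(log_text: str) -> list:
    """Run every rule over every line; return alarm messages in log order."""
    alarms = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m is None:
            # An unparseable entry is itself an anomaly: it may indicate log tampering.
            alarms.append(f"line {lineno}: unparseable log entry {line!r}")
            continue
        e = m.groupdict()
        for rule in RULES:
            hit = rule(e)
            if hit:
                alarms.append(f"line {lineno}: {e['ts']} {e['user']}@{e['host']}: {hit}")
    return alarms
```

Calling analyse(SAMPLE_LOG) yields three alarms (lines 3, 4 and 6 of the sample); in a real deployment each alarm would be handed to the e-mail or pager notification mechanism.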
Integrity tests must be run on the management system at certain intervals so that unauthorised changes can be detected as early as possible. This applies in particular to all configuration data in the management system.
If the system management system is also used to distribute software, the program data that is to be distributed must also be checked regularly for changes in order to prevent the distribution of modified software across the entire network.
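The integrity checks called for in the two preceding points, on the management system's configuration data and on the program packages held for distribution, can be implemented with a digest manifest taken while the tree is known-good. The following Python script is an added example, not the manual's or any product's own code; the directory layout, file names and contents are constructed. The manifest itself must be stored where the checked system cannot alter it, otherwise an attacker who modifies a file can update the manifest alongside it.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record the digest of every file under root while the tree is known-good."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the stored manifest; report every deviation."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "packages").mkdir()
        (root / "config" / "domains.cfg").write_bytes(b"domain-A: ws-001..ws-120\n")
        (root / "config" / "roles.cfg").write_bytes(b"auditor: read-only\n")
        (root / "packages" / "agent-2.1.pkg").write_bytes(b"\x7fELF constructed package body")
        manifest = build_manifest(root)        # taken while known-good; keep it off-host
        before = verify(root, manifest)        # expected: nothing to report
        # Simulated unauthorised changes between two integrity runs:
        (root / "packages" / "agent-2.1.pkg").write_bytes(b"\x7fELF modified package body")
        (root / "config" / "roles.cfg").unlink()
        (root / "config" / "extra.cfg").write_bytes(b"auditor: full-control\n")
        return {"before": before, "after": verify(root, manifest)}
```

A scheduled run of verify() against the off-host manifest gives the early detection the manual asks for; any non-empty list should raise an alarm before the affected package is distributed further.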
The response of the management system in the event of a system crash should be tested. Automatic restarting of the management system or of local subcomponents of the system must be ensured, depending on the management and security policies. This prevents computers that are connected to the management system from being inaccessible to management for lengthy periods (see also S 6.57 Creation of an emergency plan for the failure of the management system).
In the event of a system crash, the management databases must not be destroyed or enter an inconsistent state. This prevents a potential attacker from exploiting provoked inconsistencies for an attack. To ensure this, the management system must either make use of a database system that supports appropriate recovery mechanisms or implement these mechanisms itself (see S 2.170 Requirements to be met by a system management system). If the chosen system does not provide these mechanisms (for example if several management tools are used), the computers that store management information should be given the highest possible level of security (including physical security; see Chapters 4 to 6).
The management system should include a suitable mechanism for backing up the management data, or interoperate with a backup system. When older data is restored from a backup, it must be borne in mind that it usually has to be post-edited manually to match the current system configuration.
Backed-up management data must also be stored in such a way that no unauthorised third party can gain access to it. Usually the data is not stored in a protected form on the backup medium, so it can be read by anyone who possesses the backup program and a suitable drive.
The validity of the division into management domains and the associated responsibilities should be examined at regular intervals. This applies in particular when internal restructuring has been carried out.