IT Baseline Protection Manual S 4.135 Restrictive granting of access rights to system files

S 4.135 Restrictive granting of access rights to system files

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

System files and directories are files and directories for which the Administrator is responsible. These are either important to all users or else they are used solely for administrative purposes.

If possible, only system administrators should have access to system files. The group of administrators with the privileges required to access these files should be kept as small as possible. Directories, too, should grant users no more than the privileges they require. Careful control should be exercised over the granting of access rights to system files, and the granting of these rights must comply with the in-house security guidelines (see also S 2.220 Guidelines for access control).

System files should be kept in a separate place from application data and user files (see also S 2.138 Structured data storage). This makes it easier to obtain an overview, simplifies data backups and ensures proper access protection.

Access to system files should always be logged. Redundant, i.e. unnecessary, system files should be deleted from the system to prevent their being misused for attacks and to eliminate the need to keep checking their integrity.

With regard to the restrictive granting of access rights, it is not sufficient to check only the rights of a program itself. The rights granted to all programs which can be accessed from within that program must also be checked.

The integrity of all system files and directories and the correctness of their access rights should, if possible, be verified at regular intervals. For many operating systems, tools are available with which such checks can be carried out rapidly and reliably.
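A sketch of the kind of periodic check described above, given as an added example and not taken from the manual or from any particular tool. It assumes a POSIX system; the names `snapshot`, `audit` and `admin_uids` are hypothetical, and treating every group or world write bit as a finding is an assumed policy that the in-house guidelines may relax.

```python
import hashlib
import os
import stat

def snapshot(root):
    """Map each path under root to (st_mode, uid, gid, content digest)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            elif stat.S_ISLNK(st.st_mode):
                digest = os.readlink(path)  # a retargeted link counts as a change
            else:
                digest = None
            state[os.path.relpath(path, root)] = (st.st_mode, st.st_uid, st.st_gid, digest)
    return state

def audit(root, baseline, admin_uids=frozenset({0})):
    """Return sorted (finding, path) pairs for the tree at root."""
    current = snapshot(root)
    findings = []
    for rel, (mode, uid, gid, digest) in current.items():
        # Rights check: only administrators should own or be able to write system files.
        if uid not in admin_uids:
            findings.append(("owner-not-admin", rel))
        if not stat.S_ISLNK(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("group-or-world-writable", rel))
        # Integrity check against the baseline recorded earlier.
        old = baseline.get(rel)
        if old is None:
            findings.append(("not-in-baseline", rel))
        elif old[3] != digest:
            findings.append(("content-changed", rel))
        elif old[:3] != (mode, uid, gid):
            findings.append(("rights-changed", rel))
    # Files recorded in the baseline that have since disappeared.
    findings += [("missing", rel) for rel in baseline if rel not in current]
    return sorted(findings)
```

The baseline returned by `snapshot` has to be stored where the audited system cannot modify it, otherwise a change to a system file can be hidden by rewriting the baseline as well.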

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001