IT Baseline Protection Manual T 2.59 Operation of non-registered components

T 2.59 Operation of non-registered components

As a rule, all components of a network should be known to the system administration. On an organisational level, it should be guaranteed that new components are registered with and released by the system administration, for example through automatic reporting from the purchasing organisation or a corresponding request from the organisational unit operating the components.

Non-registered components are a security risk as they are not integrated in organisational in-house processes and controls. On the one hand, this can cause problems for the users of non-registered components (e.g. loss of data, as the system is not integrated into the data backup). On the other hand, it can also jeopardise other network components. For example, weaknesses can arise through unrecorded access points to the network if they are poorly protected against unauthorised access or not even protected at all. In particular, as such components are not controlled by the network management and/or the system management, errors in the configuration of the local system can lead to a gap in security.

Example:

The administrator uses the system management system to maintain the passwords (community names) for the SNMP-based network management system in use. A workgroup buys a new network PC but forgets to report this to the central administration. At installation, the password (community name) for the local SNMP daemon is set to "public". This password is well known. Perpetrators can now start an SNMP-based attack, as they have full access to the SNMP data. A PC compromised in this way can serve as a starting point for further attacks on the internal network. For example, password sniffers could be installed.
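A check an administrator could run against the situation in this example, added here and not part of the manual: it reconciles observed neighbour-table entries with the asset register and flags well-known community names in an SNMP daemon configuration. The register, addresses and configuration lines are constructed sample data; using `ip neigh` output and a net-snmp `snmpd.conf` as the data sources is an assumption.

```python
import re

# Constructed asset register kept by system administration (MAC -> description).
REGISTERED = {
    "00:16:3e:aa:01:10": "file server, IT operations",
    "00:16:3e:aa:01:22": "workstation, accounting",
}
# Constructed neighbour table in `ip neigh` output format.
NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:16:3e:aa:01:10 REACHABLE
192.0.2.22 dev eth0 lladdr 00:16:3E:AA:01:22 STALE
192.0.2.57 dev eth0 lladdr 00:16:3e:bb:09:57 REACHABLE
192.0.2.99 dev eth0  FAILED
"""
# Constructed net-snmp snmpd.conf as it might look on the unreported PC.
SNMPD_CONF = """\
rocommunity public
rwcommunity s3gm-Write-71 192.0.2.10
com2sec readonly default public
"""
WELL_KNOWN = {"public", "private"}  # "private" is the other common default
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")
COMMUNITY_RE = re.compile(
    r"^\s*(r[ow]community6?)\s+(\S+)|^\s*(com2sec6?)\s+\S+\s+\S+\s+(\S+)")

def unregistered(neigh_text, register):
    """Return (ip, mac) for every resolved neighbour missing from the register."""
    known = {mac.lower() for mac in register}
    hits = (NEIGH_RE.match(line) for line in neigh_text.splitlines())
    return [(m.group(1), m.group(2).lower()) for m in hits
            if m and m.group(2).lower() not in known]

def default_communities(conf_text):
    """Return (directive, community) for lines that use a well-known name."""
    found = []
    for line in conf_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            directive, name = m.group(1) or m.group(3), m.group(2) or m.group(4)
            if name.lower() in WELL_KNOWN:  # case variants are just as guessable
                found.append((directive, name))
    return found

if __name__ == "__main__":
    print("not in asset register:", unregistered(NEIGH, REGISTERED))
    print("well-known community:", default_communities(SNMPD_CONF))
```

Entries without a resolved hardware address (the `FAILED` line) are skipped, so the first result lists only devices that actually answered on the segment.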


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
 