IT Baseline Protection Manual T 3.39 Improper administration of the RAS system
Improper administration of RAS components constitutes a potential risk which should not be overlooked. Once they reach a certain size and structure, RAS systems are complex systems which only trained system administrators can configure correctly and securely. Because an administrator possesses privileged rights in the system, administrative errors generally have a pronounced effect on its stability and security. Some of the problems which can occur with RAS systems are set out below.
Security-relevant routine tasks on the RAS client are frequently neglected. These include, for example, regular data backups or scanning for computer viruses. In particular, mobile RAS clients are taken around by their users and are therefore only seldom available to system administration staff. While remote administration can be performed during an established RAS session, connection times may, depending on the usage profile, be too short to carry out systematic remote maintenance. If the regular administrative tasks are not performed, the individual clients end up with differing configurations.
Remote administration of computers can be performed with the aid of commonly used software products and is often possible simply using mechanisms provided by the operating system. The use of unauthorised software (by the user or the administrator) often means that either non-permitted protocols are used over a RAS connection or that settings are made which do not comply with the security guidelines in force and can therefore open up security loopholes.
If computer virus checking is performed exclusively on the server, client-side encryption of data can be a problem. Many application protocols can be carried over RAS connections, so that the transport of e-mail, Web content or files is possible. If this data is encrypted, it can no longer be checked for viruses by anti-virus software installed on the server.
No anti-virus software is installed on the RAS client, or the software installed is out of date or disabled. As RAS clients are frequently operated in insecure environments, with the result, for example, that the exchange of data media is in practice uncontrolled, computer viruses constitute a particularly serious threat. In particular, there is a danger that computer viruses or Trojan horses will find their way into the LAN via the RAS client.
If functions which place heavy demands on bandwidth are performed over RAS connections, there is a danger that the user will terminate a RAS session and start another one because he believes there is a fault on the line, when in reality the response time is unacceptably slow simply because the bandwidth is inadequate. This can not only result in inconsistencies in the application data due to the unexpected termination of a connection; repeated attempts by users to establish a connection, each followed by termination, can also increase the load on the RAS system.
A general danger arising from inadequate administration is that the hardware or software components used for communication, on which the RAS connections rely, are configured incorrectly or incompatibly with one another. Incorrect configuration can range from incorrect security settings through to incompatible communication protocols. The consequences are just as diverse: for example, users are unable to log on when they need to, or unauthorised third parties can successfully establish a connection.
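The administrative shortcomings described above (neglected backups and virus scanning, missing or disabled anti-virus software, non-permitted protocols over the RAS link, and bandwidth-heavy tasks running over RAS connections) are things an administrator can check for systematically rather than client by client. The following is an added example and not part of the IT Baseline Protection Manual: a Python script that compares an inventory of RAS clients against an assumed baseline and reports configuration drift. The baseline thresholds, the finding codes, the client records and the audit date are all constructed for illustration; a real deployment would fill the inventory from the software management or endpoint management system in use.

```python
"""Configuration-drift audit for RAS clients (constructed example).

Each RAS client is described by a small inventory record; the audit
compares the record against an assumed baseline and returns a list of
finding codes. An empty list means the client complies with the baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed baseline, as an administrator might define it (constructed values).
BASELINE = {
    # Anti-virus signatures older than this are treated as out of date.
    "max_av_signature_age_days": 7,
    # Data backups older than this are treated as neglected.
    "max_backup_age_days": 14,
    # Application protocols permitted over a RAS connection.
    "permitted_protocols": {"https", "imaps", "smtps", "sftp"},
    # Bandwidth-heavy tasks that must not run over a RAS connection.
    "heavy_tasks_over_ras": {"software_distribution", "db_replication"},
}


@dataclass
class RasClient:
    name: str
    av_installed: bool
    av_enabled: bool
    av_signature_date: Optional[date]   # None: no signatures present
    last_backup: Optional[date]         # None: never backed up
    protocols_in_use: Set[str]
    heavy_tasks_over_ras: Set[str]      # tasks configured to run over RAS


def audit_client(client: RasClient, baseline: dict, today: date) -> List[str]:
    """Return the finding codes for one client, in a fixed order."""
    findings: List[str] = []

    # Anti-virus state: missing software, disabled software, stale signatures.
    if not client.av_installed:
        findings.append("AV_MISSING")
    else:
        if not client.av_enabled:
            findings.append("AV_DISABLED")
        if (client.av_signature_date is None
                or (today - client.av_signature_date).days
                > baseline["max_av_signature_age_days"]):
            findings.append("AV_SIGNATURES_STALE")

    # Data backups: never performed, or older than the baseline allows.
    if client.last_backup is None:
        findings.append("BACKUP_NEVER")
    elif (today - client.last_backup).days > baseline["max_backup_age_days"]:
        findings.append("BACKUP_STALE")

    # Protocols used over the RAS link that the guidelines do not permit.
    for proto in sorted(client.protocols_in_use - baseline["permitted_protocols"]):
        findings.append(f"UNPERMITTED_PROTOCOL:{proto}")

    # Bandwidth-heavy tasks that are (wrongly) configured to run over RAS.
    for task in sorted(client.heavy_tasks_over_ras & baseline["heavy_tasks_over_ras"]):
        findings.append(f"HEAVY_TASK_OVER_RAS:{task}")

    return findings


def audit_fleet(clients: List[RasClient], baseline: dict, today: date) -> Dict[str, List[str]]:
    """Audit every client and map its name to its findings."""
    return {c.name: audit_client(c, baseline, today) for c in clients}


def clients_needing_attention(report: Dict[str, List[str]]) -> List[str]:
    """Names of clients with at least one finding, sorted for reporting."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory and audit date (not real systems).
AUDIT_DATE = date(2024, 1, 15)
SAMPLE_CLIENTS = [
    RasClient("laptop-01", True, True, date(2024, 1, 13), date(2024, 1, 10),
              {"https", "imaps"}, set()),
    RasClient("laptop-02", True, True, date(2023, 12, 20), date(2023, 11, 30),
              {"https", "telnet"}, {"software_distribution"}),
    RasClient("laptop-03", False, False, None, None,
              {"sftp"}, {"db_replication"}),
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_CLIENTS, BASELINE, AUDIT_DATE)
    for name in clients_needing_attention(report):
        print(name, ", ".join(report[name]))
```

Run as a script, the audit lists laptop-02 (stale signatures and backup, telnet over RAS, software distribution configured over RAS) and laptop-03 (no anti-virus software, never backed up, database replication over RAS), while laptop-01 produces no findings. Keeping the finding order fixed makes the output easy to diff between audit runs, so newly appearing drift on a client stands out.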
Examples
An employee working out in the field regularly uses the replication mechanism of a groupware product to update his local copy of a technical reference database. Because the replication mechanism is incorrectly configured, replication is always initiated after the RAS connection has been established, so that a connection over a mobile phone modem always appears to "hang" after successful logon.
A company uses a software management system which regularly installs new software updates on the individual users' computers. Due to a configuration error, the mobile RAS clients are included in this procedure. After a connection has been successfully established, the entire bandwidth is then taken up by the management software attempting to install a substantial update package on the computer.