OPS.1.1.2 Proper IT Administration

Description

Introduction

IT administration refers primarily to activities within IT Operations that require administrative rights and that modify the configuration of IT components. Administrators not only ensure that IT components remain available, but also implement information security measures and verify whether these are effective.

The areas of activity of administrators include, among other things, setting up, configuring, auditing, and modifying existing IT for an institution. This also includes specialist administration, i.e. the IT administration of applications for whose operation the corresponding specialist department rather than the IT Operations organizational unit is responsible.

Administrative rights for IT components (i.e. in particular for IT systems, IT services, applications, IT platforms, and networks) are privileged rights that can include, in addition to access credentials, network access as well as physical access. Therefore, both the administrative rights at the organizational level and the administration tools themselves are an attractive target for attackers. Essential for the security of IT administration are the proper and traceable execution of all administrative activities and the securing of the tools required for this purpose.

Objective

The objective of this building block is to establish information security as an integral part of proper IT administration. By implementing this building block, the institution on the one hand ensures that the IT administration activities required for the security of the information domain are carried out properly and systematically. On the other hand, the institution also responds to the particular threats arising inevitably from dealing with privileged rights and from access to security-relevant areas of the institution.

Scope and Modeling

The building block OPS.1.1.2 Proper IT Administration is to be applied once to the entire information domain.

In order to create an IT-Grundschutz model for a specific information domain, all building blocks must generally be considered in their entirety. As a rule, several building blocks are to be applied to the topic or target object.

This building block addresses:

  • Cross-cutting requirements for the administration process, both for IT Operations and in specialist administration,
  • Requirements for administrative activities, as well as
  • Requirements for handling administrative permissions, i.e. privileged physical access, logical access, and system access.

The following content is also relevant and is addressed elsewhere:

This building block does not address:

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.1.2 Proper IT Administration.

Insufficiently Regulated Responsibilities

IT administration encompasses diverse tasks across a wide variety of components in different areas. If there are no regulations on responsibilities or processes, or if the regulations and processes are not known to those responsible, this can have various consequences. Required administration tasks may not be completed at all, or may be handled by the wrong area, which may not be aware of all the details to be observed. Different areas may also take measures that work against each other. This can cause IT systems to be only partially available or to become unavailable altogether.

If, when defining responsibilities, it is not taken into account that different IT administration activities (e.g. application operations and system operations) are inseparably linked, related tasks may not be executed properly.

If administrators receive too many rights because responsibilities are not regulated, they may be able to access confidential information that they are not allowed to view. This is particularly the case when, out of convenience, too many administrative accounts with too extensive rights are set up, in the worst case even across organizational units.

In addition, too large a number of administrators can lead to a loss of control if it is not clearly regulated who is responsible for which tasks. In this case, all information security objectives are at risk.

Insufficient Documentation

Documentation can be insufficient if information about IT components (e.g. about configuration or access rights) has not been recorded or has only been incompletely recorded. Documentation is also insufficient if it is not updated in the context of IT administration activities, because it then no longer corresponds to the actual state.

Insufficient documentation can lead to misconfigurations or generally faulty IT administration. This can significantly jeopardize all information security objectives.

In addition, emergency management can also be significantly impaired because information must first be gathered for time-critical tasks, or tasks cannot be performed as planned due to the discrepancy between documentation and the actual state. This can lead to a failure not being resolved quickly enough and the availability of IT components being impaired for longer.

Misuse of Privileged Permissions by Administrators

Overly broad administrative permissions can be used for sabotage or to spy on information that can be used as a starting point for attacks. This jeopardizes all information security objectives.

Privileged physical, logical, and system access can also be misused if processes for the departure of internal or external administrators are insufficient, allowing departed persons to continue accessing IT components. In this case too, all information security objectives are at risk.

Disclosure of Protected Information to Unauthorized Persons

Via IT administration access, protected information can be accessed, such as the documentation needed for IT administration or the configurations of IT systems. If IT administration access is insufficiently secured, unauthorized persons can also access protected information. Beyond the loss of confidentiality, this information can also be manipulated or used for further attacks, which significantly jeopardizes all information security objectives.

Loss of Core Competency Holders

If the required knowledge is not available redundantly among administrators in all areas, an IT administration activity cannot be performed while the holders of the core competency are unavailable. If, in addition, the documentation for the tasks to be performed is insufficient, other administrators cannot perform the activity without incurring further risks. Malfunctions may then go unresolved. As a result, the availability of IT systems is not (sufficiently) guaranteed and vulnerabilities cannot be remediated, which facilitates attacks.

This situation can also arise if no substitutes with corresponding permissions are designated for IT administration activities, or if the designated substitutes, or even the emergency access, lack the required administrative permissions.

Insufficient Availability of Administrators

If there is a shortage of administrators (e.g. due to insufficient personnel planning, overbooking, or a pandemic), required administration tasks may go unperformed for lack of time. Time pressure may also lead to errors in IT administration. Both can result in insufficient availability of IT systems or in an increased attack surface, thereby jeopardizing all information security objectives.

Personnel shortages can additionally result in administrators being insufficiently trained for their tasks due to time constraints, which can also lead to certain IT administration activities not being carried out correctly when needed or in an emergency.

Insufficient Securing of Administration Tools

Administration tools enable extensive access to an institution’s IT. If these tools are insufficiently secured, this can lead to the administration tools themselves being at risk with regard to all information security objectives. Via them, IT administration can be sabotaged or unauthorized IT administration can be enabled.

If access to administration tools is obtained during an attack, extensive permissions can be gained. These permissions can be misused for attacks of all kinds, which also jeopardizes all information security objectives.

Administration tools may be insufficiently secured, for example, because they are insufficiently separated from other applications. This lack of separation can occur at any level; for example, text editors or SSH clients used for IT administration may also be used in a non-administrative context.

Failure of Administration Capability

If administration capabilities fail and due to poor planning there is no redundancy or other alternatives, IT administration activities of this kind cannot be performed until the outage is resolved. In the worst case, this means all IT is restricted or no longer available or functional.

Administration tools can also fail due to their own administration — for example, through mis-administration, an applied patch, or a change brought about by an IT administration activity.

Misdirected Administration

If IT administration is misdirected, for example by injecting false information, administrators can be led to incorrect responses. For example, administrators may be informed outside the regulated process that an IT system has failed, leading them to restart it. In this way, information, hardware, or software can be manipulated so that their availability and integrity are no longer guaranteed. Protected information can also be disclosed in this way.

Erroneous Administration

Human errors can never be ruled out and can have far-reaching consequences in IT administration. Additionally, they are facilitated by some of the threats mentioned above.

The tools used in IT administration allow far-reaching changes to IT components with little effort. Depending on the error, all information security objectives can be significantly jeopardized. Errors are particularly facilitated by parallel work on different topics, where, for example, different input windows or console outputs can be confused.

IT Disruption Through IT Administration Activities

Even if IT administration activities are performed without errors, the institution’s IT can still be disrupted in the process. If, for example, prescribed maintenance windows for IT administration activities are not observed, the availability of the administered IT can be disrupted. In addition, IT administration activities correctly performed within the maintenance window can later lead to disruptions — for example, if the administrability of the corresponding components is impaired by unforeseen interactions.

Requirements

The following are the specific requirements of building block OPS.1.1.2 Proper IT Administration. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities               Roles
Primarily responsible          IT Operations
Additional responsibilities    None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.1.2.A1 DISCONTINUED (B)

This requirement has been discontinued.

OPS.1.1.2.A2 Substitute Arrangements (B)

For each administration task, a substitute MUST be designated. The substitute MUST have the necessary administrative permissions (organizational and technical) to perform the task. A designated substitute MUST have the knowledge required in the context of the administration task.

The substitute arrangement MUST take into account shortage and emergency situations.

OPS.1.1.2.A3 DISCONTINUED (B)

This requirement has been discontinued.

OPS.1.1.2.A4 Termination of IT Administration Activities (B)

If a person is relieved of administration tasks, all associated privileged permissions at the organizational and technical level MUST be revoked. In particular, personal administrative accounts MUST be disabled and passwords of all administrative accounts that are known to the person MUST be changed. Furthermore, all affected parties MUST be informed that this person has been relieved of the corresponding tasks and therefore no longer has administrative permissions.

It MUST be regulated under what conditions it is checked whether additional undocumented administrative rights have been acquired. This check SHOULD take place in particular if the decision to relieve a person of administration tasks was not made with the agreement of that person. If such administrative rights are found, they MUST be revoked.

OPS.1.1.2.A5 Verifiability of Administrative Activities (B)

Administrative activities MUST be verifiable. For this purpose, at minimum the following MUST be recorded:

  • What change was made during an activity,
  • Who performed an activity, and
  • When an activity was performed.

The institution MUST be able to demonstrate at any time which person performed which administrative activities. For this purpose, all administrators SHOULD have their own access credentials. Substitutes for administrators SHOULD also receive their own access credentials. Every login via an administrative account MUST be logged.

OPS.1.1.2.A6 Protection of Administrative Activities (B)

Administrative interfaces and functions MAY ONLY be available to authorized persons. Appropriate authentication procedures MUST be defined for these interfaces and functions. It MUST be ensured that IT administration activities can only be performed after corresponding authentication has taken place.

It MUST be defined which protocols may be used for administrative interfaces, so that the communication taking place during administration is secured.

OPS.1.1.2.A21 Regulation of IT Administration Roles (B)

Roles MUST be defined that are assigned exclusively for IT administration. Administration roles MUST be assigned in a traceable manner based on the actual need in the area of IT administration. All necessary IT administration activities MUST be covered by permissions in the administration roles in accordance with the principle of least privilege.

The IT administration of different levels of IT components — e.g. the separation of operating system and application administration — MUST be taken into account when designing the administration roles.

OPS.1.1.2.A22 Separation of Administrative and Other Activities (B)

The person performing a task MUST know which part of their task constitutes administrative activities. Tasks that do not require administrative rights MUST NOT be performed with administrative rights.

It MUST be ensured that administration tools are clearly recognizable as such. If an application is used to fulfill an administration task, the SAME instance of that application MUST NOT be used for other tasks. This SHOULD be ensured at the technical level. The access credentials used for IT administration SHOULD differ from access credentials used in other contexts.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.1.2.A7 Regulation of IT Administration Activities (S)

Each IT administration activity SHOULD be assigned to a clearly defined task. For these tasks, it SHOULD be regulated:

  • By whom this task may be performed, and
  • By whom this task may be commissioned.

It SHOULD be traceable in which processes administration tasks are embedded. IT administration activities SHOULD only be performed with those permissions necessary to fulfill the corresponding task. It SHOULD be defined how IT administration activities are to be performed.

The regulations for IT administration activities SHOULD be reviewed and updated regularly and as circumstances require.

For each IT administration activity, it SHOULD be ensured that it can also be performed in an emergency if necessary.

OPS.1.1.2.A8 Administration of Specialist Applications (S)

It SHOULD be regulated and documented which administration tasks for specialist applications are performed by IT Operations and which are performed by specialist administration.

For specialist applications, it SHOULD be identified what system-level access IT Operations needs.

All interfaces and dependencies between specialist administration and administration by IT Operations SHOULD be identified. Whenever administration processes are created and maintained, the responsibilities and dependencies of these interfaces SHOULD be considered.

OPS.1.1.2.A9 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.1.2.A10 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.1.2.A11 Documentation of IT Administration Activities (S)

IT administration activities performed SHOULD be documented traceably. It SHOULD be checked what general requirements exist for the documentation of IT administration activities. It SHOULD be identified what objectives are to be achieved with the documentation. Based on these requirements and objectives, it SHOULD be bindingly defined which steps are documented in what level of detail. The documentation SHOULD contain at minimum:

  • What changes were made,
  • When the changes were made,
  • Who made the changes,
  • On what basis or for what reason the changes were made, and
  • To what extent and for what reason there was a deviation from prescribed standards or configurations, if applicable.

Documentation in the context of an IT administration activity SHOULD be included in standard work procedures. It SHOULD be regulated which options are to be used if IT administration activities are performed unscheduled.

It SHOULD be identified under what circumstances access to the documentation is necessary. Access SHOULD be ensured accordingly.

OPS.1.1.2.A12 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.1.2.A13 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.1.2.A16 Extended Security Measures for Administration Access (S)

Access to administrative interfaces and systems SHOULD be restricted to IT systems used for IT administration. Therefore, networks used for IT administration SHOULD be separated from the productive networks of administered components by filtering and segmentation measures (out-of-band management). Where out-of-band management is not possible, software interfaces and physical interfaces for IT administration SHOULD be secured by additional measures and SHOULD only be reachable by persons authorized to use them. Two-factor authentication SHOULD be used for this purpose.

OPS.1.1.2.A20 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.1.2.A23 Role and Permission Concept for Administrative Access (S)

An appropriate role and permission concept for administrative access SHOULD exist. It SHOULD contain general requirements, at minimum regarding:

  • How administration roles are requested and assigned,
  • What types of administration roles exist,
  • What types of permissions are granted in the context of administration roles,
  • How permissions required for IT administration are granted.

OPS.1.1.2.A24 Review of IT Administration Activities (S)

Before an IT administration activity is performed, it SHOULD be checked whether the occasion and type of activity are plausible in the context of the underlying task. After an IT administration activity has been performed on a component, it SHOULD be checked whether the configuration and status of the component correspond to the desired target state.

If additional quality assurance of the executed administration task is necessary, it SHOULD NOT be performed by the same person who performed the corresponding activities.

For IT administration activities with potentially far-reaching consequences, it SHOULD be checked whether these activities could restrict the availability of IT administration itself. In this case, appropriate precautions SHOULD be taken to enable a rollback of the IT administration activities.

OPS.1.1.2.A25 Time Windows for Critical IT Administration Activities (S)

For IT administration activities with potentially far-reaching consequences, maintenance windows SHOULD be agreed upon by IT Operations. If IT Operations specifies requirements for time windows for IT administration activities, these MUST be adhered to.

OPS.1.1.2.A26 Backup of Configurations (S)

All configurations SHOULD be backed up by regular backups at the application level and at the IT system level. Before IT administration activities with potentially far-reaching consequences, an additional backup SHOULD be made. For backups, it SHOULD be ensured that they can be restored in the event of an error.

OPS.1.1.2.A27 Alternatives for Central IT Administration Tools (S)

Alternatives SHOULD be available for central IT administration tools with which administration can be performed if required. For this purpose, jump servers with access to the corresponding administration networks SHOULD be available. If such alternatives are not available, direct access and system access to the IT to be administered SHOULD be possible for IT administration.

OPS.1.1.2.A28 Logging of Administrative Activities (S)

Administrative activities SHOULD be logged. The log files SHOULD be kept securely for an appropriate period of time. The executing administrators SHOULD have no way to change or delete the recorded log files. Log data SHOULD be regularly reviewed.
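The A5 minimum record (what, who, when) and the A28 requirement that executing administrators have no way to change or delete the log can be made checkable together. The following is an added example, not part of the BSI text: it keeps a hash-chained activity record whose head hash is stored on a system the administrators cannot write to, rejects entries that lack the A5 fields or name a shared account, and detects both an edited record and a chain rewritten with recomputed hashes. Account names, hosts, timestamps, the shared-account list and the genesis value are constructed assumptions.

```python
import hashlib
import json

# Minimum attributes OPS.1.1.2.A5 requires for every administrative activity.
REQUIRED_FIELDS = ("who", "what", "when")

# Constructed list of shared account names: an entry attributed to one of
# these cannot be traced to a person, which A5 requires (personal credentials).
SHARED_ACCOUNTS = {"root", "admin", "administrator"}

# Hypothetical anchor value for the first chain link.
GENESIS_HASH = "0" * 64


def canonical_bytes(entry: dict) -> bytes:
    """Serialise deterministically so the same entry always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link_hash(prev_hash: str, entry: dict) -> str:
    """Each link commits to the previous link, so editing or removing an
    earlier record changes every hash after it."""
    digest = hashlib.sha256()
    digest.update(prev_hash.encode("ascii"))
    digest.update(canonical_bytes(entry))
    return digest.hexdigest()


class AdminActivityLog:
    """Hash-chained record of administrative activities (constructed example)."""

    def __init__(self):
        self.records = []  # list of {"entry": dict, "hash": str}

    def head(self) -> str:
        """Hash of the newest record. Ship this value to a system the
        administrators cannot write to; it is the trusted anchor for verify()."""
        return self.records[-1]["hash"] if self.records else GENESIS_HASH

    def append(self, who: str, what: str, when: str, target: str) -> str:
        entry = {"who": who, "what": what, "when": when, "target": target}
        missing = [k for k in REQUIRED_FIELDS if not entry[k]]
        if missing:
            raise ValueError(f"A5 requires these fields: {missing}")
        if who in SHARED_ACCOUNTS:
            raise ValueError(f"'{who}' is a shared account; activity cannot be attributed")
        record = {"entry": entry, "hash": link_hash(self.head(), entry)}
        self.records.append(record)
        return record["hash"]

    def verify(self, trusted_head: str) -> int:
        """Return -1 if every link is consistent and the newest hash equals the
        externally stored head. Otherwise return the index of the first record
        whose hash no longer matches its content, or len(records) when the chain
        is self-consistent but differs from the trusted head (records rewritten
        with recomputed hashes, or truncated)."""
        prev = GENESIS_HASH
        for index, record in enumerate(self.records):
            if link_hash(prev, record["entry"]) != record["hash"]:
                return index
            prev = record["hash"]
        return -1 if prev == trusted_head else len(self.records)


def demo() -> dict:
    """Constructed scenario: three logged changes, then two kinds of tampering."""
    log = AdminActivityLog()
    log.append("alice.adm", "sshd_config: PermitRootLogin yes -> no", "2024-05-03T21:05:12Z", "srv-web-01")
    log.append("bob.adm", "firewall: allow tcp/8443 from 10.0.20.0/24", "2024-05-03T21:30:44Z", "fw-edge-02")
    log.append("alice.adm", "rotated service account password", "2024-05-03T22:02:09Z", "db-main-01")
    trusted_head = log.head()            # copy held outside the administrators' reach
    intact = log.verify(trusted_head)    # -1: chain and anchor agree

    # Tampering 1: edit the content of record 1 without touching its hash.
    log.records[1]["entry"]["what"] = "firewall: allow tcp/443 from 10.0.20.0/24"
    edited = log.verify(trusted_head)    # 1: first record whose hash no longer fits

    # Tampering 2: recompute all hashes so the chain looks consistent again.
    prev = GENESIS_HASH
    for record in log.records:
        record["hash"] = prev = link_hash(prev, record["entry"])
    rewritten = log.verify(trusted_head)  # 3: chain consistent, but head differs
    return {"intact": intact, "edited": edited, "rewritten": rewritten}
```

The second tampering case shows why the chain alone is not enough: only the off-host copy of the head hash makes a wholesale rewrite detectable.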

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.1.2.A14 DISCONTINUED (H)

This requirement has been discontinued.

OPS.1.1.2.A15 DISCONTINUED (H)

This requirement has been discontinued.

OPS.1.1.2.A17 IT Administration Under the Four-Eyes Principle (H)

It SHOULD be regulated which administration tasks require an additional person to monitor their execution. This person SHOULD also have the qualifications necessary for execution in the context of the IT administration activities to be performed.

OPS.1.1.2.A18 Continuous Logging of Administrative Activities (H)

For IT components with high protection needs, all administrative activities in all areas SHOULD be logged. Each administrative action SHOULD be fully traceable. The executing administrators SHOULD have no influence on the type and extent of the logging.

OPS.1.1.2.A19 Use of Highly Available IT Administration Tools (H)

Administration tools SHOULD be designed with redundancy. It SHOULD be ensured that in the event of a disruption, all administration tasks can still be performed without significant restrictions.

OPS.1.1.2.A29 Monitoring of IT Administration Tools (H)

For IT administration tools, metrics for availability SHOULD be identified. These metrics SHOULD be continuously monitored. Tolerable limit values for these metrics SHOULD be defined. If these are not met, the responsible teams SHOULD be automatically notified.

OPS.1.1.2.A30 Security Monitoring of Administrative Activities (H)

If an IT system is used for central detection and automated real-time verification of event messages, event data on administrative activities SHOULD be evaluated there. For this purpose, existing IT monitoring systems and critical administration tools SHOULD be integrated into this IT system.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides requirements for proper IT administration in Annex A of the ISO/IEC 27001:2013 standard, particularly in the context of the topics access control (A.9) and IT operations (A.12).

The BSI specifies requirements for the area of secure administration, among others, in the document “Konkretisierung der Anforderungen an die gemäß § 8a Absatz 1 BSIG umzusetzenden Maßnahmen.”