OPS.1.2.5 Remote Maintenance

Description

Introduction

The term remote maintenance refers to time-limited access to IT systems and the applications running on them, carried out from another IT system. The access can serve, for example, to perform configuration, maintenance, or repair work.

Remote maintenance can take place in different ways. When performing remote maintenance on clients, the keyboard and mouse input from the administrators' IT system is usually transmitted to the remote IT system, and the remote IT system transmits its screen output back to the administrators' IT system. The administrators thus perform actions on the remote IT system as if they were on site (active remote maintenance). When performing remote maintenance on servers, it is usually the console input and output that is transmitted.

In passive remote maintenance, only the screen content of an IT system is transmitted to the administrators. The administrators give instructions to the on-site users, who carry them out while the administrators observe. In practice, however, this approach usually proves very time-consuming and cumbersome, which is why IT Operations is often given full access to the IT system instead.

Since many IT systems are beyond the reach of their administrators (e.g. in remote data centers, industrial plants, or an external location without IT staff), remote maintenance is used in many institutions. In remote maintenance, internal IT systems and applications of an institution are often accessed via insecure networks. Due to the far-reaching intervention possibilities in these IT systems and applications, the security of remote maintenance components is of particular importance.

Objective

The objective of this building block is to protect the information that is stored, processed, and transmitted during remote maintenance, as well as to protect the remote maintenance interfaces of IT systems. For this purpose, requirements are placed on remote maintenance that relate equally to functions of active and passive remote maintenance.

Scope and Modeling

The building block is to be applied to all target objects in the information domain where remote maintenance is used.

This building block considers remote maintenance predominantly from the perspective of IT Operations and provides guidance for administrators on how remote maintenance can be used. The security aspects of the communication connections and authentication mechanisms used, as well as the securing of remote maintenance access, are important components of this building block. Nevertheless, it does not cover all relevant aspects of the business processes connected with remote maintenance. In particular, the building blocks OPS.1.1.3 Patch and Change Management, ORP.3 Information Security Awareness and Training, CON.1 Crypto Concept and CON.3 Data Backup Concept must additionally be observed. Likewise, the requirements of the building block layer NET Networks and Communication must be implemented insofar as they are directly connected with remote maintenance.

If remote maintenance is performed by external service providers, the building block OPS.2.3 Use of Outsourcing must also be observed. If cloud-based remote maintenance products are used, the general requirements from building block OPS.2.2 Cloud Use must also be met.

Requirements for securing remote maintenance using firewalls are not part of this building block. Requirements for this can be found in building block NET.3.2 Firewall.

Basic aspects of IT administration are also not considered in this building block. They can be found in building block OPS.1.1.2 Proper IT Administration. Requirements for system management are also not considered. These can be found in building block OPS.1.1.7 System Management.

Remote maintenance in the industrial environment is not the focus of this building block. Requirements for this can be found in building block IND.3.2 Remote Maintenance in the Industrial Environment.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.2.5 Remote Maintenance.

Insufficient Knowledge of Remote Maintenance Regulations

Administrators who set up and use remote maintenance rely on regulations that specify how remote maintenance should be used. For example, it is necessary to specify how applications for remote maintenance should be configured. Otherwise, remote maintenance can create additional risks for the internal network. If the regulations on remote maintenance are not communicated to those involved, dangers arise for IT Operations. For example, a remote maintenance interface could be set up and an authentication method with an insecure password could be permitted, instead of a secure, certificate-based method.

Missing or Inadequate Planning and Regulation of Remote Maintenance

If remote maintenance is not carefully planned, established, and regulated, the security of all IT systems in an institution can be compromised. If, for example, insecure communication protocols, encryption algorithms, or authentication mechanisms are used, security vulnerabilities can arise. A coupled network of a third party can also be compromised via inadequately secured remote maintenance interfaces.

Inappropriate Use of Authentication in Remote Maintenance

Different authentication mechanisms can be used in remote maintenance. If an insecure authentication method is used, unauthorized third parties can obtain administrative permissions on remote maintenance systems or for remote maintenance tools. As a result, they can access the institution’s IT systems and cause extensive damage.

An example of this is a login procedure that uses only a short password. In an attack, this password can be guessed in a short time and access to the institution’s IT systems can be gained in this way.

Faulty Remote Maintenance

In order to ensure the security and functionality of IT systems and applications that can only be accessed remotely, professional and regular remote maintenance is required. If such IT systems and applications are not properly configured and maintained via remote maintenance, they may in the worst case no longer be usable. If the remote maintenance processes do not run correctly, this can lead to malfunctions of individual operating system components. Furthermore, late or faulty IT system maintenance can create security vulnerabilities.

Use of Insecure Protocols in Remote Maintenance

Communication over public and internal networks using insecure protocols represents a potential danger. If, for example, outdated versions of IPsec, SSH, or SSL/TLS are used to establish a tunnel between two networks or endpoints, it cannot be guaranteed that the tunnel is sufficiently secure and that the information transmitted in it is adequately protected. In an attack, vulnerabilities of these protocols can be exploited to inject attacker-controlled content into protected connections. Protocols that transmit information in clear text are generally considered insecure.

Missing Regulations for Third-Party Use of Remote Maintenance Access

If IT systems are remotely maintained by third parties without a contractual basis for this, the responsibilities for remote maintenance may not be clearly regulated. As a result, for example, role separations can be circumvented or open remote maintenance access points remain undocumented.

Use of Online Services for Remote Maintenance

In addition to remote maintenance where a direct data connection to the relevant institution is established, online services can also be used. Here, the IT systems to be administered connect to the servers of online services and the administrators can access the IT systems to be administered, e.g. via a web browser.

If the communication is not end-to-end encrypted, the online services could read the data exchange. In addition, the IT systems could also be administered by unauthorized persons by modifying the data connection. If the IT systems automatically establish a data connection to the online service at system startup, the IT system could be accessed directly without the users of the IT system or the responsible administrators being aware of this.

Unknown Remote Maintenance Components

Many IT systems contain components that offer integrated functions for remote maintenance. However, these functions are often poorly documented and are not taken into account when procuring and operating IT systems.

Integrated remote maintenance components have far-reaching access to the IT systems in which they are installed. This access often acts directly on other components of the IT system and can thus bypass the security mechanisms of the operating system. In addition, integrated remote maintenance functions can contain vulnerabilities that facilitate unauthorized access to the IT system.

Requirements

The following are the specific requirements of building block OPS.1.2.5 Remote Maintenance. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities              Roles
Primarily responsible         IT Operations
Additional responsibilities   Users

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.2.5.A1 Planning of Remote Maintenance Use (B)

The use of remote maintenance MUST be adapted to the institution. Remote maintenance MUST be planned as needed with regard to technical and organizational aspects. In doing so, it MUST at least be taken into account which IT systems are to be remotely maintained and who is responsible for this.

OPS.1.2.5.A2 Secure Connection Establishment in Remote Maintenance of Clients (B) [Users]

If remote maintenance is used to access desktop environments of clients, the remote maintenance software MUST be configured so that it only establishes a connection after explicit consent from the users.

OPS.1.2.5.A3 Securing the Interfaces for Remote Maintenance (B)

The possible access points and communication connections for remote maintenance MUST be restricted to the necessary extent. All remote maintenance connections MUST be disconnected once the remote access is finished.

It MUST be ensured that remote maintenance software is only installed on IT systems where it is needed.

Remote maintenance connections via untrusted networks MUST be encrypted. All other remote maintenance connections SHOULD be encrypted.

OPS.1.2.5.A4 DISCONTINUED (B)

This requirement has been discontinued.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.2.5.A5 Use of Online Services (S)

The institution SHOULD determine under which circumstances online services may be used for remote maintenance where the connection is established via an external server. The use of such services SHOULD generally be restricted to as few cases as possible. The IT systems SHOULD NOT establish automated connections to the online service. It SHOULD be ensured that the online service used encrypts the transmitted information end-to-end.

OPS.1.2.5.A6 Creation of a Policy for Remote Maintenance (S)

The institution SHOULD create a policy for remote maintenance in which all relevant regulations on remote maintenance are documented. The policy SHOULD be known to all responsible persons involved in the design, establishment, and operation of remote maintenance.

OPS.1.2.5.A7 Documentation in Remote Maintenance (S)

Remote maintenance SHOULD be appropriately documented. The documentation SHOULD show which remote maintenance access points exist and whether they are activated. The documents SHOULD be stored at appropriate locations and protected from unauthorized access. The documents SHOULD be available within the scope of emergency management.

OPS.1.2.5.A8 Secure Protocols in Remote Maintenance (S)

Only communication protocols classified as secure SHOULD be used. For this purpose, secure cryptographic procedures SHOULD be used. The strength of the cryptographic procedures and keys used SHOULD be regularly reviewed and adjusted if necessary.

If IT systems in the internal network are remotely maintained via a public data network, a secured Virtual Private Network (VPN) SHOULD be used.

OPS.1.2.5.A9 Selection and Procurement of Suitable Remote Maintenance Tools (S)

The selection of suitable remote maintenance tools SHOULD result from the operational, security-related, and data protection requirements of the institution. All procurement decisions SHOULD be coordinated with the system and application responsible persons as well as the ISO.

OPS.1.2.5.A10 Handling of Remote Maintenance Tools (S)

Organizational management processes SHOULD be established for handling the selected remote maintenance tools. Operating instructions for handling the remote maintenance tools SHOULD be available. Sample procedures for passive and active remote maintenance SHOULD be created and communicated. In addition to the general training measures, IT Operations SHOULD be particularly sensitized and trained in handling the remote maintenance tools. A contact person for all technical questions on remote maintenance tools SHOULD be named.

OPS.1.2.5.A11 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A12 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A13 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A15 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A16 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A17 Authentication Mechanisms in Remote Maintenance (S)

Multi-factor procedures SHOULD be used for authentication in remote maintenance. The choice of authentication method and the reasons that led to the choice SHOULD be documented. Remote maintenance access SHOULD be taken into account in the institution’s identity and authorization management.
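As an added illustration of A3, A8 and A17 (this script is not part of the building block, nor of OpenSSH), the following Python checks the effective server configuration printed by sshd -T against these three requirements: weak key exchange, cipher, MAC and host key algorithms (A8), password-only or single-method authentication (A17), and listening sockets bound outside the management network (A3). The management network 10.10.0.0/24, the lists of algorithm families treated as weak and the two sample configuration dumps are assumptions chosen for the example; the institution's crypto concept (CON.1) decides what actually counts as secure.

```python
"""Audit the effective OpenSSH server configuration (the key/value dump
produced by `sshd -T`) against OPS.1.2.5.A3, A8 and A17.

Added example; not part of the building block. The management network,
the weak-algorithm lists and the sample dumps below are assumptions."""
import ipaddress
import re

# Assumption: remote maintenance may only listen on the management network (A3).
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Algorithm families treated as not "classified as secure" (A8): SHA-1/MD5-based
# key exchange, signatures and MACs, CBC-mode, RC4 and 3DES ciphers.
WEAK_PATTERNS = {
    "kexalgorithms": re.compile(r"sha1"),
    "ciphers": re.compile(r"-cbc$|^arcfour|^3des"),
    "macs": re.compile(r"md5|sha1|-96|umac-64"),
    "hostkeyalgorithms": re.compile(r"^ssh-rsa$|^ssh-dss$"),
}


def parse_sshd_t(text):
    """Parse `sshd -T` output into {lowercase keyword: [values]} (keys may repeat)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def audit(cfg):
    """Return a list of findings, each tagged with the requirement it violates."""
    findings = []

    # A8: only secure cryptographic procedures may be offered.
    for key, weak in WEAK_PATTERNS.items():
        for alg in ",".join(cfg.get(key, [])).split(","):
            if alg and weak.search(alg):
                findings.append(f"A8 {key}: weak algorithm offered: {alg}")

    # A17: multi-factor authentication. A password alone is one factor, and every
    # alternative in AuthenticationMethods must require at least two methods.
    if cfg.get("passwordauthentication", ["no"])[0] == "yes":
        findings.append("A17 passwordauthentication: single-factor password login allowed")
    methods = cfg.get("authenticationmethods", ["any"])[0]
    if methods == "any" or any(len(alt.split(",")) < 2 for alt in methods.split()):
        findings.append(f"A17 authenticationmethods: no two-factor requirement: {methods}")

    # A3: restrict access points to the management network; a wildcard bind exposes
    # the remote maintenance interface on every attached network.
    for addr in cfg.get("listenaddress", []):
        host = addr.rsplit(":", 1)[0].strip("[]")  # "[::]:22" -> "::", "10.10.0.5:22" -> "10.10.0.5"
        ip = ipaddress.ip_address(host)
        if ip.is_unspecified or not any(ip in net for net in MGMT_NETWORKS):
            findings.append(f"A3 listenaddress: bound outside the management network: {addr}")
    return findings


# Constructed `sshd -T` dumps (not from real hosts): a weak and a hardened configuration.
WEAK_DUMP = """\
port 22
listenaddress [::]:22
listenaddress 0.0.0.0:22
passwordauthentication yes
kbdinteractiveauthentication no
authenticationmethods any
ciphers aes128-ctr,aes256-ctr,aes256-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1,hmac-md5-96
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
hostkeyalgorithms rsa-sha2-512,ssh-rsa,ssh-ed25519
"""

HARDENED_DUMP = """\
port 22
listenaddress 10.10.0.5:22
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"== {name} ==")
        for finding in audit(parse_sshd_t(dump)) or ["no findings"]:
            print(" ", finding)
```

To check a real maintained system, run sshd -T as root on that host and pass its output to parse_sshd_t; the weak sample yields eleven findings, the hardened sample none. Treat the findings as input to the review of cryptographic strength that A8 calls for, not as a substitute for the crypto concept itself.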

OPS.1.2.5.A18 DISCONTINUED (S)

This requirement has been discontinued.

OPS.1.2.5.A19 Remote Maintenance by Third Parties (S)

If remote maintenance is performed by external parties, all remote maintenance activities SHOULD be observed by internal employees. All remote maintenance operations by third parties SHOULD be recorded.

Contractual arrangements on the security of the affected IT systems and information MUST be concluded with external maintenance personnel. The obligations and competencies of the external maintenance personnel SHOULD be recorded in the contractual arrangements.

If service providers remotely maintain several customers, it MUST be ensured that the networks of the customers are not connected to each other. The remote maintenance interfaces SHOULD be configured so that it is only possible for service providers to access the IT systems and network segments required for their work.

OPS.1.2.5.A20 Operation of Remote Maintenance (S)

A reporting process for support and remote maintenance requests SHOULD be established.

Mechanisms for detecting and defending against high-volume attacks, TCP state exhaustion attacks, and application-level attacks SHOULD be implemented.

All remote maintenance operations SHOULD be logged.

OPS.1.2.5.A21 Creation of a Contingency Plan for Failure of Remote Maintenance (S)

A concept SHOULD be developed for how the consequences of a failure of remote maintenance components can be minimized. This SHOULD specify how to respond in the event of a failure. The contingency plan SHOULD ensure that disruptions, damages, and consequential damages are minimized. Furthermore, it SHOULD be determined how a timely restoration of normal operations can take place.

OPS.1.2.5.A24 Securing Integrated Remote Maintenance Systems (S)

When procuring new IT systems, it SHOULD be checked whether these IT systems or individual components of the IT systems have functions for remote maintenance. If these functions are not used, they SHOULD be deactivated. The functions SHOULD also be deactivated if they are threatened by known security vulnerabilities.

If remote maintenance functions that are integrated into the firmware of individual components are used, their functions and access to them SHOULD be restricted as much as possible. The remote maintenance functions SHOULD only be reachable from a separate management network.

OPS.1.2.5.A25 Decoupling Communication in Remote Maintenance (S)

Direct remote maintenance access from a remote maintenance client outside the management networks to an IT system SHOULD be avoided. If such access is necessary, the communication SHOULD be decoupled. Jump servers SHOULD be used for this purpose. Access to jump servers SHOULD only be possible from trusted IT systems.
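As an added illustration of the logging and recording requirements in A19 and A20 together with the jump server decoupling in A25 (example code, not part of the building block), the following Python reconstructs remote maintenance sessions from sshd authentication log lines and checks each session: password-only logins (A17), sessions that did not arrive via the jump server (A25), third-party sessions outside a registered and observed maintenance window (A19), and sessions that were never disconnected (A3). The jump host address 10.10.0.20, the vendor window register, the "ext-" naming convention for external accounts and the log excerpt are all constructed assumptions.

```python
"""Reconstruct remote maintenance sessions from sshd authentication log lines
and check them against OPS.1.2.5.A3, A17, A19, A20 and A25.

Added example; not part of the building block. The jump host address, the
vendor maintenance window register and the log lines are constructed."""
import ipaddress
import re
from datetime import datetime

LOG_YEAR = 2024                                    # syslog lines carry no year
JUMP_HOSTS = {ipaddress.ip_address("10.10.0.20")}  # assumed jump server (A25)

# Assumed register of approved third-party maintenance windows (A19):
# external account -> (window start, window end, internal employee observing).
VENDOR_WINDOWS = {
    "ext-vendor1": (datetime(2024, 3, 12, 9, 0), datetime(2024, 3, 12, 10, 0), "j.doe"),
}

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
DISCONNECTED = re.compile(TS + r" \S+ sshd\[\d+\]: Disconnected from user (\S+) (\S+) port (\d+)")


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def reconstruct_sessions(lines):
    """Pair 'Accepted' with 'Disconnected' lines by (user, source, port).
    Sessions with no matching disconnect are returned with end=None."""
    open_sessions, sessions = {}, []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            ts, method, user, ip, port = m.groups()
            open_sessions[(user, ip, port)] = {
                "user": user, "ip": ipaddress.ip_address(ip),
                "method": method, "start": parse_ts(ts), "end": None}
            continue
        m = DISCONNECTED.match(line)
        if m:
            ts, user, ip, port = m.groups()
            sess = open_sessions.pop((user, ip, port), None)
            if sess is not None:
                sess["end"] = parse_ts(ts)
                sessions.append(sess)
    sessions.extend(open_sessions.values())
    return sessions


def audit_sessions(sessions):
    """Return findings, each tagged with the requirement it violates."""
    findings = []
    for s in sessions:
        who = f"{s['user']} from {s['ip']} at {s['start']:%Y-%m-%d %H:%M}"
        if s["method"] == "password":                  # A17: no multi-factor
            findings.append(f"A17 {who}: single-factor password login")
        if s["ip"] not in JUMP_HOSTS:                  # A25: must be decoupled via jump server
            findings.append(f"A25 {who}: direct access bypassing the jump server")
        if s["user"].startswith("ext-"):               # A19: third parties observed and recorded
            win = VENDOR_WINDOWS.get(s["user"])
            last = s["end"] or s["start"]
            if win is None or not (win[0] <= s["start"] and last <= win[1]):
                findings.append(f"A19 {who}: third-party session outside a registered, observed window")
        if s["end"] is None:                           # A3: connection must be disconnected afterwards
            findings.append(f"A3 {who}: connection never disconnected")
    return findings


# Constructed sshd log excerpt in syslog format; not from a real host.
SAMPLE_LOG = """\
Mar 12 09:02:11 srv01 sshd[2301]: Accepted publickey for ext-vendor1 from 10.10.0.20 port 51022 ssh2: ED25519 SHA256:aaaa
Mar 12 09:15:40 srv01 sshd[2340]: Accepted password for admin-bob from 10.10.0.20 port 51040 ssh2
Mar 12 09:20:02 srv01 sshd[2340]: Disconnected from user admin-bob 10.10.0.20 port 51040
Mar 12 09:41:55 srv01 sshd[2301]: Disconnected from user ext-vendor1 10.10.0.20 port 51022
Mar 12 10:05:00 srv01 sshd[2410]: Accepted publickey for ext-vendor1 from 10.10.0.20 port 51100 ssh2: ED25519 SHA256:aaaa
Mar 12 10:30:00 srv01 sshd[2410]: Disconnected from user ext-vendor1 10.10.0.20 port 51100
Mar 12 22:30:05 srv01 sshd[2590]: Accepted publickey for ext-vendor2 from 203.0.113.7 port 40022 ssh2: RSA SHA256:bbbb
""".splitlines()

if __name__ == "__main__":
    for finding in audit_sessions(reconstruct_sessions(SAMPLE_LOG)):
        print(finding)
```

On the sample excerpt this yields five findings: one password login, one ext-vendor1 session that overran its window, and an ext-vendor2 session that arrived directly from an external address, had no registered window, and was still open at the end of the log. The same pairing logic applies to a real journal once the log lines are collected centrally, which is what makes the recording required by A19 and A20 reviewable at all.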

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.2.5.A14 Dedicated Clients and Accounts in Remote Maintenance (H)

IT systems that are used exclusively for the administration of other IT systems SHOULD be used for remote maintenance. All other functions on these IT systems SHOULD be deactivated. The network communication of the administration systems SHOULD be restricted so that only connections to IT systems that are to be administered are possible.

Dedicated accounts SHOULD be used for remote maintenance access.

OPS.1.2.5.A22 Redundant Communication Connections (H)

Redundant communication connections SHOULD be set up for remote maintenance access. The institution SHOULD maintain connections for out-of-band management.

OPS.1.2.5.A23 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The Federal Office for Information Security describes in its publication “Basic Rules for Securing Remote Maintenance Access” how remote maintenance access can be operated securely.

The Federal Office for Information Security describes in its publication “Remote Maintenance in the Industrial Environment” how remote maintenance access can be operated securely in the industrial environment.