IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.91 Secure installation of a system management
system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
The installation of a system management system calls for extensive and
careful planning. After system analysis has been performed (see S 2.168), the
management strategy has been laid down (see S 2.169) and a suitable
management system has been chosen (see S 2.171), installation of the product
must be planned in detail and put into practice accordingly. The actual
management system configuration for the local network must be drawn up in
accordance with the architecture on which the management product is based,
paying particular attention to the formulated management strategy.
In order to install most management systems, management software has to be
installed on the computers concerned; this takes over communication between
the management console or servers and the local computer. Often it is also
necessary to install database systems on the central computers (servers or
gateways), in which the management information is permanently stored by the
management software. Depending on the product, it may also be possible to
link in an existing database system for this purpose. As a rule the additionally
installed software imposes extra demands on the computer’s local resources.
During planning, therefore, attention must be paid to what system resources
are available locally. It may be necessary for some systems to be upgraded.
These costs should be taken into account in the selection of the management
product.
In addition to these criteria, which are essentially intended to guarantee
regulated technical system operations, for security reasons the software
associated with the management system and the corresponding data must be
included in the determination of the protection requirements in accordance
with the IT Baseline Protection Manual (see Chapter 2), and the protection
requirements must be classified as "high" to "very high". Compromising the
management system is liable not only to cause failure of the entire network; as
well as this, unnoticed changes to the system may cause considerable damage
which can very rapidly take on existence-threatening forms.
Particular attention should be paid to the following points in relation to
installation:
- All computers on which management information is stored must be given
special protection:
- The measures specified in the IT Baseline Protection Manual
Chapters 5 and 6 must be implemented, depending on the system on
hand.
- In particular the operating system mechanisms must be configured
so as to prevent unauthorised access to locally stored management
information.
- Access to the management software must be granted only to
authorised administrators and auditors.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000