IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.32 Establishment of a restricted user
environment
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Where users only have specific tasks to perform, it often will not be necessary
to grant them all the rights associated with their own log-in (possibly even
Administrator rights). Examples are certain activities of routine system
administration (such as making backups, designating a new user) which are
carried out using a menu-driven program, or activities for which the user
needs only a single application program.
For these users, a restricted user environment should be established. This can
be achieved, for instance, under UNIX with a restricted shell (rsh) and the
restriction of access paths with the UNIX command chroot. For a user needing
only one application program, this can be entered as a log-in shell so that it is
started directly after he logs on, and he is automatically logged off on exiting
the program.
The available range of functions of the IT system may be restricted for
individual users or user groups. Use of editors or compilers should be
prevented unless the user actually needs these to perfom his tasks. This can be
achieved on stand-alone systems by the removal of such programs and, on
networked systems, by the allocation of rights.
Additional controls:
- What user environment and what start-up procedure have been defined for
the respective users?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Use restricted shell and
chroot
Restrict use of editors
and compilers