IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.38 Division of administrator roles in PC
networks
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Many networked systems offer the possibility to divide the administrator role
and to allocate administrator activities to various users.
Thus, for instance, the following administrator roles can be set up under
Novell Netware 3.11: Workgroup Manager, User Account Manager, File
Server Console Operator, Print Server Operator, Print Queue Operator.
Defined administrator roles can be created under Windows NT for individual
users or better for groups by the controlled allocation of user privileges.
Besides the administrator group, the following must be mentioned: power
users (i.e. administrators with restricted privileges), backup-operators, printoperators,
server-operators and replicator-operators. Additionally, further roles
can be defined via the explicit allocation of user privileges (see also S 4.50
Structured system administration under Windows NT).
Where administrator roles exist for specialised tasks, they should be made use
of. Especially when in large systems where administration tasks must be
entrusted to a number of persons, the risk of the administrator roles holding
excessive powers of control can be reduced by an appropriate division of
responsibilities so that administrators will not be able, without being subject to
control, to make unauthorised or unintentional changes to the system.
Despite the division of administrator roles, the system will in most cases
automatically set up an account for an administrator not subject to any
restrictions, i.e. the supervisor. The supervisor password may be known only
to a small number of people. It must not be known to any of the subadministrators
so as to prevent the latter from expanding their rights in this
way. The password must be safely deposited (see S 2.22 Depositing of
passwords). The supervisor log-in can be additionally protected by the
application of the two-person rule, e.g. by means of organisational measures
such as a split password. In that case, the password must have an extended
minimum length (12 characters or more). It must be ensured that the
password, in its full minimum length, will be checked by the system.
Additional controls:
- To which persons is the supervisor password known?
- Have administrator roles been divided up?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000