Description: (1) Servers MUST be operated in locations that may only be accessed by authorised persons. (2) Servers MUST therefore be set up and installed in data centres, computer rooms, or lockable server rooms (see the corresponding modules in the INF Infrastructure layer). (3) Servers MUST NOT be used as personal computers. (4) IT systems used as workstations MUST NOT be used as servers.
Levels:Automated: no
No rules selected
Description: (1) Authentication methods adequate for the protection needs at hand MUST be used when users and services log into servers. (2) This SHOULD be taken into account for administrative access in particular. (3) Central, network-based authentication services SHOULD be used whenever possible.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) It MUST be ensured that only specified removable storage media and other devices can be connected to servers. All interfaces that are no longer needed must be disabled.
Levels:Automated: yes
Selections:
Description: (1) All unnecessary services and applications — particularly network services — MUST be disabled or uninstalled. (2) All unused functions in firmware MUST also be disabled. (3) On servers, the disk space allotted to both individual users and applications SHOULD be restricted appropriately. (4) The decisions taken in this regard SHOULD be documented in a way that makes it clear which configuration and software equipment was chosen for servers.
Levels:Automated: no
Selections:
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Whether virus protection programs can and should be used MUST be checked depending on the operating system installed, the services provided, and other existing protection mechanisms of the server in question. (2) Where available, concrete statements from the relevant operating system modules of the IT-Grundschutz Compendium on whether virus protection is necessary MUST be considered.
Levels:Automated: yes
Selections:
Description: (1) In general, all security-relevant system events MUST be logged, including the following at minimum:
• (2) System starts and reboots
• (3) Successful and failed login attempts (operating system and application software)
• (4) Failed authorisation checks
• (5) Blocked data flows (violations of ACLs or firewall rules)
• (6) Creation of or changes to users, groups, and authorisations
• (7) Security-relevant error messages (e.g. hardware defects, exceeded capacity limits)
• (8) Warnings from security systems (e.g. virus protection)
Levels:Automated: yes
Selections:
Description: (1) Based on the general security policy of the organisation in question, the requirements for servers SHOULD be specified in a separate security policy. (2) This policy SHOULD be known to all administrators and other persons involved in the procurement and operation of servers and be integral to their work. (3) The implementation of the policy's requirements SHOULD be checked at regular intervals. (4) The results SHOULD be appropriately documented.
Levels:Automated: no
No rules selected
Description: Each server system SHOULD be suitably planned. In this process, the following points SHOULD be taken into account at minimum:
• Selection of the hardware platform, operating system, and application software
• Hardware capacity (performance, memory, bandwidth, etc.)
• Type and number of communication interfaces
• Power consumption, thermal load, space requirements, and structural shape
• Administrative access points (see SYS.1.1.A5 Protection of Administration Interfaces)
• User access
• Logging (see SYS.1.1.A10 Logging)
• Updates for operating systems and applications
• Integration into system and network management, backups, and protection systems (virus protection, IDS, etc.)
All decisions taken in the planning phase SHOULD be documented in such a way that they can be understood at any future point in time.
Levels:Automated: no
No rules selected
Description: Prior to procuring one or more servers, a requirements list SHOULD be drawn up that can be used to evaluate the products available on the market.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Every server SHOULD be connected to an uninterruptible power supply (UPS).
Levels:Automated: no
No rules selected
Description: (1) The basic settings of servers SHOULD be checked and, where necessary, adapted to the specifications of the security policy at hand. (2) Clients SHOULD only be connected to the Internet after the installation and configuration have been completed.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Based on a set of rules, existing local packet filters SHOULD be designed to limit incoming and outgoing communications to the necessary communication partners, communication protocols, ports, and interfaces. (2) The identity of remote systems and the integrity of corresponding connections SHOULD be protected cryptographically.
Levels:Automated: no
Selections:
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Operational tasks that are carried out on a server SHOULD be clearly documented in terms of what has been done, when, and by whom. (2) In particular, the documentation SHOULD make configuration changes transparent. (3) Security-relevant responsibilities, such as who is authorised to install new hard disks, SHOULD be documented. (4) Everything that can be documented automatically SHOULD be documented automatically. (5) The documentation SHOULD be protected against unauthorised access and loss.
Levels:Automated: no
No rules selected
Description: (1) Servers SHOULD be taken into account in business continuity management processes. (2) To this end, the contingency requirements for the system in question SHOULD be determined and appropriate contingency procedures implemented—for example, by drawing up recovery plans or securely storing passwords and cryptographic keys.
Levels:Automated: no
No rules selected
Description: (1) Server systems SHOULD be integrated into an appropriate system monitoring concept. (2) The status and functionality of these systems and the services operated on them SHOULD be continuously monitored. (3) Error conditions and defined thresholds that are exceeded SHOULD be reported to the operating personnel.
Levels:Automated: no
No rules selected
Description: (1) Servers SHOULD be subjected to regular security tests to check their compliance with the applicable security requirements and identify possible vulnerabilities. (2) In particular, these security tests SHOULD be performed on servers with external interfaces. (3) To prevent indirect attacks via infected systems in an organisation’s own network, internal server systems SHOULD also be checked accordingly at defined intervals. (4) Whether the security checks can be realised automatically—by means of suitable scripts, for example—SHOULD be examined.
Levels:Automated: no
No rules selected
Description: (1) When decommissioning a server, it SHOULD be ensured that no important data that might still be present on the storage media is lost and no sensitive data remains. (2) There SHOULD be an overview of the data stored in each location on the server. (3) Furthermore, it SHOULD be ensured that services offered by the server will be taken over by another server when necessary. (4) A checklist SHOULD be created that is to be completed when decommissioning a server. (5) This checklist SHOULD at least include aspects related to backing up data, migrating services, and subsequently deleting all data in a secure manner.
Levels:Automated: no
No rules selected
Description: (1) An operating manual SHOULD be drawn up. (2) It SHOULD document all the rules, requirements, and settings that are necessary in operating servers. (3) There SHOULD be a specific operating manual for every type of server. (4) Each operating manual SHOULD be updated at regular intervals. (5) Operating manuals SHOULD be protected against unauthorised access. (6) Operating manuals SHOULD be available in emergencies.
Levels:Automated: no
No rules selected
Description: (1) In order to prevent an attacker from accessing the operating system or other applications and prevent access from the operating system to files that are particularly sensitive, applications and operating system components (such as authentication or certificate verification) SHOULD be specially encapsulated according to their protection needs or isolated from other applications and operating system components. (2) Particular attention SHOULD be paid to security-critical applications that work with data from insecure sources (e.g. web browsers and office communication applications).
Levels:Automated: yes
Selections:
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Host-based attack detection systems (also referred to as host-based intrusion detection systems, IDS, or intrusion prevention systems, IPS) SHOULD be used to monitor system behaviour for abnormalities and misuse. (2) The IDS/IPS mechanisms used SHOULD be appropriately selected, configured, and thoroughly tested. (3) If an attack has been detected, the operating personnel SHOULD be alerted in an appropriate manner. (4) Using operating system mechanisms or suitable additional products, changes made to system files and configuration settings SHOULD be checked, restricted, and reported.
Levels:Automated: no
Selections:
Description: (1) Server systems with high availability requirements SHOULD be protected adequately against failures. (2) At minimum, suitable redundancies SHOULD be available and maintenance contracts concluded with the respective suppliers. (3) Whether high-availability architectures with automatic failover (across various sites, if necessary) are required in the case of very high requirements SHOULD be checked.
Levels:Automated: no
No rules selected
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) Depending on the threat landscape at hand and the protection needs of services, only one service SHOULD be operated on each server.
Levels:Automated: no
No rules selected
Description: (1) Execution control SHOULD be used to ensure that only explicitly authorised programs and scripts can be executed. (2) The rules SHOULD be set as restrictively as possible. (3) If explicit specification of paths and hashes is not possible, certificate-based or path rules SHOULD be used as an alternative.
Levels:Automated: yes
Selections:
Description: This requirement has been eliminated.
Levels:Automated: no
No rules selected
Description: (1) As part of the procurement and installation of a server, the root certificates that are required to operate the server SHOULD be documented. (2) Only the previously documented root certificates required for operation SHOULD be present on the server. (3) Regular checks SHOULD be performed as to whether existing root certificates still comply with the respective organisation’s requirements. (4) All certificate stores on the IT system at hand SHOULD be included in these checks.
Levels:Automated: no
Selections:
Description: (1) In case of increased protection needs, a server's storage media should be encrypted using a product or procedure that is considered secure. (2) This SHOULD also apply to virtual machines containing production data. (3) Trusted Platform Module (TPM) SHOULD NOT be the only form of key protection used. (4) Recovery passwords SHOULD be stored in an appropriate and secure location. (5) In case of very high requirements (e.g. regarding confidentiality), full volume or full disk encryption SHOULD be used.
Levels:Automated: no
Selections:
Description: (1) A server's boot loader and operating system kernel SHOULD be checked by self-controlled key material that is signed upon system start in a trusted chain (secure boot). (2) Unnecessary key material SHOULD be removed.
Levels:Automated: no
No rules selected
Description: The integrity of the host system should be ensured by a read-only file system (an immutable OS).
Levels:Automated: no
No rules selected