Systems administration architectures

Created:  25 Sep 2016
Updated:  25 Sep 2016
There are a number of different architectural models that can be used to design the administration approach for IT systems. This section describes some common approaches and the risks associated with each.
Note: Some models carry much more risk than others, and their use is discouraged. The most insecure approaches are identified below with an exclamation symbol (!).

For each administration model, the description is followed by the associated risk.

Dedicated devices on a segregated network

  Description: The service is administered from dedicated devices on a segregated management network. The devices are solely for service management, and not for general purpose use, such as email and web browsing.

  Associated risk: With this approach, the management devices and segregated network are difficult to attack. This approach may also help support personnel security measures for higher security systems, for example where the service provider wishes to demonstrate that only staff who have been subject to stringent security screening (or hold appropriate security clearances) have access to system administration functions.

Dedicated devices for community service administration

  Description: Devices are dedicated to managing services for a single community (e.g. UK public sector). The management network is segregated from all other networks. The devices are used solely for service management, and not for general purpose use, such as email and web browsing.

  Associated risk: When managing multiple services there is a risk that a more vulnerable service could be compromised and used as a staging platform to attack the management network. Managing services with similar security postures together will help reduce this risk. This approach may also help support personnel security measures for higher security systems, for example where the service provider wishes to demonstrate that only staff who have been subject to stringent security screening (or hold appropriate security clearances) have access to system administration functions.

Dedicated devices for multiple community service administration

  Description: Devices are dedicated to service management, but are used to manage multiple services across multiple communities of users. The devices are used solely for service management, and not for general purpose use, such as email and web browsing.

  Associated risk: In this model the devices themselves remain difficult targets to attack, but the larger and wider ranging scope of the management network may make it more exposed to attacks.

! Service administration via bastion hosts

  Description: This model (also known as ‘browse-up’) is where a service is managed using devices from a less trusted network (such as a corporate business network), but only by authorised management staff. Those staff have access to specific management hosts, known as bastions, from which all management actions on the service are conducted.

  Associated risk: Corporate systems tend to process a wide range of content types and are more vulnerable to attack using typical techniques. Bastion hosts provide some protection against threats from corporate networks, but attackers with access to corporate devices used by service administrators are likely to still be able to access the service management environment as if they were legitimate administrators. Malware capable of performing session hijacking is becoming increasingly common, so the risks associated with this model are also increasing.

! Direct service administration

  Description: The service is managed directly from devices which are also used for normal business (web browsing, viewing external email, etc.).

  Associated risk: In this model, there is little protecting the service from unauthorised access to management interfaces. Services managed in this way are at a significant risk of compromise.

Securing devices used for management

End user devices used for management of services are incredibly valuable targets to an attacker, so it's vital that you protect them. We recommend you build upon our End User Devices Security Guidance but go further to protect the integrity of those devices. 

In particular, administrators should:

  • Have separate user accounts for administration and normal user activities. They should not use their administration accounts for normal business activities. This reduces the exposure of privileged accounts and reduces their risk of compromise.
  • Not be able to browse the internet or open their external email in the same processing context as they manage systems. To do so would mean that a successful spear-phishing or watering-hole attack against an administrator would yield access to their system in the same context in which the administrator performs their privileged duties.
  • Be strongly authenticated before being able to carry out any service management functions.

In Windows environments we recommend you follow Microsoft's advice on Securing Privileged Access.
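As an added illustration (not part of this guidance), the following Python script classifies privileged logon records against the administration models above and flags the two discouraged ones, which is the kind of check a monitoring team can run to confirm the separate-account and dedicated-device rules are being followed. The management subnet, bastion host names, the adm- account naming convention and the sample records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed environment (assumptions, not from the guidance):
# - dedicated administration devices sit in a segregated management network
# - two bastion hosts are reachable from the corporate network ('browse-up')
# - privileged accounts follow an "adm-" naming convention
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
BASTIONS = {"bastion01", "bastion02"}
ADMIN_PREFIX = "adm-"
DISCOURAGED = {"bastion", "direct"}  # the models marked '!' above


@dataclass
class Logon:
    account: str
    source_host: str
    source_ip: str
    target: str


def classify(logon: Logon) -> str:
    """Map one privileged logon to an administration model.

    'segregated' : dedicated device on the management network
    'bastion'    : browse-up via a bastion host from a less trusted network
    'direct'     : administration from a general-purpose device
    'standard'   : not a privileged account, so out of scope
    """
    if not logon.account.lower().startswith(ADMIN_PREFIX):
        return "standard"
    if logon.source_host.lower() in BASTIONS:
        return "bastion"
    if ipaddress.ip_address(logon.source_ip) in MGMT_NET:
        return "segregated"
    return "direct"


def flag_discouraged(logons):
    """Return (logon, model) pairs for privileged logons using a discouraged model."""
    classified = [(logon, classify(logon)) for logon in logons]
    return [(logon, model) for logon, model in classified if model in DISCOURAGED]


# Constructed sample records (assumptions, not real logs).
SAMPLE = [
    Logon("adm-alice", "paw01", "10.99.0.15", "fileserver01"),       # segregated
    Logon("adm-bob", "bastion01", "10.50.3.7", "fileserver01"),      # bastion
    Logon("adm-carol", "laptop-carol", "10.20.8.44", "dc01"),        # direct
    Logon("dave", "laptop-dave", "10.20.8.45", "fileserver01"),      # standard
]

if __name__ == "__main__":
    for logon, model in flag_discouraged(SAMPLE):
        print(f"! {logon.account} from {logon.source_host} -> {logon.target}: {model} administration")
```

In a real deployment the records would come from the authentication logs of the managed service or the directory, with the subnet and bastion lists taken from the management network design.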
