Control 8: Controlled Use of Administrative Privileges

Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only the appropriately trained and fully accountable people have and maintain administrative access on your systems? This effort must start with an accurate inventory of every account with elevated access and must be strictly maintained. The change control board should approve every new account that requires persistent administrative access. Maintaining strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access.

Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as on workstations and individual server types. This will help deter unintentional access to collateral systems for which system administrators are not explicitly authorized to use.  Encourage this practice by requiring more frequent password expiry and increased complexity rules for these accounts.

Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and email usage should never be permitted from accounts that have elevated access. The damage that could occur is much greater than the convenience gained by allowing a system administrator to check their Twitter account.

Where feasible, require all administrative access to be achieved by elevating their access from a regular user account. Examples to facilitate this to create a Microsoft Management Console (MMC) that includes all tools needed for administration. Open this with a Run As command that uses the credentials of the elevated account.

Accurate and timely recording and distributing all activities performed by members of elevated access groups as found in system and security logs could help deter misuse and increase accountability. Configure a daily automated report that lists all administrative activities from the previous day to the entire team.

Look for default accounts on workstations and servers that can be removed or disabled. It is up to you to explain and justify every account on your system. The faster you can identify new accounts on the system, the better.

The underling goal must be to do everything in your power to not allow untrained or unauthorized people to gain administrative access on your networks or systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.