Security Control 12:
Controlled Use of Administrative Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

12.1

Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.

High: REQ | Med: REQ | Low: REQ

12.2

Passwords for all systems should be stored in a well-hashed or encrypted format, with weaker formats such as Windows LANMAN hashes eliminated from the environment. Files containing these encrypted or hashed passwords, which systems require to authenticate users, should be readable only with super-user privileges.

High: REQ | Med: REQ | Low: REQ

12.3

Ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. When possible, use automated scripts for assurance. Web browsers and e-mail clients especially should be configured to never run as administrator.

High: REQ | Med: REQ | Low: REQ

12.4

Require that administrators establish distinct passwords for their administrator and non-administrative accounts. Each person requiring administrative access should be given his/her own separate account. Administrative accounts should never be shared. Users should only use the default administrator accounts (e.g., Windows "administrator" or Unix "root") in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrator accounts.

High: REQ | Med: REQ | Low: REQ

12.5

Access to a machine (either remotely or locally) should be blocked for administrator-level accounts. Instead, administrators should be required to access a system using a fully logged, non-administrative account. Once logged in to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, Run as on Windows, and similar facilities on other types of systems.

High: REQ | Med: REQ | Low: REQ

12.6

If services are outsourced to third parties, language should be included in the contracts to ensure that they properly protect and control administrative access. Validate that they are not sharing passwords and that they hold their administrators accountable for their actions.

High: REQ | Med: REQ | Low: REQ

12.7

Segregate administrator accounts based on defined roles. For example, "Workstation admin" accounts should only be allowed administrative access to workstations, laptops, etc.

High: REQ | Med: REQ | Low: REQ

12.8

Configure systems to issue a log entry and alert when an account is added to or removed from an administrators group.

High: REQ | Med: REQ | Low: REC
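An added example, not part of the control text, of the detection logic that 12.8 calls for: a small Python detector that reads Windows Security event records and raises an alert whenever a member is added to or removed from an administrative group. The sample events and the list of monitored group names are constructed for illustration; event IDs 4728/4729, 4732/4733 and 4756/4757 are the standard Windows group-membership-change events.

```python
import re

# Windows Security event IDs recording group membership changes for
# security-enabled global, local and universal groups respectively.
GROUP_EVENTS = {4728: "added", 4729: "removed", 4732: "added", 4733: "removed",
                4756: "added", 4757: "removed"}

# Assumed list of administrative groups to watch; extend it with any
# role-specific admin groups defined under control 12.7.
ADMIN_GROUPS = re.compile(
    r"^(Administrators|Domain Admins|Enterprise Admins|Schema Admins)$", re.IGNORECASE)

def detect_admin_group_changes(events):
    """Return one alert per membership change to a monitored admin group."""
    alerts = []
    for ev in events:
        action = GROUP_EVENTS.get(ev.get("EventID"))
        # In these events TargetUserName is the group and MemberName the account.
        group = ev.get("TargetUserName", "")
        if action is None or not ADMIN_GROUPS.match(group):
            continue
        alerts.append({
            "time": ev.get("TimeCreated", ""), "host": ev.get("Computer", ""),
            "action": action, "group": group,
            "member": ev.get("MemberName", ""), "actor": ev.get("SubjectUserName", ""),
        })
    return alerts

# Constructed sample events; field names follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TimeCreated": "2024-01-05T09:12:03Z", "Computer": "WS01",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "MemberName": "CORP\\svc-backup"},
    {"EventID": 4624, "TimeCreated": "2024-01-05T09:12:10Z", "Computer": "WS01",
     "SubjectUserName": "jdoe"},                      # a logon, not a group change
    {"EventID": 4728, "TimeCreated": "2024-01-05T09:13:44Z", "Computer": "DC01",
     "SubjectUserName": "admin-jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CORP\\tmp-contractor"},
    {"EventID": 4733, "TimeCreated": "2024-01-05T10:01:00Z", "Computer": "WS01",
     "SubjectUserName": "admin-jdoe", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CORP\\jdoe"},                     # not an admin group: ignored
]

if __name__ == "__main__":
    for a in detect_admin_group_changes(SAMPLE_EVENTS):
        prep = "to" if a["action"] == "added" else "from"
        print(f"ALERT {a['time']} {a['host']}: {a['member']} {a['action']} "
              f"{prep} {a['group']} by {a['actor']}")
```

Running the block against the sample prints two alerts (the local Administrators change on WS01 and the Domain Admins change on DC01); a real deployment would feed forwarded event logs into the same function.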

12.9

Inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized. When possible, use automated tools.

High: REQ | Med: REQ | Low: REC

12.10

Audit the use of administrative privileged functions and monitor for anomalous behavior.

High: REQ | Med: REQ | Low: REC

12.11

All administrative passwords must have at least 12 pseudo-random characters.

High: REQ | Med: REQ | Low: REC

12.12

Configure all administrative-level accounts to require a password change at least every 180 days.

High: REQ | Med: REC | Low: OPT

12.13

Ensure that all service accounts have long and difficult-to-guess passwords that are changed periodically, at least annually.

High: REQ | Med: REC | Low: OPT

12.14

Configure operating systems so that passwords cannot be re-used.

High: REQ | Med: REC | Low: OPT

12.15

All administrative access must use two-factor authentication where possible.

High: REQ | Med: REC | Low: OPT

Additional Reading