Security Control 12:
Controlled Use of Administrative Privileges
Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords.
Key: REQ = Required, REC = Recommended, OPT = Optional
| ID | Details | High | Med | Low |
|---|---|---|---|---|
| 12.1 | Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value. | REQ | REQ | REQ |
| 12.2 | Passwords for all systems should be stored in a well-hashed or encrypted format, with weaker formats such as Windows LANMAN hashes eliminated from the environment. Files containing the encrypted or hashed passwords that systems use to authenticate users should be readable only with super-user privileges. | REQ | REQ | REQ |
| 12.3 | Ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. When possible, use automated scripts to verify this. Web browsers and e-mail clients in particular should be configured to never run as administrator. | REQ | REQ | REQ |
| 12.4 | Require that administrators establish unique, different passwords for their administrative and non-administrative accounts. Each person requiring administrative access should be given his/her own separate account. Administrative accounts should never be shared. Users should only use the default administrator accounts (e.g., Windows "administrator" or Unix "root") in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrator accounts. | REQ | REQ | REQ |
| 12.5 | Direct access to a machine (either remotely or locally) should be blocked for administrator-level accounts. Instead, administrators should be required to access a system using a fully logged, non-administrative account. Once logged in to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, Run as on Windows, and similar facilities on other types of systems. | REQ | REQ | REQ |
| 12.6 | If services are outsourced to third parties, language should be included in the contracts to ensure that they properly protect and control administrative access. It should be validated that they are not sharing passwords and that they have accountability mechanisms to hold administrators liable for their actions. | REQ | REQ | REQ |
| 12.7 | Segregate administrator accounts based on defined roles. For example, "Workstation admin" accounts should only be allowed administrative access to workstations, laptops, etc. | REQ | REQ | REQ |
| 12.8 | Configure systems to issue a log entry and an alert when an account is added to or removed from an administrators group. | REQ | REQ | REC |
| 12.9 | Inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized. When possible, use automated tools. | REQ | REQ | REC |
| 12.10 | Audit the use of administrative privileged functions and monitor for anomalous behavior. | REQ | REQ | REC |
| 12.11 | All administrative passwords must have at least 12 pseudo-random characters. | REQ | REQ | REC |
| 12.12 | Configure all administrative-level accounts to require regular password changes at an interval of no longer than 180 days. | REQ | REC | OPT |
| 12.13 | Ensure that all service accounts have long and difficult-to-guess passwords that are changed periodically, at an interval of no longer than annually. | REQ | REC | OPT |
| 12.14 | Configure operating systems so that passwords cannot be re-used. | REQ | REC | OPT |
| 12.15 | All administrative access must use two-factor authentication where possible. | REQ | REC | OPT |
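Controls 12.8 and 12.9 are the ones most readily automated. The following is an added example (not part of the original control document) showing detection logic for both: it flags administrators-group membership changes from a constructed batch of Windows-style security events, and reconciles the current membership of admin groups against an authorized list. The event IDs are the real Windows group-change IDs; the group names, account names and the `Actor`/`Member`/`Group` field names are assumptions for the sample data.

```python
"""CSC 12.8 / 12.9 helpers: alert on admin-group changes, reconcile inventory."""
from dataclasses import dataclass

# Real Windows security event IDs: member added to a global/local/universal
# security-enabled group (4728/4732/4756) and removed (4729/4733/4757).
ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}

# Groups whose membership changes must log and alert (names are assumed).
ADMIN_GROUPS = {"Administrators", "Domain Admins",
                "Enterprise Admins", "Workstation Admins"}


@dataclass(frozen=True)
class Alert:
    action: str   # "added" or "removed"
    member: str   # account whose membership changed
    group: str    # administrators group affected
    actor: str    # account that made the change


def detect_admin_group_changes(events):
    """Return one Alert per add/remove touching an administrators group.

    `events` is an iterable of dicts with keys EventID, Group, Member, Actor
    (field names assumed; adapt to your log pipeline's schema).
    """
    alerts = []
    for e in events:
        if e.get("Group") not in ADMIN_GROUPS:
            continue  # changes to non-admin groups are logged but not alerted
        if e["EventID"] in ADD_EVENTS:
            alerts.append(Alert("added", e["Member"], e["Group"], e["Actor"]))
        elif e["EventID"] in REMOVE_EVENTS:
            alerts.append(Alert("removed", e["Member"], e["Group"], e["Actor"]))
    return alerts


def unauthorized_admins(current, authorized):
    """12.9 reconciliation: {group: members} present but not authorized."""
    extra = {g: m - authorized.get(g, set()) for g, m in current.items()}
    return {g: m for g, m in extra.items() if m}


# Constructed sample events (not real logs); 4624 is a logon, not a change.
SAMPLE_EVENTS = [
    {"EventID": 4732, "Group": "Administrators", "Member": "CORP\\jsmith", "Actor": "CORP\\helpdesk1"},
    {"EventID": 4732, "Group": "Remote Desktop Users", "Member": "CORP\\tlee", "Actor": "CORP\\helpdesk1"},
    {"EventID": 4729, "Group": "Domain Admins", "Member": "CORP\\oldadmin", "Actor": "CORP\\da-rkim"},
    {"EventID": 4624, "Member": "CORP\\jsmith", "Actor": ""},
]
```

Feed `detect_admin_group_changes` a stream of parsed events and route its alerts to the on-call channel; run `unauthorized_admins` on a schedule against a group-membership export and the approved admin roster.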