The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CSC5: Controlled Use of Administrative Privileges
Family | CSC | Control Description | Foundational | Advanced |
---|---|---|---|---|
System | 5.1 | Minimise administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behaviour | Y | |
System | 5.2 | Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorised by a senior executive. | Y | |
System | 5.3 | Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts. | Y | |
System | 5.4 | Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system. | Y | |
System | 5.5 | Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account. | Y | |
System | 5.6 | Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods. | Y | |
System | 5.7 | Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). | Y | |
System | 5.8 | Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems. | Y | |
System | 5.9 | Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organisation's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. | Y |