Critical Security Control 4 – Controlled use of Administrative Access
System admin level permissions seem to be everywhere. These permissions are commonly required to install applications, to make changes to a computer, and to do much of anything. Satisfying Control 4’s requirements can be achieved by following some common-sense, yet rarely implemented, actions: understanding and controlling which user accounts within a given computer network should have administrative access, reconciling those that do have administrative access, and ensuring that changes to those groups are systematically audited and logged. Using automated tools meets most of Control 4’s demands. Incorporating best practices such as requiring dedicated systems to perform system administration, implementing a multi-factor authentication requirement for administrative tasks, and eliminating unrestricted access to commonly used scripting languages further drives compliance with the sub-controls of Control 4.
Control 4 requires that system administrators create and automatically maintain a centralized, automatically discovered list of all administrative accounts for every device in the scope of a given network system. On each of these devices, administrators ensure that no default passwords are in place and that, wherever possible, multi-factor authentication is implemented for administrative access. These basic best practices can be supplemented with script control policies to restrict or disable PowerShell, Python, and related scripting languages from executing. Control 4 identifies and bounds the user accounts that have the ability to make administrative-level changes to computer systems. Through the systematic identification of these accounts, strong authentication, auditing, and access controls can be implemented to provide one of the first CSC-derived levels of protection.
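One way to automate the reconciliation and change auditing described above, as an added example that is not part of the original page: it compares each device's discovered administrator accounts against an approved list and diffs two discovery runs. The hostnames, account names, data layout and default-account names are constructed assumptions.

```python
# Added example: reconcile discovered admin accounts against an approved list.
# Hostnames, account names and the data layout are constructed for illustration.
APPROVED = {  # device -> accounts authorised to hold administrative access
    "ws-01": {"adm-jlee"},
    "srv-db": {"adm-jlee", "adm-mkhan"},
}
DEFAULT_NAMES = {"administrator", "admin", "root", "guest"}  # assumed vendor defaults
YESTERDAY = {  # constructed discovery run: device -> {account: attributes}
    "ws-01": {"adm-jlee": {"mfa": True}},
    "srv-db": {"adm-jlee": {"mfa": True}, "adm-mkhan": {"mfa": True}},
}
TODAY = {  # constructed discovery run one day later
    "ws-01": {"adm-jlee": {"mfa": True}, "Administrator": {"mfa": False}},
    "srv-db": {"adm-jlee": {"mfa": True}, "adm-mkhan": {"mfa": False},
               "svc-backup": {"mfa": False}},
    "kiosk-7": {"tech": {"mfa": False}},
}

def reconcile(discovered, approved=APPROVED):
    """Return (device, account, finding) tuples for one discovery run."""
    findings = []
    for device, accounts in sorted(discovered.items()):
        allowed = approved.get(device)
        if allowed is None:  # device is missing from the central list
            findings.append((device, "*", "device-not-in-inventory"))
            allowed = set()
        for name, attrs in sorted(accounts.items()):
            if name.lower() in DEFAULT_NAMES:
                findings.append((device, name, "default-account-enabled"))
            elif name not in allowed:
                findings.append((device, name, "unapproved-admin"))
            elif not attrs.get("mfa", False):
                findings.append((device, name, "approved-admin-without-mfa"))
        for name in sorted(allowed - set(accounts)):
            findings.append((device, name, "approved-but-absent"))
    return findings

def membership_changes(previous, current):
    """Diff two discovery runs so each admin add/remove can be logged."""
    changes = []
    for device in sorted(previous.keys() | current.keys()):
        before = set(previous.get(device, {}))
        after = set(current.get(device, {}))
        changes += [(device, n, "added") for n in sorted(after - before)]
        changes += [(device, n, "removed") for n in sorted(before - after)]
    return changes

if __name__ == "__main__":
    for row in reconcile(TODAY) + membership_changes(YESTERDAY, TODAY):
        print(*row)
```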
For a deeper understanding of CSC Control 4, check out CIT’s CSC Controls 4 blog.