The Critical Security Controls – Control 4

Control 4:  A framework for an offense-informed defense. 

 

As we discussed in our earlier blog posts on the 20 Critical Security Controls, they provide an offense-informs-defense framework through which an organization can effectively defend against cyberattacks.  In this installment, we’re examining Control Four. This control is a ‘Basic control’ and represents one which every organization, regardless of size, in which information (or their client’s/customer’s/partner’s information) is considered an asset should be meaningfully adopted. Control 4 advances the framework beyond systems and software and onto the configuration of those assets. Control 4 is in our collective experience one of the most commonly mis-applied and misinterpreted controls of the Basic Controls. 

Critical Control #4

Administrative accounts must be used for just that, system administration. Segregate user accounts with these permissions from regular user accounts and ensure administrators use a dedicated machine for all system-administrative tasks.” 

System admin level permissions seem to be everywhere. They’re commonly required to install applications, to make changes to a computer, and do much of anything. Microsoft introduced User Access Control (UAC) to further isolate and inform users when administrative permissions were needed. Yet with what seems like the widespread need for Administrative Permissions, the requirement to contain and minimize their use exists in nearly every information security compliance document. From a network system administrators perspective the tightening of permissions increases help-desk ticket load while simultaneously increasing many users’ frustration level. Identifying the balance between functionality and security comes into focus when evaluating Control 4. 

Satisfying Critical Control Four’s requirements can be achieved by following some common-sense, yet rarely implemented, actions. Understanding and controlling what user accounts within a given computer network should have administrative access, reconciling those that do have administrative access, and ensuring that changes to those groups are systematically audited and logged using automated tools meets most of Control 4’s demands. Incorporating best-practices such as requiring dedicated systems to perform system administration, implementing a multi-factor authentication requirement for administrative tasks (and/or accounts), and eliminating unrestricted access to commonly uses scripting languages further drives compliance with the sub-controls of Control 4. 

 

Critical Control 4: Controlled use of Administrative Privileges

Sub-control Applies to: Security Function (intention) Sub-control Title Description
4.1 Users Detect Maintain Inventory of Administrative Accounts Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Users Protect Change Default Passwords Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Users Protect Ensure the Use of Dedicated Administrative Accounts Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
4.4 Users Protect Use Unique Passwords Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Users Protect Use Multi-factor Authentication For All Administrative Access Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Users Protect Use of Dedicated Machines For All Administrative Tasks Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization’s primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
4.7 Users Protect Limit Access to Script Tools Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Users Detect Log and Alert on Changes to Administrative Group Membership Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Users Detect Log and Alert on Unsuccessful Administrative Account Login Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

 

Making application: Control 4

Control Four requires that system administrators create and automatically maintain a centralized and automatically discovered list of all administrative accounts for every device in the scope of a given network system. That scope is derived from those identified in Control 1. On each of these devices ensuring that there are no default passwords in place and wherever possible multi-factor authentication is implemented for administrative access. These basic best-practices can be supplemented with script control policies to restrict or (where possible) disable powershell, python, and related scripting languages from executing. Control 4 serves as one of the gateways into log management and monitoring through sub-control 4.8, a requirement to log failed administrative logon attempts. Implementing best-practice Group Policy (Windows) directives can realize compliance with most of Control 4’s requirements. 

Conclusion

Critical Control 4 delivers identification and the bounds of the user accounts with the ability to make administrative-level changes to computer systems. Through the systematic identification of these accounts strong authentication, auditing, and access controls can be implemented to provide one of the first CSC-derived levels of protection. 

Missed previous 20 CSC Controls, check out CIT’s blog page.

 

Who is Corporate Information Technology (CIT):

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including Critical Control centric Managed and Co-Managed technology services, information security policy creation & assessment, cybersecurity services, penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations maximize and optimize their technology systems while identifying and mitigating cybersecurity risks presented by those very systems. 

Contact us to learn more and let us show you how good I.T. can be!

All references to tools or other products in this document are provided for informational
purposes only, and do not represent the endorsement by CIT of any particular company,
product, or technology.
This material has been compiled using material licensed for public use under the Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License. The link to the license terms can be found at Creative Commons