CIS Control 4: Controlled Use of Administrative Privileges
This article highlights CIS Control 4: Controlled Use of Administrative Privileges and the nine requirements associated with the fourth basic CIS Control.
If an attacker is able to hijack an admin-level account, the potential for damage is severe. Not only is the hacker provided with high-privilege access to systems, but they may also be able to subvert other security controls such as clearing logs and disabling other protective measures.
As such, protection of credentials in the first place is important, but limiting the re-use and lifespan of credentials is essential, as well as monitoring their usage, as secondary security controls in cases of theft or misuse.
Let’s jump right into the nine sub controls of CIS Control 4
4.1: Maintain Inventory of Administrative Accounts
- Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
Centralized account administration and authentication services are essential. For both local and domain amikacins, a strong password policy with appropriate short/medium term password ageing will ensure even ‘lost’ accounts will only be operational for a limited time period. CIS Benchmark secure configuration guidance provides a suitable policy and can be audited and policed using NNT Change Tracker.
4.2: Change Default Passwords
- Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Default local accounts and passwords should be renamed and/or disabled where possible. NNT Vulnerability Tracker runs ‘brute force’ attacks using common default credentials to ensure this control is being observed.
4.3: Ensure the Use of Dedicated Administrative Accounts
- Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities
By limiting the usage of admin-level accounts, you significantly reduce the risk of cyber criminals harvesting admin credentials. Since most attacks begin with phishing-oriented attacks, admin-level accounts should only be used for admin tasks, with standard personal computer work under a secondary personal account.
4.4: Use Unique Passwords
- Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
If an attacker successfully compromises a password from one device, make sure they are not able to move laterally across the network using that same set of credentials.
4.5: Use Multi-Factor Authentication for All Administrative Access
- Use multi-factor authentication and encrypted channels for all administrative account access.
Again, CIS Benchmark secure configuration guidance provides a suitable hardened build standard including strong password and account lockout policies and secure encrypted channels only for admin access.
4.6: Use Dedicated Workstations For All Administrative Tasks
- Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization’s primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.
A ‘Jump Server’ or Privileged Access Workstation (PAW) ensures admin tasks cannot be conducted from standard User Workstations. Organizations are better placed to protect against phishing attacks, application and operating system vulnerabilities, impersonation attacks, and credential theft attacks.
4.7: Limit Access to Scripting Tools
- Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Attackers will often use scripts. Standard users should never need to operate scripts so restricting operation to admin-level users only reduces the attack surface of the enterprise. Solutions like AppLocker and software restriction policies as part of a hardened Group Policy can be used to protect systems.
4.8: Log and Alert on Changes to Administrative Group Membership
- Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Change Control applies to account administration as much as application and platform management. CIS Benchmark guidance will determine a strong audit policy for all systems, NNT Log Tracker will analyze and report/alert on Account creation/privilege change.
4.9: Log and Alert on Unsuccessful Administrative Account Login
- Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Similarly to Control 4.8, CIS Benchmark guidance will determine a strong audit policy for all systems, NNT Log Tracker will analyze and report/alert on all Successful and Failed logons to systems. Failed logons are often an indicator of brute force activity. An Account Lockout policy will provide protection and an unusual level of Failed Logons should be treated as a security incident.
The ultimate goal of CIS Control 4 is to protect your organization’s information and assets from theft and misuse. Employees must only have rights, privileges, and permissions that they need in order to do their job – no more, no less. This goes beyond computers – this must also include devices like phones, printers, tablets, and more.
This basic CIS Control has become increasingly necessary to defend against outside attackers, but also to protect against rough insider threats.
This control can be best summarized in four points:
- Keep an up to date inventory of all users on the network
- Minimize the use of administrator accounts
- Implement multi-factor authentication and strong password policies
- Require admins to use dedicated administrative accounts
Figure: System Entity Relationship Diagram
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises