CIS Control 4: Controlled Use of Administrative Privileges

This article highlights CIS Control 4: Controlled Use of Administrative Privileges and the nine requirements associated with the fourth basic CIS Control.

If an attacker is able to hijack an admin-level account, the potential for damage is severe. Not only is the hacker provided with high-privilege access to systems, but they may also be able to subvert other security controls such as clearing logs and disabling other protective measures.

As such, protection of credentials in the first place is important, but limiting the re-use and lifespan of credentials is essential, as well as monitoring their usage, as secondary security controls in cases of theft or misuse.

Let’s jump right into the nine sub-controls of CIS Control 4.

4.1: Maintain Inventory of Administrative Accounts

  • Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Centralized account administration and authentication services are essential. For both local and domain accounts, a strong password policy with appropriate short- or medium-term password ageing will ensure that even ‘lost’ accounts remain operational only for a limited period. CIS Benchmark secure configuration guidance provides a suitable policy, which can be audited and policed using NNT Change Tracker.

4.2: Change Default Passwords

  • Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Default local accounts and passwords should be renamed and/or disabled where possible. NNT Vulnerability Tracker runs ‘brute force’ attacks using common default credentials to ensure this control is being observed.

4.3: Ensure the Use of Dedicated Administrative Accounts

  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

By limiting the usage of admin-level accounts, you significantly reduce the risk of cyber criminals harvesting admin credentials. Since most attacks begin with phishing, admin-level accounts should be used only for admin tasks, with day-to-day work done under a secondary personal account.

4.4: Use Unique Passwords

  • Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

If an attacker successfully compromises a password on one device, make sure they cannot move laterally across the network using that same set of credentials.

4.5: Use Multi-Factor Authentication for All Administrative Access

  • Use multi-factor authentication and encrypted channels for all administrative account access.

Again, CIS Benchmark secure configuration guidance provides a suitable hardened build standard including strong password and account lockout policies and secure encrypted channels only for admin access.

4.6: Use Dedicated Workstations For All Administrative Tasks

  • Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization’s primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the Internet.

A ‘Jump Server’ or Privileged Access Workstation (PAW) ensures admin tasks cannot be conducted from standard user workstations. This leaves organizations better placed to protect against phishing attacks, application and operating system vulnerabilities, impersonation attacks, and credential theft.

4.7: Limit Access to Scripting Tools

  • Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Attackers will often use scripts. Standard users should never need to run scripts, so restricting script execution to admin-level users reduces the attack surface of the enterprise. Solutions like AppLocker and software restriction policies, applied as part of a hardened Group Policy, can be used to protect systems.

4.8: Log and Alert on Changes to Administrative Group Membership

  • Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Change Control applies to account administration as much as to application and platform management. CIS Benchmark guidance will determine a strong audit policy for all systems, and NNT Log Tracker will analyze and report/alert on account creation and privilege changes.

4.9: Log and Alert on Unsuccessful Administrative Account Login

  • Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Similarly to Control 4.8, CIS Benchmark guidance will determine a strong audit policy for all systems, and NNT Log Tracker will analyze and report/alert on all successful and failed logons to systems. Failed logons are often an indicator of brute-force activity. An Account Lockout policy will provide protection, and an unusual level of failed logons should be treated as a security incident.
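As an added example of the detection logic behind 4.8 and 4.9 (this is not NNT's or CIS's code), the following Python runs over constructed sample events. The ‘key=value|key=value’ record layout, the group names, the account list, the threshold and the window are assumptions for the example; the event IDs are the standard Windows Security log IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Groups that confer admin privilege (assumption: tailor to the environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Windows Security event IDs: 4728/4732/4756 member added to a global/local/
# universal security group, 4729/4733/4757 member removed, 4625 failed logon.
GROUP_CHANGE_EVENTS = {4728: "added", 4732: "added", 4756: "added",
                       4729: "removed", 4733: "removed", 4757: "removed"}
FAILED_LOGON, THRESHOLD, WINDOW = 4625, 5, timedelta(minutes=10)

def parse_event(line):
    """Parse one 'key=value|key=value' record (constructed layout)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields

def admin_group_changes(events):
    """4.8: every add/remove against a privileged group is an alert."""
    return [(e["Subject"], GROUP_CHANGE_EVENTS[e["EventID"]], e["Member"], e["Group"])
            for e in events
            if e["EventID"] in GROUP_CHANGE_EVENTS and e["Group"] in PRIVILEGED_GROUPS]

def failed_admin_logons(events, admin_accounts):
    """4.9: one alert per burst when an admin account reaches THRESHOLD
    failures inside a sliding WINDOW (a brute-force indicator)."""
    recent, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["Time"]):
        if e["EventID"] != FAILED_LOGON or e["Account"] not in admin_accounts:
            continue
        times = recent[e["Account"]]
        times.append(e["Time"])
        while e["Time"] - times[0] > WINDOW:   # age out failures outside the window
            times.pop(0)
        if len(times) >= THRESHOLD:
            alerts.append((e["Account"], e["Source"], len(times)))
            times.clear()                      # reset so one burst raises one alert
    return alerts

# Constructed sample: a benign group change, a privileged add and later removal,
# a non-admin failure, and a burst of failures against an admin account.
SAMPLE_LOG = [
    "Time=2019-05-01T09:00:00|EventID=4732|Subject=svc_helpdesk|Member=jdoe|Group=Remote Desktop Users",
    "Time=2019-05-01T09:01:00|EventID=4728|Subject=admin-jsmith|Member=contractor1|Group=Domain Admins",
    "Time=2019-05-01T09:03:00|EventID=4625|Account=jdoe|Source=10.0.0.41",
    "Time=2019-05-01T09:30:00|EventID=4729|Subject=admin-jsmith|Member=contractor1|Group=Domain Admins",
] + [f"Time=2019-05-01T09:0{i}:30|EventID=4625|Account=admin-jsmith|Source=10.0.0.25" for i in range(2, 8)]

def run(admin_accounts=frozenset({"admin-jsmith", "administrator"})):
    events = [parse_event(line) for line in SAMPLE_LOG]
    return admin_group_changes(events), failed_admin_logons(events, admin_accounts)
```

`run()` returns the 4.8 alerts (the add and the later removal on Domain Admins) and a single 4.9 alert for the burst; the sixth failure after the reset does not re-alert.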

Summary

The ultimate goal of CIS Control 4 is to protect your organization’s information and assets from theft and misuse. Employees must only have rights, privileges, and permissions that they need in order to do their job – no more, no less. This goes beyond computers – this must also include devices like phones, printers, tablets, and more.

This basic CIS Control has become increasingly necessary to defend against outside attackers, but also to protect against rogue insider threats.

This control can be best summarized in four points:

  • Keep an up-to-date inventory of all users on the network
  • Minimize the use of administrator accounts
  • Implement multi-factor authentication and strong password policies
  • Require admins to use dedicated administrative accounts

Figure: System Entity Relationship Diagram

Copyright 2019, New Net Technologies LLC. All rights reserved. 