Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts, service accounts included, and verifying that every change to those accounts is authorized and intentional rather than unintended is paramount to establishing a secure environment.
Establishing and maintaining visibility into all accounts can protect assets in multiple ways. If an adversary attacks through a vector we have no visibility into, such as a new zero-day vulnerability or a successful phishing attack, they may first attempt to establish persistence, and one of the most common ways to maintain that persistence is by adding or modifying an account. With good account management, we may be able to detect the attack before the adversary establishes that persistence, even if the initial vector was not an attack on the account itself (such as a brute-force attack).
Account management also includes password requirements, lockouts after failed login attempts, and logging out after a period of inactivity, as well as never using default passwords or sharing accounts. Privileged accounts should only be used for tasks that require them.
Key Takeaways for Control 5
- Policy. Have a policy in place that specifies all the parameters of creating an account including password strength, etc.
- Have an inventory and track changes. Establish an inventory and use Active Directory or other technologies and tools to centralize management of accounts. Track any changes to the accounts.
Safeguards for Control 5
5.1) Establish and Maintain an Inventory of Accounts
Description: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized on a recurring schedule, at a minimum quarterly, or more frequently.
Notes: All accounts should be valid accounts. New accounts and changes to existing accounts should be tracked and verified as legitimate. Service accounts also need to be scrutinized to ensure they are only being used as intended. Creating or changing an account without authorization is often the first thing an adversary does in order to maintain persistence.
5.2) Use Unique Passwords
Description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using multi-factor authentication (MFA) and a 14-character password for accounts not using MFA.
Notes: This isn’t just for the enterprise. If you reuse passwords and there is a data breach, attackers can use your password for other accounts. Always choose unique passwords, and always change default passwords.
5.3) Disable Dormant Accounts
Description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Notes: A future data breach could spell real trouble if old accounts are not disabled. Disabling accounts can also be automated by setting expiration dates for the accounts if the system supports it.
5.4) Restrict Administrator Privileges to Dedicated Administrator Accounts
Description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Notes: Administrator and root accounts should only be used for the tasks that require them. Using email, a web browser, etc. should always be done with non-privileged accounts.
5.5) Establish and Maintain an Inventory of Service Accounts
Description: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized on a recurring schedule, at a minimum quarterly, or more frequently.
Notes: Tracking what is happening with accounts includes service accounts, not just user accounts.
5.6) Centralize Account Management
Description: Centralize account management through a directory or identity service.
Notes: This means using Active Directory and domains or some other centralized system for management.
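One way to automate the recurring checks in Safeguards 5.1 and 5.3, as an added example that is not from CIS or the original article. The CSV column names, the constructed sample rows, and treating "quarterly" as 92 days are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory export (not real accounts). Column names are
# assumptions; the first five are the minimum fields Safeguard 5.1 lists.
SAMPLE_INVENTORY = """\
name,username,start_date,stop_date,department,last_login,last_validated,enabled
Ana Ruiz,aruiz,2022-03-01,,Finance,2024-05-28,2024-04-15,true
Ben Ode,bode,2021-07-12,,IT,2024-03-02,2024-04-15,true
Cy Tran,ctran,2020-01-06,2024-04-30,Sales,2024-04-29,2024-04-15,true
,tmpadmin,2024-05-20,,,2024-05-30,,true
Dee Moss,dmoss,2019-09-09,2023-12-31,HR,2023-12-20,2024-01-10,false
"""

# stop_date is left out: it is assumed blank for open-ended accounts.
REQUIRED = ("name", "username", "start_date", "department")
DORMANT_AFTER = timedelta(days=45)  # Safeguard 5.3 inactivity threshold
REVIEW_EVERY = timedelta(days=92)   # assumption: "quarterly" taken as 92 days


def audit_inventory(csv_text, today):
    """Return {username: [findings]} for enabled accounts needing attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing left to act on
        issues = []
        missing = [f for f in REQUIRED if not row[f].strip()]
        if missing:
            issues.append("missing inventory fields: " + ", ".join(missing))
        if row["stop_date"] and date.fromisoformat(row["stop_date"]) < today:
            issues.append("enabled past stop date")
        # An account that never logged in is aged from its start date.
        last_seen = row["last_login"] or row["start_date"]
        if not last_seen or today - date.fromisoformat(last_seen) > DORMANT_AFTER:
            issues.append("dormant: no login in 45 days")
        validated = row["last_validated"]
        if not validated or today - date.fromisoformat(validated) > REVIEW_EVERY:
            issues.append("authorization not validated this quarter")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, date(2024, 6, 1))
    for user, issues in report.items():
        print(user, "->", "; ".join(issues))
```

An account with no name or department and no validation record, like the constructed `tmpadmin` row, is the kind of unexplained addition that the notes on 5.1 say to verify.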