Today, I will be going over Control 4 from version 7 of the top 20 CIS Controls – Controlled Use of Administrative Privileges. I will go through the nine requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 4
- Get this control right. Attackers would love to get their hands on your admin credentials. Control 4 is in the top five for that very reason. Administrative credentials are as valuable as the data you are trying to protect. Give them the same level of care you would give your organization’s most sensitive data.
- Follow best practices. Every compliance framework and hardening benchmark has guidance on handling credentials, not just those of administrators. Look to those for inspiration on what to do in your own environment.
- Think seriously about two-factor authentication. There is guidance on enabling MFA for administrative users, but why not all users? Not just when accessing the VPN, but all the time. There is going to be a cost/resource issue, but we’re well overdue for making this a requirement.
Requirement Listing for Control 4
1. Maintain Inventory of Administrative Accounts
Description: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
Notes: Attackers are going to go after administrative accounts. With admin access, there’s no need to burn costly zero-days and create a bunch of noise in the environment. Know what the attackers are after so you can create appropriate controls and implement detection mechanisms.
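One way to automate the inventory this requirement asks for, as an added example that is not part of the original post: parse the privileged-group listings from a Windows host (`net localgroup Administrators`) and a Linux host (`getent group`), then reconcile them against an approved list. The host names, sample output and approved list are all constructed for the example.

```python
# Constructed sample output of `net localgroup Administrators` on a Windows host.
WIN_OUTPUT = """Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
CORP\\svc-backup
The command completed successfully.
"""
# Constructed sample output of `getent group sudo wheel` on a Linux host.
LINUX_OUTPUT = "sudo:x:27:alice,bob\nwheel:x:10:alice,tmpadmin\n"
# Hypothetical approved holders of elevated privilege, keyed by (host, group).
APPROVED = {
    ("win-fs01", "Administrators"): {"Administrator", "CORP\\Domain Admins", "CORP\\jsmith"},
    ("lnx-db01", "sudo"): {"alice", "bob"},
    ("lnx-db01", "wheel"): {"alice"},
}

def parse_net_localgroup(text):
    """Member names are the non-empty lines after the dashed rule, up to the footer."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("----")) + 1
    return {l.strip() for l in lines[start:] if l.strip() and not l.startswith("The command")}

def parse_getent_group(text):
    """Map group name to its member set from getent group output."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups

def reconcile(observed, approved):
    """Return (unauthorized, stale): members without approval, approvals no longer present."""
    unauthorized, stale = [], []
    for key, members in observed.items():
        allowed = approved.get(key, set())
        unauthorized += [(*key, m) for m in sorted(members - allowed)]
        stale += [(*key, m) for m in sorted(allowed - members)]
    return unauthorized, stale

def inventory():
    """Build the observed picture from both hosts and reconcile it with APPROVED."""
    observed = {("win-fs01", "Administrators"): parse_net_localgroup(WIN_OUTPUT)}
    for group, members in parse_getent_group(LINUX_OUTPUT).items():
        observed[("lnx-db01", group)] = members
    return reconcile(observed, APPROVED)

if __name__ == "__main__":
    bad, stale = inventory()
    print("unauthorized:", bad, "stale approvals:", stale)
```

Run on a schedule against real collector output, the stale list is as useful as the unauthorized one: approvals for accounts that no longer hold the privilege are the ones that tend to get re-granted without review.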
2. Change Default Passwords
Description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Notes: Note that the replacement for every default password should follow the password recommendations for administrative-level accounts. Granted, most default accounts do have admin-level access. If possible, remove or rename the default account as well to avoid a brute-force scenario.
3. Ensure the Use of Dedicated Administrative Accounts
Description: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
Notes: This sure does sound a lot like controls 11.6 and 11.7. These are all sides of the same triangle. Limiting exposure of administrative accounts will reduce the likelihood that an attacker can grab domain admin credentials when hunting for them on the network.
4. Use Unique Passwords
Description: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
Notes: It would be nice if they stated that unique passwords should be used everywhere, but that is more of a guideline for the Internet in general. If an attacker were to steal a password on one device, you don’t want them able to move laterally around the network on that same set of credentials.
5. Use Multifactor Authentication For All Administrative Access
Description: Use multi-factor authentication and encrypted channels for all administrative account access.
Notes: This sure does sound a lot like control 11.5. The same recommendations apply here. First, make sure encrypted channels are being used. Then implement MFA wherever possible.
6. Use Dedicated Workstations for All Administrative Tasks
Description: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization’s primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the internet.
Notes: This is actually a complete copy of the description from 11.6, but with network engineers replaced by administrators. I think they should just merge the two, since there is no difference in how you would go about securing them.
7. Limit Access to Scripting Tools
Description: Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Notes: Why drop a piece of malware if you can live off the land? Since Windows is called out directly here, I’d like to mention that you can limit who has access to run PowerShell and other scripting languages quite easily with AppLocker. Our MITRE ATT&CK content can quickly assess and provide guidance on locking your endpoints down to this level of security.
8. Log and Alert on Changes to Administrative Group Membership
Description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Notes: Both Windows and Unix systems have the capability to enable this level of logging. Another layer of defense is to audit the accounts at a regular interval as well. Use a tool such as Tripwire Enterprise to validate the auditing configuration as well as to check the users’ level of access.
9. Log and Alert on Unsuccessful Administrative Account Login
Description: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Notes: Look to CIS and DISA for guidance on what auditing options to enable, including this one. There are many more attack vectors besides brute force that can be detected with the proper auditing enabled.
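Requirements 8 and 9 together describe alerting logic that a SIEM rule or a small collector script can implement. The following is an added example, not code from the original post: it runs over constructed Windows Security log events (4728/4732/4756 for additions to a group, 4729/4733/4757 for removals, 4625 for a failed logon) and raises one alert per change to a watched admin group and per failed logon to a watched admin account, also flagging a source that fails repeatedly within a short window. The watchlists, host names, account names and timestamps are all assumed for the example.

```python
from datetime import datetime, timedelta

# Group-membership events: 4728/4732/4756 = member added (global/local/universal group),
# 4729/4733/4757 = member removed. 4625 = an account failed to log on.
ADD_IDS, REMOVE_IDS, FAILED_LOGON = {4728, 4732, 4756}, {4729, 4733, 4757}, 4625
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}  # assumed watchlist
ADMIN_ACCOUNTS = {"adm-jsmith", "Administrator"}                          # assumed watchlist

# Constructed sample events; only the Security-log fields of interest are kept.
EVENTS = [
    {"t": "2019-03-04T10:00:05", "id": 4732, "group": "Remote Desktop Users", "member": "CORP\\bob", "actor": "adm-jsmith"},
    {"t": "2019-03-04T10:01:10", "id": 4728, "group": "Domain Admins", "member": "CORP\\svc-backup", "actor": "adm-jsmith"},
    {"t": "2019-03-04T10:02:00", "id": 4729, "group": "Domain Admins", "member": "CORP\\oldadmin", "actor": "adm-jsmith"},
    {"t": "2019-03-04T10:05:00", "id": 4625, "account": "adm-jsmith", "src": "10.0.5.23"},
    {"t": "2019-03-04T10:05:02", "id": 4625, "account": "adm-jsmith", "src": "10.0.5.23"},
    {"t": "2019-03-04T10:05:04", "id": 4625, "account": "adm-jsmith", "src": "10.0.5.23"},
    {"t": "2019-03-04T10:30:00", "id": 4625, "account": "jdoe", "src": "10.0.7.9"},
]

def admin_group_changes(events, admin_groups=ADMIN_GROUPS):
    """Requirement 8: one alert per add/remove that touches a watched admin group."""
    alerts = []
    for e in events:
        if e["id"] in ADD_IDS | REMOVE_IDS and e["group"] in admin_groups:
            action = "added to" if e["id"] in ADD_IDS else "removed from"
            alerts.append(f'{e["t"]} {e["member"]} {action} {e["group"]} by {e["actor"]}')
    return alerts

def failed_admin_logons(events, admin_accounts=ADMIN_ACCOUNTS, burst=3, window=timedelta(minutes=5)):
    """Requirement 9: alert on every failed logon to an admin account, and flag
    (account, source) pairs that reach `burst` failures within `window`."""
    alerts, recent, bursts = [], {}, set()
    for e in events:
        if e["id"] != FAILED_LOGON or e["account"] not in admin_accounts:
            continue
        ts = datetime.fromisoformat(e["t"])
        alerts.append(f'{e["t"]} failed logon to {e["account"]} from {e["src"]}')
        key = (e["account"], e["src"])
        recent[key] = [x for x in recent.get(key, []) if ts - x <= window] + [ts]
        if len(recent[key]) >= burst:
            bursts.add(key)
    return alerts, sorted(bursts)

if __name__ == "__main__":
    print("\n".join(admin_group_changes(EVENTS)))
    alerts, bursts = failed_admin_logons(EVENTS)
    print("\n".join(alerts), "\nrepeated failures:", bursts)
```

The addition to Remote Desktop Users and the failed logon for jdoe are deliberately left out of the output; the watchlists are what keep the alert volume down to the changes and failures that actually matter for this control.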