20 Critical Security Controls: Control 4 – Controlled Use of Administrative Privileges

Today, I will be going over Control 4 from version 7 of the CIS top 20 Critical Security Controls – Controlled Use of Administrative Privileges. I will go through the nine requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 4

Get this control right. Attackers would love to get their hands on your admin credentials. Control 4 is in the top five for that very reason. Administrative credentials are as valuable as the data you are trying to protect. Provide the same level of care for them as you would for your organization’s most sensitive data.

Follow best practices. Every compliance framework and hardening benchmark has guidance on handling credentials, not just those of administrators. Look to those for inspiration on what to do in your own environment.

Think seriously about two-factor authentication. There is guidance on enabling MFA for administrative users, but why not all users? Not just when accessing the VPN but all the time. There is going to be a cost/resource issue, but we’re well overdue for making this a requirement.

Requirement Listing for Control 4

1. Maintain Inventory of Administrative Accounts

Description: Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Notes: Attackers are going to go after administrative accounts. With admin access, there’s no need to burn costly zero-days and create a bunch of noise in the environment. Know what the attackers are after so you can create appropriate controls and implement detection mechanisms.

2. Change Default Passwords

Description: Before deploying any new asset, change all default passwords to have values consistent with administrative-level accounts.

Notes: Note that all default passwords should be changed following administrative-level password recommendations. Granted, most default accounts do have admin-level access. If possible, remove or rename the default account as well to avoid a brute-force scenario.

3. Ensure the Use of Dedicated Administrative Accounts

Description: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Notes: This sure does sound a lot like controls 11.6 and 11.7. These are all sides of the same triangle. Limiting exposure of administrative accounts will reduce the likelihood that an attacker can grab domain admin credentials when hunting for them on the network.

4. Use Unique Passwords

Description: Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Notes: It would be nice if they stated that unique passwords should be used everywhere, but that is more of a guideline for the Internet in general. If an attacker were to steal a password on one device, you don’t want them to be able to move laterally around the network on that same set of credentials.

5. Use Multifactor Authentication for All Administrative Access

Description: Use multi-factor authentication and encrypted channels for all administrative account access.

Notes: This sure does sound a lot like control 11.5. The same recommendations apply here. First, make sure encrypted channels are being used. Then implement MFA wherever possible.

6. Use Dedicated Workstations for All Administrative Tasks

Description: Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization’s primary network and not be allowed Internet access. This machine will not be used for reading email, composing documents, or browsing the internet.

Notes: This is actually a complete copy of the description from 11.6, but it replaces network engineers with administrators. I think they should just merge the two, since there is no difference in how you would go about securing them.

7. Limit Access to Scripting Tools

Description: Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

Notes: Why drop a piece of malware if you can live off the land? Since Windows is called out directly here, I’d like to mention that you can limit who has access to run PowerShell and other scripting languages quite easily with AppLocker. Our MITRE ATT&CK content can quickly assess and provide guidance on locking your endpoints down to this level of security.

8. Log and Alert on Changes to Administrative Group Membership

Description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Notes: Both Windows and Unix systems have the capability to enable this level of logging. Another layer of defense is to audit the accounts at a regular interval as well. Use a tool such as Tripwire Enterprise to validate the auditing configuration as well as to check users’ level of access.

9. Log and Alert on Unsuccessful Administrative Account Login

Description: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Notes: Look to CIS and DISA for guidance on which auditing options to enable, including this one. There are many more attack vectors besides brute force that can be detected with the proper auditing enabled.
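Requirement 1 asks for an automated inventory of administrative accounts. The script below is an added example (not from the original post) that builds that inventory for a Unix host from /etc/passwd and /etc/group content and diffs it against an approved baseline; the file contents, the baseline and the set of groups treated as administrative are all constructed assumptions.

```python
# Added example: inventory privileged Unix accounts from passwd/group text and
# compare against an approved baseline. All data below is constructed.

# Groups treated as administrative; this set is an assumption for the example.
ADMIN_GROUPS = {"root", "wheel", "sudo"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:10:Dave (primary group is wheel):/home/dave:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,carol
sudo:x:27:alice
"""


def privileged_accounts(passwd_text: str, group_text: str) -> set[str]:
    """Return every account that is uid 0 or belongs to an admin group."""
    admins = set()
    admin_gids = set()
    for line in group_text.splitlines():
        name, _, gid, members = line.split(":", 3)
        if name in ADMIN_GROUPS:
            admin_gids.add(gid)
            admins.update(m for m in members.split(",") if m)  # supplementary members
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[2] == "0" or fields[3] in admin_gids:  # uid 0, or primary group is admin
            admins.add(fields[0])
    return admins


def audit(passwd_text: str, group_text: str, authorized: set[str]) -> dict:
    """Diff the live inventory against the approved administrator list."""
    found = privileged_accounts(passwd_text, group_text)
    return {
        "unauthorized": sorted(found - authorized),  # elevated but never approved
        "missing": sorted(authorized - found),       # approved but not on the host
        "inventory": sorted(found),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_GROUP, {"root", "alice"}).items():
        print(f"{key}: {value}")
```

Run against real hosts, the "unauthorized" list is the one to alert on: a second uid-0 account or an unexpected wheel member is exactly what this requirement exists to catch.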
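Requirements 8 and 9 both come down to matching specific Security log events against a list of administrative groups and accounts. The following added example (not from the original post) does that over constructed, simplified Windows Security events in JSON-lines form: the event IDs are the standard Windows ones for group membership changes and failed logons, while the field names, hosts, groups and accounts are assumptions for this example.

```python
# Added example: alert on admin-group membership changes (requirement 8) and
# failed logons to admin accounts (requirement 9). Events are constructed and
# their field names are simplified from the native Windows event schema.
import json

# Member added to / removed from security-enabled local, global and universal groups.
GROUP_ADD = {4732, 4728, 4756}
GROUP_REMOVE = {4733, 4729, 4757}
LOGON_FAILED = 4625  # an account failed to log on

# Which groups and accounts are "administrative" is an assumption for this example.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"CORP\\adm-alice", "CORP\\adm-bob"}

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4732, "Host": "DC01", "SubjectUser": "CORP\\adm-alice",
     "TargetGroup": "Administrators", "Member": "CORP\\svc-backup"},
    {"EventID": 4732, "Host": "WS07", "SubjectUser": "CORP\\helpdesk",
     "TargetGroup": "Remote Desktop Users", "Member": "CORP\\carol"},
    {"EventID": 4756, "Host": "DC01", "SubjectUser": "CORP\\adm-bob",
     "TargetGroup": "Enterprise Admins", "Member": "CORP\\tmp-user"},
    {"EventID": 4625, "Host": "DC01", "TargetUser": "CORP\\adm-alice", "Status": "0xC000006D"},
    {"EventID": 4625, "Host": "WS07", "TargetUser": "CORP\\bob", "Status": "0xC000006D"},
    {"EventID": 4729, "Host": "DC01", "SubjectUser": "CORP\\adm-alice",
     "TargetGroup": "Domain Admins", "Member": "CORP\\adm-bob"},
])


def alerts_for(events_text: str) -> list[str]:
    """Return one alert line per event matching requirement 8 or 9."""
    found = []
    for line in events_text.splitlines():
        e = json.loads(line)
        eid = e["EventID"]
        if eid in GROUP_ADD | GROUP_REMOVE and e["TargetGroup"] in ADMIN_GROUPS:
            action = "added to" if eid in GROUP_ADD else "removed from"
            found.append(f"[REQ 8] {e['Member']} {action} {e['TargetGroup']} "
                         f"on {e['Host']} by {e['SubjectUser']} (EventID {eid})")
        elif eid == LOGON_FAILED and e["TargetUser"] in ADMIN_ACCOUNTS:
            found.append(f"[REQ 9] failed logon to admin account {e['TargetUser']} "
                         f"on {e['Host']} (status {e['Status']})")
    return found


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(alert)
```

The membership change to Remote Desktop Users and the failed logon for a standard user are deliberately left unflagged so the rule stays focused on the groups and accounts that matter for this control.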
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

Read more about the 20 Critical Security Controls here:

Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges