:star: G5 Administrative Privilege Control
:checkered_flag: G5-1
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
:checkered_flag: G5-2
Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.
:checkered_flag: G5-3
Before deploying any new devices to the environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
:checkered_flag: G5-4
Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
:checkered_flag: G5-5
Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
:checkered_flag: G5-6
Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can use a variety of techniques, including smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.
:checkered_flag: G5-7
Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).
:checkered_flag: G5-8
Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.