Check: 1.006
Windows 7 STIG: 1.006 (in versions v1 r32 through v1 r25)
Title
Users with administrative privilege must be documented and have separate accounts for administrative duties and normal operational tasks. (Cat I impact)
Discussion
Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges. The rule of least privilege must always be enforced.
Check Content
Verify the following:

- The necessary documentation that identifies members of the Administrators group exists with the ISSO.
- Each user with administrative privileges has been assigned a unique administrator account, separate from the built-in "Administrator" account.
- Each user with administrative privileges has a separate account for performing normal (non-administrative) functions.
- Administrators must be properly trained before being permitted to perform administrator duties.
- Use of the built-in Administrator account must not be allowed.

If any of these conditions are not met, this is a finding.
Fix Text
- Create necessary documentation that identifies members of the Administrators group, to be maintained with the ISSO.
- Create unique administrator accounts, separate from the built-in "Administrator" account, for each user with administrative privileges.
- Create separate accounts for performing normal (non-administrative) functions for each user with administrative privileges.
- Properly train users with administrative privileges.
- Do not allow the use of the built-in Administrator account.
Additional Identifiers
Rule ID: SV-24997r3_rule
Vulnerability ID: V-1140
Group Title: Users with Administrative Privilege
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |