Check: 1.006-01
Windows XP STIG:
1.006-01
(in versions v6 r1.32 through v1 r0)
Title
Policy must require that administrative user accounts not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. (Cat I impact)
Discussion
Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative user account. Since administrative user accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy requires administrative users not access the internet or use applications, such as email. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
Check Content
Determine if site policy prohibits the use of applications that access the internet, such as web browsers, or with potential internet sources, such as email, by administrative user accounts, except as necessary for local service administration. If it does not, this is a finding.
Fix Text
Establish a site policy to prohibit the use applications that access the internet, such as web browsers, or with potential internet sources, such as email, by administrative user accounts. Ensure the policy is enforced.
Additional Identifiers
Rule ID: SV-47861r1_rule
Vulnerability ID: V-36451
Group Title: Accounts with administrative privileges Internet access
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |