CIS CSC #4 – Controlled Use of Administrative Privileges

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

This control includes nine (9) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, two (2) of them are IG1 sub-controls and the remaining seven (7) are introduced at IG2. This means that, at a minimum, we want to:

  • Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Default credentials can wipe out all your efforts to secure your environment in an instant. This is a vulnerability I see in almost every environment I go into. Oftentimes this is not a widespread issue, and it is likely on a lower-risk system (multi-function printers are the most common). While this is not the same as default credentials on a public-facing firewall, tools like the Printer Exploitation Toolkit (PRET) can be used to exploit this vulnerability and obtain access to sensitive data. I have seen this lead to stored credentials (for other systems) as well as stored files (scan to PDF).

The use of a dedicated administrative account is a great way to further reduce the risk of a user falling for a targeted social engineering attack. Users with high-value access should not be using those accounts to browse the web or check email – two of the highest risk activities users perform.

# Example PowerShell script to generate a list of users in
# specific administrative groups. This can be compared over
# time to identify changes.
# "Domain Admins" can be replaced with any group you are monitoring.
# Requires the ActiveDirectory module (part of RSAT).

Import-Module ActiveDirectory

# -Recursive flattens nested groups; the objectClass filter keeps
# Get-ADUser from being handed a computer or group DN, which would error.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName } |
    Select-Object DistinguishedName, Name, Enabled

# Example Output

DistinguishedName                                Name           Enabled
-----------------                                ----           -------
CN=Administrator,CN=Users,DC=test.com,DC=local   Administrator  True
CN=John Doe,CN=Users,DC=test.com,DC=local        John Doe       True

# This could also be passed to Export-Csv to keep a record of past queries for comparison.
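The snapshot-and-compare idea above, carried through as an added example (this is not code from the original post): each run writes the current membership of an administrative group to a timestamped CSV, then diffs it against the most recent earlier snapshot and reports accounts that were added or removed, which is exactly the signal sub-control 4.8 (alerting on administrative group membership changes) needs. It assumes the ActiveDirectory module (RSAT), read access to the group, and the snapshot directory path and group name shown, all of which are assumptions you should change to suit your environment.

```powershell
# Added example: snapshot an admin group's membership and diff it against
# the previous snapshot. Requires the ActiveDirectory module (RSAT).
# The group name and snapshot directory are assumed defaults.
param(
    [string]$GroupName   = 'Domain Admins',
    [string]$SnapshotDir = 'C:\AdminAudit\Snapshots'   # assumed location
)

Import-Module ActiveDirectory

# Collect the current members. -Recursive flattens nested groups; the
# objectClass filter keeps Get-ADUser from being handed a computer or group DN.
function Get-AdminSnapshot {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate } |
        Select-Object DistinguishedName, SamAccountName, Name, Enabled, LastLogonDate |
        Sort-Object DistinguishedName
}

# Compare two snapshots on DistinguishedName and emit one row per change.
# Compare-Object's '=>' side is "only in Current" (added), '<=' is
# "only in Previous" (removed).
function Compare-AdminSnapshot {
    param([object[]]$Previous, [object[]]$Current)
    $diff = Compare-Object -ReferenceObject $Previous -DifferenceObject $Current `
                -Property DistinguishedName -PassThru
    foreach ($entry in $diff) {
        $change = if ($entry.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        [pscustomobject]@{
            Change            = $change
            DistinguishedName = $entry.DistinguishedName
            SamAccountName    = $entry.SamAccountName
            Enabled           = $entry.Enabled
        }
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

# Timestamp format sorts lexically, so a name sort gives chronological order.
$safeName = $GroupName -replace '[^A-Za-z0-9]', '_'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$thisFile = "$safeName-$stamp.csv"

$current = @(Get-AdminSnapshot -Group $GroupName)
$current | Export-Csv -Path (Join-Path $SnapshotDir $thisFile) -NoTypeInformation

# Most recent earlier snapshot for the same group, if one exists.
$previousFile = Get-ChildItem -Path $SnapshotDir -Filter "$safeName-*.csv" |
    Where-Object { $_.Name -ne $thisFile } |
    Sort-Object Name -Descending |
    Select-Object -First 1

if ($null -eq $previousFile) {
    Write-Host "Baseline saved as $thisFile; no previous snapshot to compare."
} else {
    # Import-Csv yields strings (e.g. Enabled = "True"); the comparison key
    # is DistinguishedName, so that does not affect the diff.
    $previous = @(Import-Csv -Path $previousFile.FullName)
    $changes  = @(Compare-AdminSnapshot -Previous $previous -Current $current)
    if ($changes.Count -eq 0) {
        Write-Host "No membership changes in '$GroupName' since $($previousFile.Name)."
    } else {
        # Every row here should map to an approved change ticket; anything
        # else is a finding (or an alert, if this runs on a schedule).
        $changes | Format-Table -AutoSize
    }
}
```

Run it on a schedule (for example, from a scheduled task under a least-privileged read-only account) and feed the ADDED/REMOVED rows to whatever raises your alerts. Keeping the per-run CSVs gives you the historical record the original snippet mentions, and the diff is keyed on DistinguishedName rather than display name so a renamed account still shows up as one object, not as a removal plus an addition.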

Related News Stories

Relevant Tools

Commercial                                        Open-Source & "Freemium"
------------------------------------------------  -------------------------------------------
Just In Time Privileged Access (CyberArk)         cat / diff
Defendpoint (Avecto)                              PowerShell Get-WmiObject / Get-CimInstance
Tripwire Enterprise                               sudo
Change Auditor (Quest)
System Center and Active Directory (Microsoft)
Access Auditor (SCC)
Endpoint Privilege Management (BeyondTrust)

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #4 page here.
