Critical Control 8: Controlled Use of Administrative Privileges

How do attackers exploit the lack of this control?

According to some Blue Team personnel as well as investigators of large-scale Personally Identifiable Information (PII) breaches, misuse of administrative privileges is the number one method attackers use to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user is fooled into opening a malicious e-mail attachment, downloading and opening a file from a malicious web site, or simply browsing to a web site that hosts attacker content able to exploit the browser automatically. The file or exploit contains executable code that runs on the victim's machine, either automatically or by tricking the user into executing the attacker's content. If the victim's account has administrative privileges, the attacker takes over the machine completely and can install keystroke loggers, sniffers, and remote-control software to harvest administrator passwords and other sensitive data.

The second common technique is elevation of privilege by guessing or cracking the password of an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because many more accounts become avenues through which administrative privileges can be compromised. One of the most common of these attacks targets domain administrator privileges in large Windows environments, which give the attacker control over large numbers of machines and access to the data they contain.

How can this control be implemented, automated, and its effectiveness measured?

  1. QW: Organizations should inventory all administrative passwords and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard.
  2. QW: Before deploying any new devices in a networked environment, organizations should change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.
  3. QW: Organizations should configure all administrative-level accounts to require regular password changes on a 30-, 60-, or 90-day interval.
  4. QW: Organizations should ensure all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis as is done for traditional user and administrator passwords.
  5. QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser privileges.
  6. QW: Organizations should ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet.
  7. QW: Through policy and user awareness, organizations should require that administrators establish unique, different passwords for their administrator accounts and their non-administrative accounts. On systems that store unsalted password hashes, such as Windows (whose NT hashes are unsalted, so identical passwords yield identical hashes), this can be verified in a password audit by comparing the hashes of each account used by a single person.
  8. QW: Organizations should configure operating systems so that passwords cannot be re-used within a certain time frame, such as six months.
  9. Vis/Attrib: Organizations should implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g., system reconfigurations during night shift).
  10. Vis/Attrib: Organizations should configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators group.
  11. Config/Hygiene: All administrative access, including domain administrative access, should utilize two-factor authentication.
  12. Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged in to the machine without admin privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, runas on Windows, and similar facilities on other types of systems.
  13. Config/Hygiene: Organizations should conduct targeted spear-phishing tests against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering.
  14. Advanced: Organizations should segregate administrator accounts based on defined roles within the organization. For example, "Workstation admin" accounts should only be allowed administrative access to workstations, laptops, etc.

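Item 12 depends on the remote-access service actually refusing the administrator account. The following is an added example, not part of the SANS control text: a portable sh/awk audit of the OpenSSH `PermitRootLogin` setting that captures two sshd behaviours an auditor must know. First, sshd uses the first value it finds for a keyword, so a `no` appended below an earlier `yes` changes nothing. Second, directives under a `Match` block are conditional and do not set the global value, and when nothing is set the OpenSSH default (prohibit-password since 7.0) still allows root to log in with a key. The sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SANS page). Audits sshd_config for item 12:
# administrators must not be able to log in remotely as root.
# All files under SAMPLE_DIR are constructed sample data (assumption).

# effective_permit_root_login FILE: print the PermitRootLogin value sshd will
# use, lower-cased, or "unset" when the global section never sets it.
# sshd honours the FIRST occurrence of a keyword and accepts "Keyword value"
# or "Keyword=value"; everything after the first "Match" line is conditional,
# so the scan stops there.
effective_permit_root_login() {
  awk '
    {
      sub(/^[ \t]+/, "")                         # leading whitespace is allowed
      split($0, f, /[ \t]*=[ \t]*|[ \t]+/)       # keyword / value
      key = tolower(f[1])                        # keywords are case-insensitive
    }
    key == "match" { exit }                      # end of the global section
    key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# root_login_blocked FILE: succeed only when root may not log in over SSH at all.
# "unset" is a failure: the default prohibit-password still permits key logins.
root_login_blocked() {
  [ "$(effective_permit_root_login "$1")" = "no" ]
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Weak: a "no" was appended below an earlier "yes"; sshd keeps "yes".
cat > "$SAMPLE_DIR/sshd_weak" <<'EOF'
Port 22
PermitRootLogin yes
# added later, has no effect because the first value wins:
PermitRootLogin no
EOF
# Default: nothing set, so prohibit-password applies and root keys still work.
cat > "$SAMPLE_DIR/sshd_default" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
EOF
# Mistaken: the "no" sits under a Match block and never becomes global.
cat > "$SAMPLE_DIR/sshd_match_only" <<'EOF'
Port 22
Match User deploy
    PermitRootLogin no
EOF
# Fixed: root is blocked globally; admins log in as themselves and use sudo.
cat > "$SAMPLE_DIR/sshd_fixed" <<'EOF'
Port 22
PermitRootLogin=no
Match Group sftponly
    ForceCommand internal-sftp
EOF

for f in sshd_weak sshd_default sshd_match_only sshd_fixed; do
  if root_login_blocked "$SAMPLE_DIR/$f"; then verdict=OK; else verdict=FAIL; fi
  printf '%-16s PermitRootLogin=%-8s %s\n' "$f" \
    "$(effective_permit_root_login "$SAMPLE_DIR/$f")" "$verdict"
done
```

On a live host, run `root_login_blocked /etc/ssh/sshd_config` (and, on newer OpenSSH builds, `sshd -T | grep -i permitrootlogin` shows the value sshd itself computed, including any `Include` files this script does not follow). Pair the check with a review of `/etc/sudoers` so that the non-administrative login the control requires really does have a logged path to elevate.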
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:

AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)

Procedures and tools for implementing this control:

Built-in operating system features can extract lists of accounts with superuser privileges, both locally on individual systems and on overall domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel could periodically gather a list of running processes in an attempt to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.

Additionally, to prevent administrators from accessing the web using their administrator accounts, administrative accounts can be configured to use a web proxy of 127.0.0.1 in some operating systems that allow user-level configuration of web proxy settings. Furthermore, in some environments, administrator accounts do not require the ability to receive e-mail. These accounts can be created without an e-mail box on the system.

To enforce the requirement for password length of 12 or more characters, built-in operating system features for minimum password length can be configured, which prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.

Control 8 Metric:

The system must be configured to comply with password policies at least as stringent as those described in the controls above. Additionally, security personnel must be notified via an alert or e-mail within 24 hours of the addition of an account to a super-user group, such as a domain administrators group. Every 24 hours after that point, the system must alert or send e-mail about the status of administrative privileges until the unauthorized change has been corrected or authorized through a change management process. While the 24-hour timeframes represent the current metric to help organizations improve their current state of security, in the future organizations should strive for even more rapid alerting, with notification about new additions to super-user groups being sent within two minutes.
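The detection logic behind this metric, as an added example rather than anything from the SANS page, written in portable sh/awk and run over constructed log samples. On Windows the relevant Security log events are 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group) and 4729, 4733 and 4757 (member removed); the five-column CSV layout used here is an assumed export format, not a fixed Windows one. On Linux the lines follow the shadow-utils `usermod` and `gpasswd` syslog wording found in `/var/log/secure` or `auth.log`. The third function implements the "keep alerting until authorized" part of the metric by diffing the current group membership against a change-management approved list.

```shell
#!/bin/sh
# Added example (not from the SANS page): alert on changes to privileged group
# membership, and keep flagging members with no change record.
# SAMPLE_DIR holds constructed sample data (assumption); the Windows CSV layout
# "time,event_id,subject,member,group" is assumed.

# Groups whose membership changes must page someone. Extend for your domain.
PRIV_GROUPS='Domain Admins|Enterprise Admins|Schema Admins|Administrators|wheel|sudo|root'

# admin_group_events CSV: one line per add/remove that touches a privileged group.
admin_group_events() {
  awk -F, -v re="^(${PRIV_GROUPS})\$" '
    { act = "" }
    $2 == 4728 || $2 == 4732 || $2 == 4756 { act = "ADD" }     # global/local/universal
    $2 == 4729 || $2 == 4733 || $2 == 4757 { act = "REMOVE" }
    act != "" && $5 ~ re { print $1, act, $4, "->", $5, "by", $3 }
  ' "$1"
}

# admin_group_syslog FILE: usermod/gpasswd membership changes on privileged groups.
admin_group_syslog() {
  awk -v re="group '?(${PRIV_GROUPS})'?\$" '
    /usermod\[[0-9]+\]: (add|delete) / ||
    /gpasswd\[[0-9]+\]: user .* (added|removed) by / { if ($0 ~ re) print }
  ' "$1"
}

# unapproved_members CURRENT APPROVED: lines of CURRENT (one member per line,
# e.g. today's Domain Admins listing) with no exact match in APPROVED (the
# change-management record). Anything printed should alert again tomorrow.
unapproved_members() {
  grep -v -x -F -f "$2" "$1" || true      # grep exits 1 when nothing is left
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/win_events.csv" <<'EOF'
2012-03-05T22:41:10,4728,CORP\helpdesk3,CORP\mallory,Domain Admins
2012-03-05T22:42:01,4732,WS07\localadmin,WS07\svc_backup,Administrators
2012-03-05T22:50:12,4728,CORP\helpdesk3,CORP\bob,Sales
2012-03-06T08:15:33,4729,CORP\itsec,CORP\mallory,Domain Admins
EOF
cat > "$SAMPLE_DIR/secure.log" <<'EOF'
Mar  5 22:13:07 fs01 usermod[4121]: add 'mallory' to group 'wheel'
Mar  5 22:13:09 fs01 gpasswd[4130]: user mallory added by root to group wheel
Mar  5 22:14:00 fs01 usermod[4140]: add 'mallory' to group 'video'
Mar  6 09:00:00 fs01 gpasswd[5001]: user mallory removed by root from group wheel
EOF
printf '%s\n' 'CORP\Administrator' 'CORP\alice' 'CORP\mallory' > "$SAMPLE_DIR/domain_admins.now"
printf '%s\n' 'CORP\Administrator' 'CORP\alice' > "$SAMPLE_DIR/domain_admins.approved"

echo '== Windows Security log =='
admin_group_events "$SAMPLE_DIR/win_events.csv"
echo '== Linux auth log =='
admin_group_syslog "$SAMPLE_DIR/secure.log"
echo '== Domain Admins members lacking a change record =='
unapproved_members "$SAMPLE_DIR/domain_admins.now" "$SAMPLE_DIR/domain_admins.approved"
```

Run the first two functions from a job that fires well inside the 24-hour window (and, for the two-minute target the metric aspires to, from a log forwarder rather than a cron job), and pipe their output to whatever pages the on-call person. The `unapproved_members` diff is what turns a one-time alert into the daily reminder the metric requires: it keeps printing until the member is either removed or added to the approved list.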

Control 8 Test:

To evaluate the implementation of Control 8 on a periodic basis, an evaluation team must verify that the organization's password policy is enforced by creating a temporary, disabled, limited privilege test account on ten different systems and then attempting to change the password on the account to a value that does not meet the organization's password policy. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. After completion of the test, this account must be removed. Furthermore, the evaluation team must add a temporary disabled test account to a super user group (such as a domain administrator group) to verify that an alert or e-mail is generated within 24 hours. After this test, the account must be removed from the group and disabled.

Finally, on a periodic basis, the evaluation team must run a script that determines which browser and e-mail client programs are running on a sample of ten test systems, including five clients and five servers. Any browsers or mail client software running with Windows administrator or Linux/Unix UID 0 privileges must be identified.
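The script this test calls for, and the account inventory described under "Procedures and tools" above, as one added example in portable sh/awk (it is not the page's own script). The functions take the standard file formats or `ps` output on stdin, so they run here over constructed samples and, unchanged, over live data on a Linux/Unix host. The list of client program names and the sample data are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the SANS page). Live usage on a host:
#   uid0_accounts /etc/passwd
#   group_members /etc/group wheel        # or sudo, admin, ...
#   ps -eo uid,user,pid,comm | privileged_clients
# SAMPLE_DIR holds constructed sample data (assumption).

# Interactive client programs that should never run as UID 0. Matched as a
# prefix, so firefox-esr, chromium-browser and soffice.bin are caught too.
CLIENT_PROGRAMS='firefox|chrome|chromium|iceweasel|opera|thunderbird|evolution|kmail|mutt|alpine|pine|libreoffice|soffice|oowriter'

# uid0_accounts PASSWD_FILE: every account whose UID is 0, not just "root".
# A second UID-0 account is a classic sign of an attacker-installed backdoor.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# group_members GROUP_FILE GROUP: explicit members of GROUP, one per line.
group_members() {
  awk -F: -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
  ' "$1"
}

# privileged_clients: stdin is `ps -eo uid,user,pid,comm` output (header
# optional); prints "user pid command" for client programs running as UID 0.
privileged_clients() {
  awk -v re="^(${CLIENT_PROGRAMS})" '$1 == 0 && $4 ~ re { print $2, $3, $4 }'
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/backup:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:
EOF
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
  UID USER       PID COMMAND
    0 root         1 systemd
    0 root       900 sshd
    0 root      4210 firefox-esr
 1000 alice     4300 firefox-esr
    0 root      4355 thunderbird
    0 root      4360 soffice.bin
EOF

echo '== UID 0 accounts =='
uid0_accounts "$SAMPLE_DIR/passwd"
echo '== wheel members =='
group_members "$SAMPLE_DIR/group" wheel
echo '== client programs running as root =='
privileged_clients < "$SAMPLE_DIR/ps.txt"
```

`group_members` lists only explicit members; accounts whose primary group is the privileged one (the fourth field of their `/etc/passwd` entry) have to be cross-checked separately, and `sudo` rights granted directly to a user in `/etc/sudoers` do not appear in `/etc/group` at all. On Windows the equivalent inputs are `net localgroup Administrators` (or the domain group via `net group "Domain Admins" /domain`) and `tasklist /V`, whose "User Name" column shows which account each browser or mail client is running as. As the procedures section notes, a one-off hit may be legitimate short-term administration; it is the repeated or long-running hit that indicates the control is being ignored.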

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT