One of the most famous wizards of all time, Harry Potter, learned that he was destined to attend Hogwarts School of Witchcraft and Wizardry on his 11th birthday. It was then that Harry acquired his first wand at Ollivanders shop in Diagon Alley.
From the moment he received his first wand, Harry had to learn how to wield its power. Similarly, in the digital landscape, giving every user administrator privileges is like handing them a wand without proper training. Just as aspiring wizards are taught and guided by experienced mentors, properly trained administrators can manage and maintain enterprise assets effectively, ensuring that power is wielded responsibly.
Administrators, who hold elevated permissions for managing and configuring systems, should use dedicated administrator accounts exclusively for those tasks. On the other hand, general computing activities like internet browsing, email communication, and productivity software usage should occur within standard user accounts.
Administrator accounts are like keys to the kingdom. They have the capability to tweak system settings, access confidential data, and modify user rights. If mismanaged, these privileges can lead to unintentional disruptions, breaches, or malicious exploitation. At its heart, Safeguard 5.4 advocates for clear demarcation: regular activities (like reading emails or browsing) and admin-related tasks should not be mingled on a single account.
To effectively integrate CIS Safeguard 5.4, organizations should establish separate profiles exclusively for administrative tasks, ensuring that these aren't used for everyday activities. Admin privileges should be judiciously granted based on job requirements, with consistent oversight and periodic reviews of these accounts. Heightened security measures, such as integrating multifactor authentication (MFA) for these pivotal accounts, are crucial. Lastly, it's vital to equip individuals with these privileges with the necessary knowledge about their responsibilities, ensuring they are aware of potential risks and the importance of their role.
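One way to run the periodic review described above is to check an account inventory for Safeguard 5.4 violations: privileged group membership on a non-dedicated account, a privileged account that also carries a mailbox (a sign it is used for everyday work), and a privileged account without MFA. This is an added example, not from the original post or from CIS; the CSV layout, the `adm-` naming convention, and the sample rows are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample inventory (not real data): one row per account, in the
# shape an IT team might export for a quarterly privileged-access review.
SAMPLE_INVENTORY = """account,groups,has_mailbox,mfa_enrolled
hpotter,Domain Users,yes,yes
adm-hpotter,Domain Users;Domain Admins,no,yes
rweasley,Domain Users;Domain Admins,yes,no
adm-hgranger,Domain Users;Administrators,yes,yes
adm-svc-backup,Domain Users;Administrators,no,no
"""

# Groups treated as privileged for the purpose of this review.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# Assumed naming convention for dedicated administrator accounts.
ADMIN_PREFIX = "adm-"


@dataclass
class Finding:
    account: str
    issue: str


def review_privileged_accounts(inventory_csv: str) -> List[Finding]:
    """Return one Finding per Safeguard 5.4 violation in the inventory.

    Non-privileged accounts are skipped: the safeguard is about keeping
    elevated rights on dedicated accounts, not about ordinary users.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups = set(row["groups"].split(";"))
        if not groups & PRIVILEGED_GROUPS:
            continue
        account = row["account"]
        if not account.startswith(ADMIN_PREFIX):
            findings.append(Finding(account, "privileged group membership on a non-dedicated account"))
        if row["has_mailbox"] == "yes":
            findings.append(Finding(account, "privileged account also has a mailbox (general computing use)"))
        if row["mfa_enrolled"] != "yes":
            findings.append(Finding(account, "privileged account without MFA"))
    return findings


if __name__ == "__main__":
    for f in review_privileged_accounts(SAMPLE_INVENTORY):
        print(f"{f.account}: {f.issue}")
```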
Here’s a link to an Account and Credential Management Policy Template provided free of charge by the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 5 – Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Implementation Group 1
CIS Safeguard 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, nonprivileged account.