I think the accepted solution is that the admin person(s) has two accounts, e.g.
asm...@company.com that they use for day-to-day work, including email access, but which is not an admin account. But when required, they use a second account,
e.g. asm...@company.com, to carry out any tasks that require admin access. This second account may have no email account, or might be blocked from web browsing by filtering. You can also create a policy document/training sheet that states admin accounts should not be used for email access/web browsing. This is what I did for CE and it was compliant.
I know what the wording of the question is. But the AIM of the question, or more specifically the intent behind the question, is to establish that admin accounts are NOT able to engage in high risk behaviours.
It is still a requirement even for a single PC company, but it would be difficult/impossible to demonstrate a technical measure in such a setup. It is still worth demonstrating a policy based measure that avoids admin account emailing & browsing e.g. having a user account with user permissions distinct from an admin account and that the admin account is used ONLY for admin tasks, not day to day business.
The requirements of Cyber Essentials, Evendine, are set out by a working group including many different parties; however, the key input comes from Subject Matter Experts from the National Cyber Security Centre, part of GCHQ, and they determine the requirements of the standard which Certification Bodies are here to apply.
The first issue with PAM is that you are not delivering account separation (a minimum requirement of Cyber Essentials); therefore, you are not compliant with the standard when using this method of admin access.
Providing access via PAM, you are providing access for a user for many different functions which, perhaps, they are not considering whilst in elevated mode; thus the enhanced risk of using PAM, and one of the reasons it is not supported. With account separation (better still when used with elevation) you are accessing an admin function just for that moment, not for a period of time; without elevation, you are accessing the function in a known manner without any user baggage, whereby the user may have been compromised.
If your support provider (MSP) has 20 engineers that all access your systems, then they should have 20 accounts on your system, one for each of those engineers; each of those accounts should be appropriately secured with a 12 character password and ideally MFA.
This is one issue that isn't open for any discussion, any workaround, any compromise; it's a requirement of the standard that you have a unique admin account per person/admin and that these are not shared with anyone. These accounts are not to be used for any day-to-day access and should be used only for admin functions where required, ideally using elevation and not interactive login. Just-In-Time Access / Privilege Access Management is not acceptable, as they do not deliver account separation.
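The rules stated above (one admin account per person, never shared, not mail-enabled, 12-character password, MFA, and a separate standard account for day-to-day work) can be checked mechanically against an account inventory. The script below is an added example, not an official Cyber Essentials tool or the poster's code; the inventory is constructed, and the password_length field is assumed to come from a directory policy audit rather than from any stored password.

```python
"""Audit a constructed account inventory against the account-separation
rules discussed in the thread. Example code, not an official CE tool."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    owners: tuple          # people who know the credential; more than one means shared
    privileged: bool       # admin rights on the device, domain or cloud tenant
    mail_enabled: bool     # has a mailbox, so could be used for day-to-day email
    mfa_enabled: bool
    password_length: int   # constructed value; a real audit reads the policy, not the password

MIN_ADMIN_PASSWORD = 12  # minimum length quoted in the thread

def audit(accounts):
    """Return a sorted list of (account name, problem) findings for privileged accounts."""
    findings = []
    # Everyone who holds at least one non-privileged account has a day-to-day login.
    standard_holders = {o for a in accounts if not a.privileged for o in a.owners}
    for a in accounts:
        if not a.privileged:
            continue
        if len(a.owners) != 1:
            findings.append((a.name, "shared admin account"))
        for owner in a.owners:
            if owner not in standard_holders:
                findings.append((a.name, f"{owner} has no separate standard account"))
        if a.mail_enabled:
            findings.append((a.name, "admin account is mail-enabled"))
        if not a.mfa_enabled:
            findings.append((a.name, "no MFA"))
        if a.password_length < MIN_ADMIN_PASSWORD:
            findings.append((a.name, "password shorter than 12 characters"))
    return sorted(findings)

def compliant(accounts):
    return not audit(accounts)

# Constructed inventory (not real accounts): alice follows the recommended pattern,
# bob works from a mail-enabled admin account, helpdesk-adm is a shared weak account.
INVENTORY = [
    Account("alice", ("alice",), False, True, True, 14),
    Account("alice-adm", ("alice",), True, False, True, 16),
    Account("bob-adm", ("bob",), True, True, True, 20),
    Account("helpdesk-adm", ("carol", "dave"), True, False, False, 10),
    Account("carol", ("carol",), False, True, True, 12),
]

if __name__ == "__main__":
    for name, problem in audit(INVENTORY):
        print(f"{name}: {problem}")
```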
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services, and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled.
Every active user account in your organisation facilitates access to devices, applications, and sensitive business information. By ensuring that only authorised individuals have user accounts, and that they are granted only as much access as they need to perform their role, you reduce the risk of information being stolen or damaged.
Compared to normal user accounts, accounts with special access privileges have enhanced access to devices, applications, and information. When such accounts are compromised, their greater freedoms can be exploited to facilitate large-scale corruption of information, disruption to business processes, and unauthorised access to other devices in the organisation.
Now consider that if a user opens a malicious URL or email attachment, any associated malware is typically executed with the privilege level of the account that user is currently operating. This is why organisations must take special care over the allocation and use of privileged accounts.
The applicant must be in control of its user accounts and the access privileges granted to each user account. It must also understand how user accounts authenticate and control the strength of that authentication. This means the applicant must:
Protecting user accounts and helping prevent misuse of privileged accounts is essential for any cyber-secure system or network. User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
Any organisation whose employees connect to the Internet needs some level of access control in place. Access controls authenticate and authorise individuals to obtain information that they are permitted to see and use. Without appropriate access control there is no data security.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, offices and beyond.
Accounts with privileged access are a prime target for cyber criminals. This is because they offer more access compared to normal users, enabling unrestricted access to sensitive information as well as administrative rights to gain control of the network.
Convenience sometimes results in many users having administrative rights, which can create opportunities for exploitation. User accounts with special access privileges should only be assigned to authorised individuals and managed effectively.
Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.
When we perform Cyber Essentials and IASME Cyber Assurance assessments and consultancy with our customers, one of the main areas where we see people fail is that they are not using account separation in their daily operations, meaning that they are not using a separate standard user account alongside their administrative account, as per best practice.
When we bring this up with the customer, a lot of people ask why they need to use separate accounts, as it just makes their lives harder; this is especially so if they work in IT, are software developers, or are management. A lot of IT departments are also afraid to restrict their senior management, thinking that removing administrative access from their machines will increase complaints to IT or incur the wrath of management.
However, by implementing separate accounts for everyone and defaulting their access to a standard account on their devices within the business (and at home), you are protecting your information and with very little impact or overhead when it comes to requiring account separation.
When set up correctly, people can continue with their everyday operations as before; only when they require an administrative action, such as installing software or configuring devices, will they be prompted for an administrative login. When prompted, all the user needs to do is enter the credentials for the separate administrative account, if they know them, or contact IT for access, and then continue with their tasks.
By having this type of account separation in place, you are making sure that if your device is ever compromised, the amount of access to the device is limited: the attacker would not have full access to the device and would generally not be able to go any further without obtaining administrative access.
Staff should be trained to understand these methods of working and be on the lookout for unexpected access requests from the device. For example, if a user is working and then is suddenly prompted for administrative access, why is this? They should contact IT to see what is going on and should not simply give access if it was not expected.
Under Cyber Essentials, there are various controls that are related to administrative accounts and their use, writes Cyber Security Technologist Tyson McGuirk. The scheme makes it very clear that user accounts and admin accounts should be separate and only used for their intended purpose.
Users must keep email access away from admin accounts. Imagine clicking on a malicious program that had the ability to turn off the virus checker, access all your files, and install further malicious programs onto your device. Clicking on the same link as a standard user reduces the damage as many of the bad things attempted would require elevated privileges.
This is applicable to all accounts including cloud accounts. For example, if you were working within an IT department and had an account within Office365 that was able to create and manage users, it would be expected that you would have a separate day-to-day user account for your general use.
While privilege management encompasses many strategies, a central goal is enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.
Alternatively referred to as privileged account management, privileged identity management (PIM), or just privilege management, PAM is considered by analysts and technologists as one of the most important security projects for reducing cyber risk, addressing compliance initiatives, and qualifying for cyber insurance.