4.3: Ensure the Use of Dedicated Administrative Accounts
Sub-control 4.3 states that you must ensure all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Users | Protect | 1, 2, 3 |
Dependencies
- None
Inputs
1. The list of users defined as Administrators: all users who are Administrators.
2. The list of user accounts for the users defined in Input 1: a list of all user accounts for I1.
3. The list of users NOT defined as Administrators: all users who are not Administrators.
4. The list of user accounts for the users defined in Input 3: a list of all user accounts for I3.
5. The list of all user accounts: a list of all user accounts.
6. The list of all Administrative user accounts: a list of all Administrative user accounts.
7. The list of non-Administrative user accounts: a list of user accounts that do not have administrator access.
Operations
1. For each user defined in I1, collect the Administrative user account for that user from I6 and the non-Administrative user account from I7.
2. For each user defined in I3, collect any Administrative user account for that user from I6 and the non-Administrative user account from I7.
Measures
Measure | Definition |
---|---|
M1 = List of Admin users | A list of all administrative users. |
M2 = Count of items in M1 | A count of the total number of items in M1. |
M3 = List of users from Operation 1 | A list of all users identified from Operation 1. |
M4 = Count of items in M3 | A count of the total number of items in M3. |
M5 = List of users from Operation 2 | A list of all users identified from Operation 2. |
M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
Administrative User Accounts
Metric | Calculation |
---|---|
Determines whether each user identified as Administrative-level has at least one Administrative-level and one non-Administrative-level user account. | The mapping performed by Operation 1 must show that, for each Administrative-level user, at least 1 Administrative-level user account and at least 1 non-Administrative-level user account are available; otherwise, this metric is a FAIL. |
Unauthorized User Accounts
Metric | Calculation |
---|---|
Illustrates any non-Administrative-level users that have been assigned an Administrative-level user account. | If M6 > 0, then FAIL; otherwise PASS |
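The Operations and both Metrics above, carried out over a constructed account inventory, as an added example that is not part of the CIS document. It assumes each account record carries an `owner` (the human user) and an `is_admin` flag; how a real directory marks Administrative-level accounts (group membership, naming convention) is an implementation detail not specified here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    owner: str      # the human user who holds this account (assumed attribute)
    is_admin: bool  # True for Administrative-level accounts (assumed attribute)


# Constructed sample inventory; not data from any real environment.
USERS = {"alice", "bob", "carol", "dave"}          # all users
ADMIN_USERS = {"alice", "bob"}                     # Input 1
ACCOUNTS = [                                       # Input 5
    Account("alice", "alice", False),
    Account("alice-adm", "alice", True),           # alice: dedicated admin account
    Account("bob", "bob", False),                  # bob: admin user, no admin account
    Account("carol", "carol", False),
    Account("carol-adm", "carol", True),           # carol: non-admin user holding an admin account
    Account("dave", "dave", False),
]


def split_accounts(accounts):
    """Inputs 6 and 7: Administrative and non-Administrative accounts."""
    return ([a for a in accounts if a.is_admin],
            [a for a in accounts if not a.is_admin])


def map_accounts(users, admin_accts, non_admin_accts):
    """Operations 1 and 2: per user, the admin and non-admin accounts they hold."""
    return {u: ([a.name for a in admin_accts if a.owner == u],
                [a.name for a in non_admin_accts if a.owner == u])
            for u in users}


def metric_admin_user_accounts(admin_users, accounts):
    """Administrative User Accounts: FAIL unless every admin user has
    at least one admin and at least one non-admin account (M3 lists the users that do not)."""
    adm, std = split_accounts(accounts)
    mapping = map_accounts(admin_users, adm, std)
    failing = sorted(u for u, (a, s) in mapping.items() if not a or not s)
    return ("FAIL" if failing else "PASS"), failing


def metric_unauthorized_user_accounts(all_users, admin_users, accounts):
    """Unauthorized User Accounts: M5 = non-admin users holding an admin account; FAIL if M6 > 0."""
    non_admin_users = set(all_users) - set(admin_users)   # Input 3
    adm, std = split_accounts(accounts)
    mapping = map_accounts(non_admin_users, adm, std)
    m5 = sorted(u for u, (a, _) in mapping.items() if a)
    return ("FAIL" if len(m5) > 0 else "PASS"), m5
```

Each function returns the verdict together with the offending user list, so the same run yields both the PASS/FAIL result and the remediation targets.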