Preface on Sub-Controls 4.2 and 4.3
The two metrics for sub-control 4.2 are:
- What percentage of credentials have been changed from the default value?
- What percentage of collected password policies comply with the organization’s password policies?
Sub-control 4.3 specifically checks that each user has a separate Administrator account for performing administrative functions. While there is no automated method for determining whether each user has been assigned a separate Administrator-level account, the methods of enumerating user accounts used for sub-control 4.2 help organizations meet the requirements of sub-control 4.3.
Sub-control 4.2 has inputs and processes that dive deep into calculating a score around the number of default account credentials per endpoint. Steps include manually creating a database of known default passwords, hashing these passwords, and comparing them to the stored hashes on each endpoint for each account. Then, you can calculate a score for each endpoint. Manually locating a trusted database of default credentials, creating hashed passwords, and comparing them to existing password hashes is a time-consuming endeavor for any organization.
The ultimate goal of these sub-controls is a score (or ratio) of zero: the number of default accounts on each endpoint is zero, so there are no default credentials. Active and passive scanning with Tenable products allows the organization to query a variety of systems. Organizations can verify whether or not default credentials exist and are installed on managed systems. Additionally, active scanning can provide organizations with a consistent, repeatable process for identifying credentials that have fallen out of policy guidelines (password complexity and password age). If all endpoints meet the defined password guidelines, there is little to no “manual” scoring requirement as part of sub-control 4.2, because all ratios would be zero. Any systems found with default credentials, or with credentials out of policy compliance, would be easily identified. The effort to capture and calculate the Inputs, Operations, and Measurements of the following sub-control would be greatly reduced, reducing overall cost and workload.
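The manual scoring process described above, worked through on constructed data as an added example (this is not Tenable code or plugin logic). It builds a small list of known default passwords, re-hashes each candidate with every account's own salt, compares against the stored hash, and produces the per-endpoint ratio that sub-control 4.2 asks for. The hash scheme (sha256 over salt and password), the host names, account names and the default-password list are all assumptions; a real audit must reuse each platform's actual hash algorithm and per-account salt, and a vetted default-credential database.

```python
"""Per-endpoint default-credential ratio for sub-control 4.2 (added example)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for a vetted default-credential database (assumption).
DEFAULT_PASSWORDS: List[str] = ["admin", "password", "changeme", "12345678"]


def hash_password(salt: str, password: str) -> str:
    """Stand-in for the endpoint's stored-hash format: sha256(salt || password).

    Real systems use their own formats (e.g. crypt-style hashes in /etc/shadow);
    the comparison must use the same algorithm the endpoint used.
    """
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def account_uses_default(salt: str, stored_hash: str, defaults: List[str]) -> bool:
    """True when the stored hash equals any known default hashed under this salt.

    Every account has its own salt, so each candidate is re-hashed per account;
    a single precomputed table of unsalted hashes would never match.
    """
    for candidate in defaults:
        if hmac.compare_digest(hash_password(salt, candidate), stored_hash):
            return True
    return False


def score_endpoint(accounts: Dict[str, Dict[str, str]], defaults: List[str]) -> dict:
    """Return the 4.2 score: accounts still on a default / all local accounts."""
    flagged = [name for name, rec in accounts.items()
               if account_uses_default(rec["salt"], rec["hash"], defaults)]
    total = len(accounts)
    ratio = len(flagged) / total if total else 0.0
    return {"total": total, "default_accounts": sorted(flagged), "ratio": ratio}


def audit(inventory: Dict[str, Dict[str, Dict[str, str]]],
          defaults: List[str] = DEFAULT_PASSWORDS) -> Dict[str, dict]:
    """Score every endpoint in the inventory; the target state is ratio 0.0 everywhere."""
    return {host: score_endpoint(accts, defaults) for host, accts in inventory.items()}


def build_sample_inventory() -> Dict[str, Dict[str, Dict[str, str]]]:
    """Constructed inventory (assumption): two endpoints with a few local accounts each."""
    def rec(salt: str, password: str) -> Dict[str, str]:
        return {"salt": salt, "hash": hash_password(salt, password)}

    return {
        "srv-01": {
            "root": rec("s1", "Tr0ub4dor&3"),
            "svc_backup": rec("s2", "changeme"),   # still on a default
            "admin": rec("s3", "admin"),           # still on a default
            "jdoe": rec("s4", "correct horse battery"),
        },
        "srv-02": {
            "root": rec("s5", "Z9!kq2Lm#"),
            "jdoe": rec("s6", "another-strong-one"),
        },
    }


if __name__ == "__main__":
    for host, result in audit(build_sample_inventory()).items():
        print(f"{host}: default accounts={result['default_accounts']} "
              f"ratio={result['ratio']:.2f}")
```

Run as-is to score the constructed inventory; srv-01 scores 0.50 (two of four accounts still on defaults) and srv-02 scores 0.00. Swapping `build_sample_inventory()` for a real export of salts and hashes, and `hash_password()` for the platform's own algorithm, turns this into the manual procedure the scanning plugins below replace.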
Helpful plugins for this sub-control are:
- 10860 SMB Use Host SID to Enumerate Local Users
- 95928 Linux User List Enumeration
- 95929 macOS and Mac OS X User List Enumeration
Nessus uses these plugins to enumerate all the users on a Windows, Linux, or macOS endpoint, providing the following plugin output. Follow the guidance if you need to alter the ID range.
Additional plugins to validate password policies are:
- 10900/10914 Microsoft Windows - User Information: Passwords Never Expire
- 10898 Microsoft Windows - User Information: Never Changed Password
- 83303 Unix/Linux - Local Users Information: Passwords Never Expire
Additionally, Nessus has compliance checks for password length and min/max password age for Linux, Solaris, HP-UX, and Mac OS X. Windows systems can be audited against password history and forced logoff.
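The second 4.2 metric (what percentage of collected password policies comply with the organization's policy), worked through as an added example that is not Tenable code and does not parse real plugin output. It models the conditions the plugins and compliance checks above report on: passwords that never expire, passwords never changed, and length, min/max age and history settings. The organization's thresholds, the host and account names, and the record field names are all constructed assumptions.

```python
"""Password-policy compliance ratio for sub-control 4.2 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OrgPolicy:
    """The organization's policy (constructed thresholds, assumption)."""
    min_length: int = 14
    max_age_days: int = 90
    min_age_days: int = 1
    history: int = 24


@dataclass(frozen=True)
class CollectedPolicy:
    """Effective policy collected from one endpoint (constructed fields)."""
    host: str
    min_length: int
    max_age_days: int   # 0 means passwords never expire
    min_age_days: int
    history: int


@dataclass(frozen=True)
class LocalAccount:
    """Per-account facts of the kind the 'never expire' / 'never changed' plugins report."""
    host: str
    name: str
    password_never_expires: bool
    last_changed_days_ago: Optional[int]   # None means the password was never changed


def evaluate_policy(collected: CollectedPolicy, org: OrgPolicy) -> List[str]:
    """Return the list of findings for one endpoint; an empty list means compliant."""
    findings: List[str] = []
    if collected.min_length < org.min_length:
        findings.append(f"min_length {collected.min_length} < {org.min_length}")
    if collected.max_age_days == 0:
        findings.append("passwords never expire")
    elif collected.max_age_days > org.max_age_days:
        findings.append(f"max_age_days {collected.max_age_days} > {org.max_age_days}")
    if collected.min_age_days < org.min_age_days:
        findings.append(f"min_age_days {collected.min_age_days} < {org.min_age_days}")
    if collected.history < org.history:
        findings.append(f"history {collected.history} < {org.history}")
    return findings


def policy_compliance(policies: List[CollectedPolicy], org: OrgPolicy) -> dict:
    """Percentage of collected policies that comply, plus the findings for those that do not."""
    results = {p.host: evaluate_policy(p, org) for p in policies}
    compliant = sum(1 for f in results.values() if not f)
    pct = 100.0 * compliant / len(results) if results else 100.0
    return {"percent_compliant": pct,
            "findings": {h: f for h, f in results.items() if f}}


def out_of_policy_accounts(accounts: List[LocalAccount], org: OrgPolicy) -> Dict[str, str]:
    """Accounts whose credential has fallen out of the age policy, keyed host/name -> reason."""
    stale: Dict[str, str] = {}
    for a in accounts:
        key = f"{a.host}/{a.name}"
        if a.password_never_expires:
            stale[key] = "password never expires"
        elif a.last_changed_days_ago is None:
            stale[key] = "password never changed"
        elif a.last_changed_days_ago > org.max_age_days:
            stale[key] = f"password age {a.last_changed_days_ago}d > {org.max_age_days}d"
    return stale


def sample_policies() -> List[CollectedPolicy]:
    """Constructed collected policies (assumption)."""
    return [
        CollectedPolicy("win-01", 14, 90, 1, 24),
        CollectedPolicy("lnx-01", 8, 0, 0, 0),      # unmanaged defaults, never expire
        CollectedPolicy("mac-01", 14, 180, 1, 24),  # max age too long
        CollectedPolicy("win-02", 14, 60, 1, 24),
    ]


def sample_accounts() -> List[LocalAccount]:
    """Constructed per-account records (assumption)."""
    return [
        LocalAccount("win-01", "jdoe", False, 30),
        LocalAccount("win-01", "svc_report", True, 400),
        LocalAccount("lnx-01", "deploy", False, None),
        LocalAccount("mac-01", "asmith", False, 120),
    ]


if __name__ == "__main__":
    org = OrgPolicy()
    summary = policy_compliance(sample_policies(), org)
    print(f"policies compliant: {summary['percent_compliant']:.0f}%")
    for host, findings in summary["findings"].items():
        print(f"  {host}: {', '.join(findings)}")
    for key, reason in out_of_policy_accounts(sample_accounts(), org).items():
        print(f"  {key}: {reason}")
```

On the constructed data two of four endpoint policies comply (50%), and three accounts are flagged for never expiring, never having been changed, or exceeding the maximum age; those are the same conditions plugins 10900/10914, 10898 and 83303 surface, so a clean scan run leaves this ratio at its target and removes the manual calculation.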