4.3: Ensure the Use of Dedicated Administrative Accounts
Sub-control 4.3 states that you must ensure all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Users | Protect | 1, 2, 3 |
Inputs
I1: The list of users defined as Administrators (all users who hold an administrative role).
I2: The list of user accounts for the users in I1.
I3: The list of users NOT defined as Administrators.
I4: The list of user accounts for the users in I3.
I5: The list of all user accounts.
I6: The list of all Administrative user accounts.
I7: The list of non-Administrative user accounts (user accounts that do not have administrator access).
Operations
Operation 1: For each user in I1, collect that user's Administrative user account(s) from I6 and non-Administrative user account(s) from I7.
Operation 2: For each user in I3, collect any Administrative user account for that user from I6 and the non-Administrative user account(s) from I7. An I3 user for whom I6 returns an Administrative account holds an account they are not authorized to have.
Measures
| Measure | Definition |
|---|---|
| M1 = List of Admin users | A list of all administrative users (I1). |
| M2 = Count of items in M1 | A count of the total number of items in M1. |
| M3 = List of users from Operation 1 | A list of all users identified from Operation 1, with the Administrative and non-Administrative accounts mapped to each. |
| M4 = Count of items in M3 | A count of the total number of items in M3. |
| M5 = List of users from Operation 2 | A list of the users identified from Operation 2, that is, the non-Administrative users for whom an Administrative user account was found in I6. |
| M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics

Administrative User Accounts
| Description | Calculation |
|---|---|
| Determines whether every user identified as Administrative-level has at least one Administrative-level and at least one non-Administrative-level user account. | The mapping from Operation 1 (M3) must show, for each Administrative-level user, at least 1 Administrative-level user account and at least 1 non-Administrative-level user account. If any Administrative-level user lacks either, this metric is a FAIL; otherwise PASS. |

Unauthorized User Accounts
| Description | Calculation |
|---|---|
| Identifies any non-Administrative-level users who have been assigned an Administrative-level user account. | If M6 > 0, then FAIL; otherwise PASS. |

Both metrics check that the right accounts exist and are assigned to the right people. They do not verify that elevated work is actually performed from the dedicated account rather than the everyday one; that usage requirement in the sub-control text needs a separate check (for example, reviewing logons to administrative interfaces by account type).
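The procedure above, carried through in code as an added example (this is not part of the CIS page and does not represent any particular tool). The user lists (I1, I3) and the account list (I5) are constructed sample data; I6 and I7 are derived from I5. The `owner` field linking an account to a person is an assumption: in a real directory that link usually comes from a naming convention or an attribute maintained by the identity process.

```python
"""Worked example of the sub-control 4.3 measurement procedure.

Added example with constructed data, not code from the CIS page. The
`owner` attribute is an assumed way of tying an account back to a user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str    # account name as it appears in the directory
    owner: str   # the person (user) the account belongs to (assumed attribute)
    admin: bool  # True if the account carries administrative rights


# --- Inputs (constructed sample data) ------------------------------------
# I1: users defined as Administrators; I3: everyone else.
I1_ADMIN_USERS = {"alice", "bob", "carol"}
I3_NON_ADMIN_USERS = {"dave", "erin"}

# I5: all user accounts. I6 and I7 are derived from it below.
I5_ALL_ACCOUNTS = [
    Account("alice", "alice", admin=False),
    Account("alice-adm", "alice", admin=True),   # alice: dedicated admin account
    Account("bob", "bob", admin=True),           # bob: single account, and it is admin
    Account("carol", "carol", admin=False),      # carol: admin user with no admin account
    Account("dave", "dave", admin=False),
    Account("dave-adm", "dave", admin=True),     # dave is NOT an admin user: unauthorized
    Account("erin", "erin", admin=False),
]


def derive_inputs(all_accounts):
    """I6 = Administrative accounts, I7 = non-Administrative accounts."""
    i6 = [a for a in all_accounts if a.admin]
    i7 = [a for a in all_accounts if not a.admin]
    return i6, i7


def map_accounts(users, i6, i7):
    """Operations 1 and 2: for each user, collect their admin and non-admin accounts."""
    return {
        u: {
            "admin": sorted(a.name for a in i6 if a.owner == u),
            "non_admin": sorted(a.name for a in i7 if a.owner == u),
        }
        for u in sorted(users)
    }


def measures(i1, i3, all_accounts):
    """Compute M1..M6 from the inputs."""
    i6, i7 = derive_inputs(all_accounts)
    op1 = map_accounts(i1, i6, i7)  # Operation 1 over I1
    op2 = map_accounts(i3, i6, i7)  # Operation 2 over I3
    m1 = sorted(i1)
    # M5: non-admin users for whom Operation 2 found an Administrative account
    m5 = {u: acc for u, acc in op2.items() if acc["admin"]}
    return {"M1": m1, "M2": len(m1), "M3": op1, "M4": len(op1), "M5": m5, "M6": len(m5)}


def metric_admin_accounts(m):
    """Metric 1: every admin user has >= 1 admin and >= 1 non-admin account."""
    failing = sorted(
        u for u, acc in m["M3"].items() if not (acc["admin"] and acc["non_admin"])
    )
    return ("FAIL" if failing else "PASS", failing)


def metric_unauthorized(m):
    """Metric 2: FAIL if M6 > 0, listing the offending non-admin users."""
    return ("FAIL" if m["M6"] > 0 else "PASS", sorted(m["M5"]))


if __name__ == "__main__":
    m = measures(I1_ADMIN_USERS, I3_NON_ADMIN_USERS, I5_ALL_ACCOUNTS)
    print("M2 =", m["M2"], "M4 =", m["M4"], "M6 =", m["M6"])
    print("Administrative User Accounts:", metric_admin_accounts(m))
    print("Unauthorized User Accounts:", metric_unauthorized(m))
```

With the sample data both metrics FAIL: bob and carol each lack one of the two required account types, and dave holds an Administrative account despite not being an Administrator. Returning the offending user names alongside the PASS/FAIL verdict is what turns the metric into an actionable finding.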