4.3: Ensure the Use of Dedicated Administrative Accounts

Sub-control 4.3 states that you must ensure all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

Asset Type Security Function Implementation Groups
Users Protect 1, 2, 3

Dependencies

  • None

Inputs

  1. The list of users defined as Administrators: All users who are Administrators.

  2. The list of user accounts for the users defined in Input 1: A list of all user accounts for I1.

  3. The list of users NOT defined as Administrators: All users who are not administrators.

  4. The list of user accounts for the users defined in Input 3: A list of all user accounts for I3.

  5. The list of all user accounts.: A list of all user accounts.

  6. The list of all Administrative user accounts: A list of all Administrative user accounts.

  7. The list of non-Administrative user accounts: Aa list of user accounts that do not have administrator access.

Operations

  1. For each user defined in I1, collect the Administrative user account for that user from I6 and the non-Administrative user account from I7.

  2. For each user defined in I3, collect any Administrative user account for that user from I6 and the non-Administrative user account from I7.

Measures

Measure Definition
M1 = List of Admin users

A list of all administrative users.

M2 = Count of items in M1 A count of the total number of items in M1.

M3 = List of users from Operation 1

A list of all users identified from Operation 1.

M4 = Count of items in M3

A count of the total number of items in M3.

M5 = List of users from Operation 2 A list of all users identified from Operation 2.
M6 = Count of items in M5 A count of the total number of items in M5.

Metrics

Administrative User Accounts

Metric Calculation
Determines whether those users identified as Administrative-level have at least one Administrative-level and one non-Administrative level user account. The mapping performed by Operation 1 must show that, for each Administrative-level user, at least 1 Administrative-level user account and at least 1 non-Administrative-level user account are available. Otherwise, this metric is a FAIL

Unauthorized User Accounts

Metric Calculation
Illustrates any non-Administrative-level users that have been assigned an Administrative-level user account. If M6 > 0, then FAIL; otherwise PASS