Restrict administrative access
Summary
If the system has an administration mechanism, it must only be accessible from administrative network segments.
Description
Network access to modules or system management mechanisms must be limited to the parties that require access to them (administrators). Personnel that does not have administrative needs, tasks or obligations should not have access to these mechanisms. Following this recommendation helps to fulfill the objective of reducing the attack surface of the above mentioned systems (since malicious third parties cannot attempt to directly access the system administration settings), and increases the level of confidentiality and availability of the system.
References
- CWE-419. Unprotected primary channel
- OWASP10-A1. Broken access control
- BIZEC-APP-04. Improper authorization (missing, broken, proprietary, generic)
- NYSHIELD-5575_B_6. Personal and private information
- MITRE-M1026. Privileged account management
- MITRE-M1030. Network segmentation
- MITRE-M1031. Network intrusion prevention
- MITRE-M1035. Limit access to resource over network
- PADSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
- PADSS-5_2_8. Improper access controls
- PADSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_4. Separation of duties
- CMMC-AC_L2-3_1_6. Non-privileged account use
- CMMC-CM_L2-3_4_5. Access restrictions for change
- CMMC-IA_L2-3_5_4. Replay-resistant authentication
- HITRUST-01_c. Privilege management
- HITRUST-01_n. Network connection control
- HITRUST-05_k. Addressing security in third party agreements
- FEDRAMP-AC-6_1. Least privilege - Authorize access to security functions
- FEDRAMP-AC-6_3. Least privilege - Network access to privileged commands
- ISO27002-8_3. Information access restriction
- OSSTMM3-11_15_3. Data networks security (privileges audit) - Escalation
- ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
- NIST800115-3_5. Network sniffing
- SWIFTCSC-1_2. Operating system privilege account control
- PCI-2_2_7. System components are configured and managed securely
- SIG-U_1_9_20. Server security
- OWASPAPI-API1. Broken Object Level Authorization
- SANS25-22. Improper Privilege Management
- SANS25-24. Incorrect Authorization
- ISO27001-8_3. Information access restriction
- OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE25-269. Improper Privilege Management
- CWE25-863. Incorrect Authorization
- NIST-PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan