033 – Restrict administrative access

Summary

If the system has an administration mechanism, it must only be accessible from administrative network segments.

Description

Network access to modules or system management mechanisms must be limited to the parties that require access to them (administrators). Personnel that does not have administrative needs, tasks or obligations should not have access to these mechanisms. Following this recommendation helps to fulfill the objective of reducing the attack surface of the above mentioned systems (since malicious third parties cannot attempt to directly access the system administration settings), and increases the level of confidentiality and availability of the system.

Supported In

Advanced: True

References

• CWE-419. Unprotected primary channel
• OWASP10-A1. Broken access control
• BIZEC-APP-04. Improper authorization (missing, broken, proprietary, generic)
• NYSHIELD-5575_B_6. Personal and private information
• MITRE-M1026. Privileged account management
• MITRE-M1030. Network segmentation
• MITRE-M1031. Network intrusion prevention
• MITRE-M1035. Limit access to resource over network
• PADSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
• PADSS-5_2_8. Improper access controls
• PADSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_6. Non-privileged account use
• CMMC-CM_L2-3_4_5. Access restrictions for change
• CMMC-IA_L2-3_5_4. Replay-resistant authentication
• HITRUST-01_c. Privilege management
• HITRUST-01_n. Network connection control
• HITRUST-05_k. Addressing security in third party agreements
• FEDRAMP-AC-6_1. Least privilege - Authorize access to security functions
• FEDRAMP-AC-6_3. Least privilege - Network access to privileged commands
• ISO27002-8_3. Information access restriction
• OSSTMM3-11_15_3. Data networks security (privileges audit) - Escalation
• ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
• NIST800115-3_5. Network sniffing
• SWIFTCSC-1_2. Operating system privilege account control
• PCI-2_2_7. System components are configured and managed securely
• SIG-U_1_9_20. Server security
• OWASPAPI-API1. Broken Object Level Authorization
• SANS25-22. Improper Privilege Management
• SANS25-24. Incorrect Authorization
• ISO27001-8_3. Information access restriction
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• CWE25-269. Improper Privilege Management
• CWE25-863. Incorrect Authorization
• NIST-PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions

Weaknesses

• 405 – Excessive privileges - Access Mode
• 054 – Exposed administrative services

Last updated

2024/03/05