095 – Define users with privileges

Summary

The users that will access the system with administrator or root privileges must be defined.

Description

Systems should have a set of roles with different levels of privilege to access resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. That includes the set of users that will have administrator or root privileges, as this should not be a default role.

Supported In

Essential: True

Advanced: True

References

• CAPEC-122. Privilege abuse
• CAPEC-233. Privilege escalation
• CIS-5_1. Establish and maintain an inventory of accounts
• CWE-250. Execution with unnecessary privileges
• CWE-266. Incorrect privilege assignment
• CWE-276. Incorrect default permissions
• CWE-285. Improper authorization
• CWE-497. Exposure of sensitive system information to an unauthorized control sphere
• HIPAA-164_308_a_3_i. Standard: workforce security
• HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
• NIST80053-AC-2_6. Dynamic privilege management
• NIST80053-AC-2_7a. Establish and administer privileged user accounts
• NIST80053-AC-2_7b. Monitor privileged role or attribute assignments
• NIST80053-AC-2_7c. Monitor changes to roles or attributes
• OWASP10-A1. Broken access control
• SOC2-CC6_2. Logical and physical access controls
• BIZEC-APP-04. Improper authorization (missing, broken, proprietary, generic)
• CERTC-FIO32-C. Do not perform operations on devices that are only appropriate for files
• NYSHIELD-5575_B_2. Personal and private information
• MITRE-M1024. Restrict registry permissions
• MITRE-M1026. Privileged account management
• MITRE-M1052. User account control
• MITRE-M1056. Pre-compromise
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_15. Privileged remote access
• CMMC-AU_L2-3_3_9. Audit management
• CMMC-SC_L2-3_13_3. Role separation
• HITRUST-01_c. Privilege management
• HITRUST-05_c. Allocation of information security responsibilities
• HITRUST-09_r. Security of system documentation
• FEDRAMP-AC-2_7. Account management - Role-based schemes
• FEDRAMP-CA-6. Security authorization
• FEDRAMP-PS-3_3. Personnel screening - Information with special protection measures
• FEDRAMP-RA-5_4. Privileged access
• ISO27002-8_2. Privileged access rights
• LGPD-23_I. Rules
• LGPD-46. Security and Secrecy of Data
• OSSTMM3-10_15_2. Telecommunications security (privileges audit) - Authorization
• OSSTMM3-11_9_2. Data networks security - Common configuration errors
• FERPA-D_35_a_2. Conditions of prior consent required to disclose information
• MVSP-4_2. Operational controls - Logical access
• OWASPSCP-5. Access control
• BSAFSS-IA_2-1. Policies to control access to data and processes
• NIST800171-1_4. Separate the duties of individuals
• NIST800171-1_7. Prevent non-privileged users from executing privileged functions
• SWIFTCSC-1_2. Operating system privilege account control
• C2M2-2_3_d. Management activities for the THREAT domain
• C2M2-3_5_d. Management activities for the RISK domain
• C2M2-4_1_h. Establish identities and manage authentication
• C2M2-9_5_h. Implement data security for cybersecurity architecture
• PCI-3_7_7. Prevention of unauthorized substitution of cryptographic keys
• PCI-6_5_4. Changes to all system components are managed securely
• PCI-8_2_4. User identification for users and administrators are strictly managed
• SIGLITE-SL_76. Are staff able to access client scoped data?
• SIG-H_2_15. Access control
• SIG-H_4_6_1. Access control
• SIG-H_4_6_3. Access control
• SIG-H_6_1. Access control
• SIG-I_1_18_3. Application security
• SIG-I_3_2_10. Application security
• SIG-P_8_2. Privacy
• SIG-U_1_6_1. Server security
• OWASPAPI-API1. Broken Object Level Authorization
• ISO27001-8_2. Privileged access rights
• CASA-13_1_4. Generic Web Service Security
• RESOLSB-Art_26_11_d. Information Security
• RESOLSB-Art_26_11_e. Information Security
• RESOLSB-Art_27_18. Security in Electronic Channels
• FISMA-AC-2_6. Dynamic privilege management
• FISMA-AC-2_7a. Establish and administer privileged user accounts
• FISMA-AC-2_7b. Monitor privileged role or attribute assignments
• FISMA-AC-2_7c. Monitor changes to roles or attributes
• CWE25-269. Improper Privilege Management
• CWE25-862. Missing authorization
• CWE25-863. Incorrect Authorization
• SANS25-11. Missing authorization
• SANS25-22. Improper Privilege Management
• SANS25-24. Incorrect Authorization

Weaknesses

• 159 – Excessive privileges
• 160 – Excessive privileges - Temporary Files
• 266 – Excessive Privileges - Docker
• 267 – Excessive Privileges - Kubernetes
• 325 – Excessive privileges - Wildcards
• 346 – Excessive privileges - Mobile App
• 430 – Serverless - one dedicated IAM role per function
• 031 – Excessive privileges - AWS

Last updated

2024/02/05