5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

Asset Type: Users

Security Function: Protect

Implementation Groups: 1, 2, 3

Dependencies

  • Safeguard 5.1: Establish and Maintain an Inventory of Accounts

Inputs

  1. GV22: Inventory of accounts

  2. List of users identified as administrators

Assumptions

  1. For the purpose of this control, a user identified as an administrator who has both an active administrative account and an active non-administrative account is assumed to have properly dedicated the administrative account to administrative tasks.

Operations

  1. Using GV22 and Input 2
    1. Identify and enumerate users identified as administrators with active administrator accounts (M1)

    2. Identify and enumerate users identified as administrators without active administrator accounts (M2)

    3. Identify and enumerate users not identified as administrators with active administrator accounts (M3)

  2. Using GV22 and output of Operation 1.1
    1. Identify and enumerate users identified as administrators that have an active non-administrative user account (M4)

    2. Identify and enumerate users identified as administrators that do not have an active non-administrative user account (M5)

Measures

  • M1 = Count of authorized administrative users with active administrator accounts

  • M2 = Count of authorized administrative users without active administrator accounts

  • M3 = Count of non-administrative users with active administrator accounts

  • M4 = Count of authorized administrative users with an active administrative and non-administrative account

  • M5 = Count of authorized administrative users with an active administrative account but without an active non-administrative account

  • M6 = Count of users identified as administrators (Input 2)

Metrics

Administrative User Accounts

Metric

The percentage of administrative users with both an administrative account
and a non-administrative account.

Calculation

M4 / M6

Unauthorized Administrative Accounts

Metric

The percentage of unauthorized administrative accounts

Calculation

M3 / (M1 + M3)
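The Operations, Measures and Metrics above amount to a set comparison between the account inventory (GV22) and the list of authorized administrators. The following Python script is an added example, not CIS tooling, that carries the procedure through end to end. It assumes the inventory records, for every account, the person who owns it, whether the account is privileged, and whether it is active; the `Account` fields, the sample inventory and the sample administrator list are all constructed for illustration.

```python
"""Compute the Safeguard 5.4 measures (M1..M6) and metrics from an account inventory.

Added example for this page, not CIS's own tooling. Assumes the account
inventory (GV22) carries, per account, the owning person, a privileged flag
and an active flag; the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Account:
    name: str         # account identifier, e.g. "alice-adm"
    owner: str        # person the account belongs to; the inventory must record this
    privileged: bool  # True if the account carries administrator rights
    active: bool      # False for disabled or expired accounts


def enumerate_users(inventory: Iterable[Account], admins: set[str]) -> dict[str, set[str]]:
    """Run Operations 1 and 2 and return the *people* behind each measure.

    Populations are sets of people, not accounts, because the operations
    enumerate users: a person with two active admin accounts counts once.
    """
    accounts = list(inventory)
    active_admin_holders = {a.owner for a in accounts if a.privileged and a.active}
    active_user_holders = {a.owner for a in accounts if not a.privileged and a.active}

    # Operation 1: authorized administrators versus active administrator accounts.
    m1 = admins & active_admin_holders   # authorized admin, admin account active
    m2 = admins - active_admin_holders   # authorized admin, no active admin account
    m3 = active_admin_holders - admins   # active admin account held by a non-admin

    # Operation 2: of the M1 population, who also has a dedicated non-admin account?
    m4 = m1 & active_user_holders
    m5 = m1 - active_user_holders
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5}


def compute_measures(inventory: Iterable[Account], admins: set[str]) -> dict[str, int]:
    """Return M1..M6 as defined in the Measures section (M6 is the size of Input 2)."""
    sets = enumerate_users(inventory, admins)
    measures = {k: len(v) for k, v in sets.items()}
    measures["M6"] = len(admins)
    return measures


def compute_metrics(m: dict[str, int]) -> dict[str, float | None]:
    """Apply the two calculations from the Metrics section.

    Returns None when a denominator is zero (no administrators, or no active
    administrator accounts at all) instead of reporting a misleading 0%.
    """
    dedicated = m["M4"] / m["M6"] if m["M6"] else None
    admin_account_holders = m["M1"] + m["M3"]
    unauthorized = m["M3"] / admin_account_holders if admin_account_holders else None
    return {
        "dedicated_admin_accounts": dedicated,
        "unauthorized_admin_accounts": unauthorized,
    }


# Constructed sample inventory and administrator list (not real data).
SAMPLE_INVENTORY = [
    Account("alice",     "alice", privileged=False, active=True),
    Account("alice-adm", "alice", privileged=True,  active=True),   # dedicated admin account: compliant
    Account("bob-adm",   "bob",   privileged=True,  active=True),   # admin with no daily-use account (M5)
    Account("carol",     "carol", privileged=False, active=True),
    Account("carol-adm", "carol", privileged=True,  active=False),  # admin account disabled (M2)
    Account("dave",      "dave",  privileged=False, active=True),
    Account("dave-adm",  "dave",  privileged=True,  active=True),   # dave is not an authorized admin (M3)
    Account("erin",      "erin",  privileged=False, active=True),
]
SAMPLE_ADMINS = {"alice", "bob", "carol"}


if __name__ == "__main__":
    people = enumerate_users(SAMPLE_INVENTORY, SAMPLE_ADMINS)
    measures = compute_measures(SAMPLE_INVENTORY, SAMPLE_ADMINS)
    print("Measures:", measures)
    print("Metrics:", compute_metrics(measures))
    # The two populations an operator actually acts on:
    print("Admins lacking a dedicated non-admin account (M5):", sorted(people["M5"]))
    print("Unauthorized holders of admin accounts (M3):", sorted(people["M3"]))
```

On the sample data the script reports M1=2, M2=1, M3=1, M4=1, M5=1, M6=3, giving 33% for both metrics. Two points worth noting when running this against a real inventory: the owner field is what ties a privileged account back to a person, so an inventory that lacks it cannot support Operation 2 at all; and the first calculation divides by all authorized administrators (M6), so administrators in M2, who have no active administrative account to dedicate, lower the percentage just as M5 does. The code follows the page's formula as written; separating the two populations is what the M2 and M5 measures are for.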