SANS Critical Control 12: Controlled Use of Administrative Privileges

In a system there is no privilege that is higher than administrative privileges. In Unix and Linux world, this is often referred as having “root” privileges with UID 0. In the Windows world, this is referred as having “local Admin” or “Domain Admin” privileges.

Due to their powerful permissions, these administrative credentials are sought after by the bad guys. These are indeed the final goal for all well determined attackers.

Administrative credentials can be obtained in different ways, including:

  • Obtain privileges of a non-privileges account and then escalate privileges to administrative account via an exploit or a default password;
  • Discover a default easily-guessable password for a default account with administrative privileges;
  • Exploit a vulnerability on a server running as a privileged account- usually a database.
  • Capturing password hashes for an administrative account over the network or compromising another host in the network and “passing” those hashes to gain administrative privileges.

The SANS Control #12 deals with “The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.”

The following five steps are those to implement the Control # 12:

Step 1: Production systems use proper authentication systems

Step 2: Standard and administrative user accounts use proper authentication systems

Step 3: Standard and administrative user accounts properly managed via group memberships

Step 4: Administrative access to systems properly logged via log management systems

Step 5: Password assessment system validates the strength of the authentication systems.

Unified VRM has many powerful ways to verify that the implementation of controls of administrative credentials has been carried out, including:

  • Through the Unified VRM Configuration module, best-practice configuration baselines can be tested on key organization’s infrastructure servers, including Domain Controllers, Active Directory Servers, DNS Servers, DHCP servers and more to make sure that the Group Policy are appropriately applied so to limit the administrative privileges to only a few custom accounts, that the default account “Administrator” is disabled, that appropriate password policies in implemented in terms of length, complexity and enforcing change period.
  • Through the Unified VRM Internal assessment module, vulnerabilities in Unix / Linux and Windows platforms can be discovered so that they can be fixed prior to the bad guys taking advantage of them.
  • Through network assessment modules, scan templates can be configured to test the strength of passwords for particular privileged accounts, including root via SSH and the infamous account “Administrator” which should be disabled in production environments.
  • Detect and monitor the usage of default privileged accounts, including the MS SQL Server “sa” account, which might be un-passworded or having an easily guessable password.
  • Through the web application module, test the strength of web application administrative front-end password.
  • Through an appropriately configured scan template, periodically scanning key system for password files modifications which might an indication of host compromise.