SANS Critical Control 16: Account Monitoring and Control

Have you ever considered what is the venue most attackers use to infiltrate target systems? In terms of percentage, certainly default privileged accounts with default or easily guessable passwords get the lion’s share.

Protecting privileged user and administrative accounts is very important to prevent widespread intrusions. Domain admin accounts, default administrative accounts, guest accounts, contractors’ accounts needs to be protected with appropriate passwords, password expirations and monitored for appropriate use. Dormant accounts needs to be disabled after a reasonable amount of time and default administrative account (such as “administrator”) needs to be renamed.

SANS Critical Control 16 deals with protection and monitoring of privileged user accounts and with the domain group policies to appropriately protect and monitor such accounts.

Unified VRM internal and configuration modules can help in several ways accomplishing this control:

The internal assessment module, with its authenticated scan capabilities, helps determine the target host group policies in terms of default account enablement, no or easily guessable password on default account, password expiration, account lockout policy, policy on password renewal, activity logging and auditing. This can be accomplish with both the standard network scanner as well as with the OVAL scanning capabilities.
The configuration review module (with authenticated standard scan and XCCDF capabilities) enable the administrator to review target host configurations against best practices standards, such as XCCDF, NIST, compliance standards, and more.
Unified VRM can also help auditing password strength against various dictionary sizes, especially for the administrative privilege accounts which might allow an attacker to mount a widespread attack over the entire internal network.
Moreover, even local administrative accounts are important and worth to be protected. If a local administrative gets compromised and a domain administrative accounts ever logged into the same host, password hashes can be downloaded and passed without the need to be decrypted to allow login to the Domain Controller for example, in an attack called “Pass the Hash”.

So no account is non-important in the eyes of a motivated attacker.