800-53|AC-6(5)

Title

PRIVILEGED ACCOUNTS

Description

The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].

Supplemental

Privileged accounts, including super user accounts, are typically described as system administrator accounts for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information and functions. Organizations may differentiate, in the application of this control enhancement, between the privileges allowed for local accounts and for domain accounts, provided that organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

Reference Item Details

Related: CM-6

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.3 Ensure that between two and four global admins are designated | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0
1.1.3.17.1 Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.14 Ensure that the admin.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.2.1 Set 'privilege 1' for local users - 'All users have encrypted passwords' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.1 Set 'privilege 1' for local users - 'No users with privileges 2-15' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4 Ensure no 'root' user account access key exists - 'Access Key 1' | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.4 Ensure no 'root' user account access key exists - 'Access Key 2' | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5 Ensure Interactive Login is Disabled | Unix | CIS MySQL 8.0 Enterprise Linux OS L2 v1.2.0
1.6 Ensure Administrative accounts are separate, unassigned, and cloud-only | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0
1.7 Eliminate use of the 'root' user for administrative and daily tasks | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2
1.11 Do not setup access keys during initial user setup for all IAM users that have a console password | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.21 Ensure that no custom subscription owner roles are created - Action Types | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2
1.21 Ensure that no custom subscription owner roles are created - Assignable Scope | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2
10.3 Set Default Group for root Account | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
13.5 Verify No UID 0 Accounts Exist Other Than root | Unix | CIS Debian Linux 7 L1 v1.0.0
13.5 Verify No UID 0 Accounts Exist Other Than root | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed - DllName | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG