800-53|AC-6(8)

Title

PRIVILEGE LEVELS FOR CODE EXECUTION

Description

The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.

Supplemental

In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.

Reference Item Details

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.3.17.5 Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 2.3.5.1 Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) - Disabled | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0 |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 2.3.17.4 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0 |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 |
| 2.9 Isolate BIND with chroot'ed Subdirectory | Unix | CIS BIND DNS v3.0.1 Caching Only Name Server |
| 2.9 Isolate BIND with chroot'ed Subdirectory | Unix | CIS BIND DNS v3.0.1 Authoritative Name Server |
| 2.16.1 - General permissions management - 'no SUID or SGID files exist' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |
| 4.1.12 Ensure use of privileged commands is collected | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0 |
| 4.1.12 Ensure use of privileged commands is collected | Unix | CIS SUSE Linux Enterprise Workstation 11 L2 v2.1.0 |
| 4.1.12 Ensure use of privileged commands is collected | Unix | CIS SUSE Linux Enterprise Server 11 L2 v2.1.0 |
| 4.1.12 Ensure use of privileged commands is collected | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0 |
| 4.16.1 General Permissions Management - suid and sgid files and programs | Unix | CIS IBM AIX 7.1 L2 v1.1.0 |
| 6.1.11 Audit SUID executables | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 6.1.11 Audit SUID executables | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 6.1.12 Audit SGID executables | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.0 |
| 6.1.12 Audit SGID executables | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.0 |
| 6.1.13 Audit SUID executables | Unix | CIS Amazon Linux v2.1.0 L1 |
| 12.10 Find SUID System Executables | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 |
| 12.10 Find SUID System Executables | Unix | CIS Debian Linux 7 L1 v1.0.0 |
| 12.11 Find SGID System Executables | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0 |
| 12.11 Find SGID System Executables | Unix | CIS Debian Linux 7 L1 v1.0.0 |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 MS |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0 |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 |
| 18.6.2 Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |