10 Steps: Managing User Privileges
Updated 16 January 2015
1. Summary
It is good practice for an organisation to manage the access privileges that users have to an Information and Communications Technologies (ICT), the information it holds and the services it provides. All users of ICT systems should only be provided with the privileges that they need to do their job. This principle is often referred to as ‘Least Privilege’. A failure to manage user privileges appropriately may result in an increase in the number of deliberate and accidental attacks.
2. What is the risk?
Businesses and organisations should understand what access employees need to information, services and resources in order to do their job. Otherwise they will not be able to grant ICT system rights and permissions to individual users or groups of users that are proportionate to their role within the organisation. Failure to effectively manage user privileges could result in the following risks being realised:
Misuse of privileges
Authorised users can misuse the privileges assigned to them to either deliberately or accidentally compromise ICT systems. For example to make unauthorised changes to the configuration of systems, leading to a loss of the confidentiality, integrity or availability of information or ICT systems
Increased attacker capability
Attackers will use unused or compromised user accounts to carry out their attacks and, if allowed to, they will return and reuse the compromised account on numerous occasions, or sell the access to others. The system privileges provided to the original user of the compromised account will be available to the attacker to use. Ultimately attackers will seek to gain access to root or administrative accounts to allow them full access to all system information, services and resources
Negating established security controls
Where attackers have privileged access to ICT systems they will attempt to cover their tracks by making changes to security controls or deleting accounting and audit logs so that their activities are not detected
3. How can the risk be managed?
3.1 Set up a personnel screening process
All users need to undergo some form of pre-employment screening to a level that is commensurate with the sensitivity of the information they will have access to.
3.2 Establish effective account management processes
Corporate processes and procedures should manage and review user accounts from creation and modification through to eventual deletion when a member of staff leaves. Unused or dormant accounts, perhaps provided for temporary staff or for testing purposes, should be removed or suspended in-line with corporate policy.
3.3 Establish policy and standards for user identification and access control
The quality of user passwords and their lifecycle should be determined by a corporate policy. Ideally they should be machine generated, randomised passwords. If this is not possible, password complexity rules should be enforced by the system. For some ICT systems an additional authentication factor (such as a physical token) may be necessary and this should be identified in the risk assessment. Access controls should be allocated on the basis of business need and ‘Least Privilege’.
3.4 Limit user privileges
Users should only be provided with the rights and permissions to systems, services, information and resources that they need to fulfil their business role.
3.5 Limit the number and use of privileged accounts
Strictly control the number of privileged accounts for roles such as system or database administrators. Ensure that this type of account is not used for high risk or day to day user activities, for example to gain access to external email or browse the Internet. Provide administrators with normal accounts for business use. The requirement to hold a privileged account should be reviewed more frequently than ‘standard user’ accounts.
3.6 Monitor all users
Monitor user activity, particularly all access to sensitive information and the use of privileged account actions, such as the creation of new user accounts, changes to user passwords or the deletion of accounts and audit logs.
3.7 Limit access to the audit system and the system activity logs
Activity logs from network devices should be sent to a dedicated accounting and audit system that is separated from the core network. Access to the audit system and the logs should be strictly controlled to preserve the integrity and availability of the content and all privileged user access recorded.
3.8 Educate users and maintain their awareness
Without exception, all users should be aware of the policy regarding acceptable account usage and their personal responsibility to adhere to corporate security policies and the disciplinary measures that could be applied for failure to do so.