Restriction of Administrative Privileges
Restricting administrative privileges is one of the most effective mitigation strategies in ensuring the security of systems. Users with administrative privileges within an organisation’s ICT enterprise are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information. Domain administrators have similar capability for an entire network domain, including all workstations, servers and services on an organisation’s network.
Restricting Administrative Privileges
It is recommended that administrative privileges are validated when first requested.
It is recommended that the organisation implements a written policy to define the role and responsibilities of the administrator, that prohibits administrators from reading email, browsing the web and obtaining files via online services.
Administrative privileges should not be granted to all users within the domain and should be limited to those personnel who require administrative access. Further, it is recommended that administrative privileges are re-validated on an annual basis.
Local administrative privileges should not be granted to users on their local machine and should be limited to those personnel who require administrative access. Further, it is recommended that administrative privileges are re-validated on an annual basis.
Implementation Outcome
Privileged access to systems, applications and data repositories is validated when first requested. Policy security controls are used to prevent privileged users from reading emails, browsing the web and obtaining files via online services