M_User Access Control : FAQ
| QUESTION | ANSWER |
|---|---|
What is the difference between a user and an admin account? | A user account is a standard account with limited control over a device or system. An admin (administrator) account is an account which has a high level of access and control (for example it can create, modify or delete accounts, change system settings, and install software). |
What happens if a member of staff needs an admin account for their job role? | They can be provided with an admin account as long as you ensure the following: |
Why is user access control important? | Every person with an account in your organisation has some level of access to your data and services. By controlling how much access they have you can reduce the risk of data being stolen or damaged. |
What is meant by a ‘user account’? | A user account is a standard account with a low level of privilege. This means that it cannot, for example, install software, change system settings, or create new accounts. Such privileges are reserved for admin accounts. |
What is meant by an ‘admin account’? | An admin or administrator account is an account with a high level of control over a system. This means that the potential for damage is higher if such an account is compromised. Therefore you should treat this type of account with care and only use them for necessary purposes. |
Why should I not use my admin account for day-to-day work or accessing the internet? | A common cyber attack involves trying to install malicious software (malware) onto a device, for example by tricking the user into opening an email attachment or visiting a website. Only admin accounts are allowed to install software, so if the attempt is made while a user account is in use it is unlikely to succeed. This is why you should not use your admin account to access email or websites: if you make a mistake and accidentally click on something malicious, the risk of compromise is far higher. |
Are PIM and PAM considered compliant for Cyber Essentials? | PIM and PAM are ways of controlling user access to systems. PIM (Privileged Identity Management) is concerned with who has access to what. PAM (Privileged Access Management) is concerned with how access is granted. There are many ways of implementing PIM and PAM, and many different vendors provide solutions which carry out these functions. When PIM and PAM are used, it is usually in the context of elevating a user’s privileges in order to carry out an administrative task. A machine running with admin privileges poses significant risks to security. Admin privileges mean that users can install software, change configurations, and make other changes to a system that may impact security. Consider the case of a user inadvertently clicking on a malicious link which attempts to install malware. If the machine is running in user mode, it will not have the required privileges to install software, and the attack will fail. On the other hand, if the machine is running in admin mode, malicious software such as ransomware or spyware could be installed with potentially disastrous consequences. The important distinction for Cyber Essentials is between ‘just enough’ access and ‘just in time’ access. Just enough is considered an acceptable approach, whereas just in time is not. Assessors must check how a PIM or PAM solution is configured to ascertain whether or not it is compliant with the Cyber Essentials Requirements. |
Is password complexity a requirement for Cyber Essentials? | No. Using password complexity is not a requirement but we would encourage the use of three random words. |
Is brute force device locking now mandatory? What are the requirements if so? | You'll need to use either throttling of login attempts or account locking after 10 unsuccessful attempts to protect against brute force attacks. |
Are shared accounts permissible under certain circumstances, such as a shared third-party web application account? Or are they not allowed at all? | Shared accounts are not compliant with the Cyber Essentials scheme. The use of unique accounts is required for all users and administrators. As stated in the Cyber Essentials Requirements, you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks required for the user to perform their role. |
When using third-party cloud services (such as MS365) is it acceptable to use one centralised mobile device owned by one user to retrieve the authentication code, even if there are various users using the system? | It's acceptable but perhaps not advisable. For example - what happens if you lose the phone? You would need to consider various scenarios and what might happen if problems occurred. |
Why the need for controls on personally-owned devices accessing virtual desktops as clients? | Client access software must run on a supported operating system and must be kept up to date with the latest security updates. There are known commodity attacks against devices that access those sessions, including screen recording of the sessions, so such devices must remain in scope. |
Why is it important to have separate user and admin accounts? | Because admin accounts provide far greater control over the device, any attack which compromises an admin account can have more serious effects. Consider the scenario where a user is logged in to a user account and clicks on a malicious link. The link may attempt to install malicious software such as ransomware or spyware onto the device. However, because a user account does not have sufficient privileges to install software, the attempt would fail. But if the logged-in account was an admin account, the software installation could succeed and the attacker could then take control of the machine and carry out any number of damaging activities. That is why day-to-day activities should be done using a user account, and admin accounts must not be used to access the internet or email. |
If an organisation has a policy that we do not allow personally-owned devices, is a technical control needed to stop unauthorised devices from connecting? | A common solution is to monitor your cloud services and only allow connections from authorised devices supplied by the organisation. Asset management plays a role here, as you need to understand how, and which, devices are connecting to your cloud services. |
Why the need for controls on personally-owned devices accessing virtual desktops as clients? | There are known commodity attacks against such devices which try to access or screen record sessions, so therefore they must remain in scope. Client access software must be running on a supported operating system and the software must be kept up to date with the latest security updates. |
While admin accounts shouldn't be used on a day-to-day basis, what about when admin privileges are temporarily needed to install software or run scripts? | All admin accounts need to be approved by a person of authority. |
Some developers need local admin access to compile, debug and check in source code changes using their standard account. Would this fail the Cyber Essentials assessment and if so, how do organisations manage their local admin privilege needs for development team members? | It would not automatically fail a Cyber Essentials assessment, but it would be an issue if certifying for Cyber Essentials Plus. Account separation is a core control and if this can't be achieved, we would suggest de-scoping the developer network by creating a subset using a firewall or VLAN. |
If we have a generic account used by a few people, which is managed using an auto-lock and a fingerprint reader, would this be compliant with Cyber Essentials? | Shared accounts are not compliant with the Cyber Essentials scheme. The use of unique accounts is required by all users and administrators - you need to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, devices and networks required for them to perform their role. |
Does a 'break glass' account need to have MFA applied or would it be out of scope? | Break glass accounts should still have a form of MFA applied, but should use an alternative method of MFA to other users. An example of MFA for a break glass account could be logging into it from a trusted managed device. |
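The brute force answer in the table above ("throttling or account locking after 10 attempts") describes a control without showing one. The following is an added example, not code from the FAQ or from the Cyber Essentials scheme: a per-account login guard that combines a sliding-window throttle with a hard lockout after ten consecutive wrong passwords. Only the figure of 10 attempts comes from the page; the lockout duration, the window size, the per-window limit, the account name and the stand-in password check are assumptions chosen for the example. The clock is injectable so the scenario at the bottom is deterministic.

```python
"""Brute-force protection for an authentication endpoint (added example).

Two controls are combined: a sliding-window throttle on how many attempts an
account may make in a period, and a hard lockout once MAX_FAILURES consecutive
wrong passwords are seen. Only MAX_FAILURES = 10 is taken from the page; the
other policy values are assumptions for this example.
"""
from dataclasses import dataclass, field
import time

MAX_FAILURES = 10           # from the page: lock after 10 unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration
MAX_PER_WINDOW = 5          # assumed throttle: at most 5 processed attempts ...
WINDOW_SECONDS = 60         # ... per rolling 60 seconds


@dataclass
class AccountState:
    failures: int = 0                              # consecutive wrong passwords
    locked_until: float = 0.0                      # clock value; 0 means not locked
    attempts: list = field(default_factory=list)   # timestamps of processed attempts


class LoginGuard:
    """Per-account throttle and lockout; the clock is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def gate(self, username: str) -> str:
        """Decide before the password is checked: 'ok', 'locked' or 'throttled'."""
        st, now = self._state(username), self.clock()
        if now < st.locked_until:
            return "locked"
        st.attempts = [t for t in st.attempts if t > now - WINDOW_SECONDS]
        if len(st.attempts) >= MAX_PER_WINDOW:
            return "throttled"      # rejected without touching the failure counter
        st.attempts.append(now)
        return "ok"

    def record_failure(self, username: str) -> str:
        st = self._state(username)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "wrong_password"

    def record_success(self, username: str) -> None:
        st = self._state(username)
        st.failures = 0
        st.locked_until = 0.0


def attempt_login(guard: LoginGuard, username: str, password: str, verify) -> str:
    """Full login flow: gate, then verify the password, then update the counters."""
    decision = guard.gate(username)
    if decision != "ok":
        return decision
    if verify(username, password):
        guard.record_success(username)
        return "authenticated"
    return guard.record_failure(username)


class FakeClock:
    """Deterministic clock so the scenario below behaves the same every run."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> list[str]:
    """Constructed scenario: 12 wrong guesses ten seconds apart, then the real password."""
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    verify = lambda user, pw: pw == "correct horse"   # constructed stand-in password check
    outcomes = []
    for i in range(12):
        outcomes.append(attempt_login(guard, "alice", f"guess-{i}", verify))
        clock.advance(10)
    outcomes.append(attempt_login(guard, "alice", "correct horse", verify))  # still locked
    clock.advance(LOCKOUT_SECONDS)
    outcomes.append(attempt_login(guard, "alice", "correct horse", verify))  # lock has expired
    return outcomes


if __name__ == "__main__":
    for i, outcome in enumerate(run_scenario()):
        print(i, outcome)
```

In the scenario the sixth guess is throttled (five processed attempts already sit inside the 60-second window), the tenth wrong password locks the account, and the correct password is refused until the lockout expires. Throttled attempts are rejected before the password is checked, so they neither consume a failure nor leak whether the password was right.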
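The answer about personally-owned devices in the table above recommends monitoring cloud services and allowing connections only from authorised, organisation-supplied devices, with asset management telling you which device is which. The following is an added example, not code from the FAQ or from any cloud provider: it runs a simple detection over constructed sign-in log lines, comparing the device identifier in each successful sign-in against an asset register. The log format, field names, device identifiers, user names and IP addresses are all constructed for illustration and do not follow any vendor's schema.

```python
"""Flag cloud sign-ins from devices that are not in the asset register (added example).

The JSON-lines log format, its field names and every value below are constructed
for this example; they are not a real vendor's sign-in schema.
"""
import json

# Constructed asset register: device id -> user the device was issued to.
MANAGED_DEVICES = {
    "LAP-0001": "alice",
    "LAP-0002": "bob",
}

# Constructed sample of cloud sign-in events, one JSON object per line.
SIGNIN_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "alice", "device_id": "LAP-0001", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-03-01T08:05:40Z", "user": "bob", "device_id": "LAP-0002", "result": "success", "ip": "203.0.113.11"}
{"ts": "2024-03-01T09:17:03Z", "user": "bob", "device_id": "", "result": "success", "ip": "198.51.100.7"}
{"ts": "2024-03-01T12:44:59Z", "user": "alice", "device_id": "PHONE-9A1", "result": "success", "ip": "198.51.100.23"}
{"ts": "2024-03-01T13:01:12Z", "user": "carol", "device_id": "LAP-0001", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-03-01T13:02:45Z", "user": "dave", "device_id": "LAP-0099", "result": "failure", "ip": "192.0.2.5"}
"""


def classify(event: dict):
    """Return None if the sign-in came from the device issued to that user, else a reason."""
    device = event.get("device_id") or ""
    if not device:
        # No identifier at all: typically an unregistered or personal device.
        return "no device identifier (unregistered or personal device)"
    owner = MANAGED_DEVICES.get(device)
    if owner is None:
        return f"device {device} not in asset register"
    if owner != event.get("user"):
        # A managed device used by someone it was not issued to still merits a look.
        return f"device {device} is assigned to {owner}, used by {event.get('user')}"
    return None


def find_unauthorised(log_text: str, successful_only: bool = True) -> list:
    """Parse the JSON-lines log and return one alert per suspicious sign-in."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if successful_only and event.get("result") != "success":
            continue   # a failed sign-in never granted access; review those separately
        reason = classify(event)
        if reason:
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "ip": event.get("ip", ""), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorised(SIGNIN_LOG):
        print(f"{alert['ts']} {alert['user']:<6} {alert['ip']:<15} {alert['reason']}")
```

Run against the constructed log, the check raises three alerts: bob's sign-in with no device identifier, alice's sign-in from an unregistered phone, and carol signing in from a laptop issued to alice. The failed sign-in from the unknown device LAP-0099 is skipped by default because it granted no access; pass `successful_only=False` to include failures when you want to see attempts as well as successes.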