The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
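As an added example that is not part of the CIS control text, the following Python script shows the detection logic behind the last two sub-controls, run over constructed, simplified Windows Security event lines. The event IDs are real (4728/4732/4756 member added to a group, 4729/4733/4757 member removed, 4625 failed logon); the administrative group list, the dedicated admin account list and the one-line log layout are assumptions.

```python
import re
from collections import Counter

# Windows Security event IDs: member added to / removed from a security-enabled group
GROUP_ADD_EVENTS = {4728, 4732, 4756}     # global, local, universal group
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}
MEMBERSHIP_EVENTS = GROUP_ADD_EVENTS | GROUP_REMOVE_EVENTS
FAILED_LOGON_EVENT = 4625

# Assumption: groups this organization treats as carrying administrative privileges,
# and the dedicated admin accounts taken from the inventory of sub-control 4.1.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"CORP\\adm-jsmith", "CORP\\adm-ops"}

# Assumption: a simplified one-line layout, EventID=<n> followed by key="value" pairs.
LINE_RE = re.compile(r'EventID=(?P<id>\d+)\s*(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    # Return the event as a dict, or None for lines that do not match the layout.
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["EventID"] = int(m.group("id"))
    return fields

def alerts_for(lines):
    """Return the alerts sub-controls 4.8 and 4.9 call for, plus failed-logon counts."""
    alerts, failed = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparsable line: skipped here, a real pipeline would count these too
        eid = ev["EventID"]
        if eid in MEMBERSHIP_EVENTS and ev.get("TargetGroup") in ADMIN_GROUPS:
            action = "added to" if eid in GROUP_ADD_EVENTS else "removed from"
            alerts.append(f"{ev.get('Member')} {action} {ev['TargetGroup']} by {ev.get('Subject')}")
        elif eid == FAILED_LOGON_EVENT and ev.get("TargetAccount") in ADMIN_ACCOUNTS:
            failed[ev["TargetAccount"]] += 1
            alerts.append(f"failed logon to admin account {ev['TargetAccount']} from {ev.get('Source')}")
    return alerts, dict(failed)

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = [
    'EventID=4732 Subject="CORP\\jdoe" Member="CORP\\svc-backup" TargetGroup="Administrators"',
    'EventID=4732 Subject="CORP\\jdoe" Member="CORP\\intern" TargetGroup="Remote Desktop Users"',
    'EventID=4625 TargetAccount="CORP\\adm-jsmith" Source="WS-042"',
    'EventID=4625 TargetAccount="CORP\\adm-jsmith" Source="WS-042"',
    'EventID=4729 Subject="CORP\\jdoe" Member="CORP\\svc-backup" TargetGroup="Domain Admins"',
    'not a security event',
]
```

The membership change to "Remote Desktop Users" produces no alert because that group is not in the administrative set, while the two failed logons to the dedicated admin account are both raised and counted per account.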