Users with administrative privilege must be documented and have separate accounts for administrative duties and normal operational tasks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-1140 | 1.006 | SV-24997r3_rule | High |
| Description |
|---|
| Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges. The rule of least privilege must always be enforced. |
| STIG | Date |
|---|---|
| Windows 7 Security Technical Implementation Guide | 2018-02-12 |
Details
| Check Text ( C-62059r2_chk ) |
|---|
| Verify the following: The necessary documentation that identifies members of the Administrators group exists with the ISSO. Each user with administrative privileges has been assigned a unique administrator account, separate from the built-in "Administrator" account. Each user with administrative privileges has a separate account for performing normal (non-administrative) functions. Administrators must be properly trained before being permitted to perform administrator duties. Use of the built-in Administrator account must not be allowed. If any of these conditions are not met, this is a finding. |
| Fix Text (F-66957r2_fix) |
|---|
| Create necessary documentation that identifies members of the Administrators group, to be maintained with the ISSO. Create unique administrator accounts, separate from the built-in "Administrator" account for each user with administrative privileges. Create separate accounts for performing normal (non-administrative) functions for each user with administrative privileges. Properly train users with administrative privileges. Do not allow the use of the built-in Administrator account. |