
Policy must require that no web browser be run by an administrative user account, except as necessary for local service administration. Administrative accounts must not be used for email.


Overview

Finding ID: V-36660
Version: WN08-00-000005-03
Rule ID: SV-48277r1_rule
IA Controls: ECLP-1
Severity: High
Description
If a web browser flaw is exploited while the browser is running as a privileged user, the entire system could be compromised. Because administrative user accounts can generally change or work around technical restrictions on running a web browser, it is essential that policy require that web browsers not be run by administrative users. Email is also a common attack vector for introducing malicious code, so email clients must not be run under an administrative user account either. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, its services, or attached devices.
STIG: Windows 8 Security Technical Implementation Guide
Date: 2013-02-15

Details

Check Text (C-44955r1_chk)
Determine if site policy prohibits the use of web browsers by administrative user accounts, except as necessary for local service administration. Determine if site policy prohibits the use of email clients by administrative user accounts. If it does not, this is a finding.
Fix Text (F-41412r1_fix)
Establish site policy to prohibit the use of web browsers and email clients by administrative user accounts. Ensure the policy is enforced.