Restrict administrative access

Summary

If the system has an administration mechanism, it must only be accessible from administrative network segments.

Description

Network access to modules or system management mechanisms must be limited to the parties that require access to them (administrators). Personnel that does not have administrative needs, tasks or obligations should not have access to these mechanisms. Following this recommendation helps to fulfill the objective of reducing the attack surface of the above mentioned systems (since malicious third parties cannot attempt to directly access the system administration settings), and increases the level of confidentiality and availability of the system.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🔴
Squad	🟢

References

• CWE™-419. Unprotected primary channel
• OWASP TOP 10-A1. Broken access control
• NIST Framework-PR_AC-6. Identities are proofed and bound to credentials and asserted in interactions
• BIZEC-APP-APP-04. Improper authorization (missing, broken, proprietary, generic)
• NY SHIELD Act-5575_B_6. Personal and private information
• MITRE ATT&CK®-M1026. Privileged account management
• MITRE ATT&CK®-M1030. Network segmentation
• MITRE ATT&CK®-M1031. Network intrusion prevention
• MITRE ATT&CK®-M1035. Limit access to resource over network
• PA-DSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
• PA-DSS-5_2_8. Improper access controls
• PA-DSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_6. Non-privileged account use
• CMMC-CM_L2-3_4_5. Access restrictions for change
• CMMC-IA_L2-3_5_4. Replay-resistant authentication
• HITRUST CSF-01_c. Privilege management
• HITRUST CSF-01_n. Network connection control
• HITRUST CSF-05_k. Addressing security in third party agreements
• FedRAMP-AC-6_1. Least privilege - Authorize access to security functions
• FedRAMP-AC-6_3. Least privilege - Network access to privileged commands
• ISO/IEC 27002-8_3. Information access restriction
• OSSTMM3-11_15_3. Data networks security (privileges audit) - Escalation
• ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
• NIST 800-115-3_5. Network sniffing
• SWIFT CSCF-1_2. Operating system privilege account controls
• PCI DSS-2_2_7. System components are configured and managed securely
• SIG Core-U_1_9_20. Server security
• OWASP API Security Top 10-API1. Broken Object Level Authorization
• SANS 25-16. Missing Authorization
• SANS 25-18. Missing Authentication for Critical Function
• ISO/IEC 27001-8_3. Information access restriction

Vulnerabilities

• 054. Exposed administrative services
• 405. Excessive privileges - Access Mode

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.