Cyber Essentials Access Control Explained
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services, and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Check what privileges your accounts have. Accounts with administrative privileges should only be used to perform administrative tasks, and standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges, you cut down on the chance that an admin account will be compromised. This is important because an attacker gaining unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.
Access Control—What Cyber Essentials Requires
Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled.
User access control
This applies to: Desktop computers, laptop computers, tablets, mobile phones, and email, web, and application servers
Ensure user accounts:
- Are assigned to authorised individuals only
- Provide access to only those applications, computers, and networks actually required for the user to perform their role
Every active user account in your organisation facilitates access to devices, applications, and sensitive business information. By ensuring that only authorised individuals have user accounts, and that they are granted only as much access as they need to perform their role, you reduce the risk of information being stolen or damaged.
Compared to normal user accounts, accounts with special access privileges have enhanced access to devices, applications, and information. When such accounts are compromised, their greater freedoms can be exploited to facilitate large-scale corruption of information, disruption to business processes, and unauthorised access to other devices in the organisation.
Administrative accounts are especially highly privileged, for example. Such accounts typically allow:
- Execution of software that has the ability to make significant and security relevant changes to the operating system
- Changes to the operating system for some or all users
- Creation of new accounts and allocation of their privileges.
All types of administrator will have such accounts, including domain administrators and local administrators.
Now consider that if a user opens a malicious URL or email attachment, any associated malware is typically executed with the privilege level of the account that user is currently operating. This is why organisations must take special care over the allocation and use of privileged accounts.
Jody is logged in with an administrative account. If Jody opens a malicious URL or email attachment, any associated malware is likely to acquire administrative privileges.
Unfortunately, this is exactly what happens. Using Jody's administrative privileges, a type of malware known as ransomware encrypts all of the data on the network and then demands a ransom.
The ransomware was able to encrypt far more data than would have been possible with standard user privileges, making the problem that much more serious.
Requirements under this technical control theme
The applicant must be in control of its user accounts and the access privileges granted to each user account. It must also understand how user accounts authenticate and control the strength of that authentication. This means the applicant must:
- Have a user account creation and approval process
- Authenticate users before granting access to applications or devices, using unique credentials (see NCSC guidance)
- Remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
- Implement two-factor authentication, where available
- Use administrative accounts to perform administrative activities only (no emailing, web browsing, or other standard user activities that may expose administrative privileges to avoidable risks)
- Remove or disable special access privileges when no longer required (when a member of staff changes role, for example).