Vulnerability Discussion
Accounts with administrative privileges using applications that access the internet, or have potential internet sources, expose a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account.
Because administrative accounts could change or work around technical restrictions for running a web browser or other applications, it is essential that a policy prohibits administrative accounts accessing the internet or using public-facing applications such as email.
The policy must define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
Technical methods (such as allow listing) must be used to enforce the policy, except as approved by the authorizing official (AO).
Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000205-GPOS-00083Check
Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the internet or other public-facing networks. These applications include web browsers or applications with potential internet sources, such as email, except as necessary for local service administration.
The policy must define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
Determine whether the organization uses technical means, such as allow listing via AppLocker or Software Restriction Policies (SRPs), to prevent administrative accounts' use of browsers and email applications.
Note: Allow list tools facilitate defining rules that explicitly permit approved applications to run while blocking all others by default.
Administrative accounts that do not have technical restrictions to applications that access public-facing networks must be documented and approved by the information system security officer (ISSO) or AO.
If administrative access to applications that access public-facing networks is not blocked by technical means (except as approved by the AO), this is a finding.Fix
Establish a policy, at minimum, to prohibit administrative accounts from using applications that access public-facing networks or the internet, such as web browsers, or applications with potential internet sources, such as email.
Ensure the policy is enforced by technical means, such as allow listing via AppLocker or SRPs.
Document any exceptions to technical enforcement with the ISSO.