158 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
with the explicit purpose of subverting security are both undesirable. The access control policy should restrict the number of privileged accounts, restrict their assignment to qualified users, and restrict their use in operations. Users without an explicit need for a privileged account should not be assigned one. Any user assigned a privileged account should be vetted through an approval process in which more than one person reviews and approves the assignment. Each person who holds a privileged account should also have at least one account with normal user capability; the privileged account is used only for tasks that explicitly require its permissions, and the regular account for everyday activity. The number of existing privileged accounts, the password strength associated with them, and the actual use made of them should all be part of the security audit process.
By default, privileged accounts have standard names like Administrator. A good practice that hinders casual misuse attempts is to rename these default accounts to something that blends in with the structure of ordinary user accounts. For example, if the practice is to use the first letter of the first name coupled with the first seven letters of the last name, then rename the privileged account using a fictitious name, and make it an innocuous fictitious name like jsmith, not something associated with privilege like gwizard. There are relatively simple ways around this for a knowledgeable hacker, but there are simple ways around a front door lock for a knowledgeable thief. Simple deterrents deter the simple, but they are deterrents nonetheless.
One way around the renaming is to look at security identifiers (SIDs). Windows assigns a SID to every user, group, and computer account; UNIX uses a numeric user identifier (UID) for the same purpose, and the root account is always UID 0. A Windows account SID is the SID of the machine or domain followed by a relative identifier (RID), and the built-in Administrator account always receives RID 500 (S-1-5-21-<domain>-500), whatever name it has been given. Other well-known SIDs and RIDs (Guest is RID 501, Domain Admins is RID 512, and so on) likewise let an attacker who can enumerate SIDs identify accounts by role rather than by name. Microsoft's list of well-known SIDs is at http://support.microsoft.com/kb/243330. Windows User Account Control (UAC) addresses a different part of the problem: when a member of the Administrators group logs on, UAC gives the session a filtered, standard-user token, and an application receives the full administrative token only after an explicit elevation prompt. (By default the built-in Administrator account itself is exempt from this filtering unless Admin Approval Mode for the built-in Administrator account is enabled, which is one more reason to keep that account disabled or tightly controlled.) Knowledge of these technical specifics helps articulate access control standards, e.g., all enterprise financial systems running the Windows operating system will enable UAC and require a consent or credential prompt for elevation, so that applications do not silently run with administrative privilege. Policy states the intent, and standards describe what to use to implement and enforce the intent. The section on Access Control provides more details.
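The audit items above (the count of privileged accounts, the renamed built-in Administrator, and the UAC standard) can be checked on a Windows host directly. The following script is an added example and is not from the ISSMP guide; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, an elevated session, and a site-specific ceiling on local administrators (the value 3 and the output field names such as Check and Pass are placeholders). The RID 500 convention and the registry values it reads are documented Windows behaviour; the thresholds are not.

```powershell
# Added example (not from the ISSMP guide): audit a local Windows host for the
# privileged-account and UAC controls described in the text.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and an
# elevated session. The ceiling of 3 administrators and the output field
# names are illustrative placeholders, not Microsoft or (ISC)2 values.

function Get-PrivilegedAccountAudit {
    [CmdletBinding()]
    param(
        # Site-specific standard: maximum members of the local Administrators group.
        [int]$MaxAdmins = 3
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. The built-in Administrator account carries RID 500 no matter what it has
    #    been renamed to, so find it by SID rather than by name and report whether
    #    the rename recommended in the text was actually done.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($null -ne $builtinAdmin) {
        $findings.Add([pscustomobject]@{
            Check = 'Built-in Administrator (RID 500)'
            Value = "$($builtinAdmin.Name) (Enabled=$($builtinAdmin.Enabled))"
            Pass  = ($builtinAdmin.Name -ne 'Administrator')
            Note  = 'Renaming is only a deterrent; the RID still identifies the account.'
        })
    }

    # 2. Number of privileged accounts. Each member should map to a vetted person
    #    who also holds a normal account; the ceiling is a local standard.
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    $findings.Add([pscustomobject]@{
        Check = 'Members of local Administrators'
        Value = ($admins.Name -join ', ')
        Pass  = ($admins.Count -le $MaxAdmins)
        Note  = "Limit is $MaxAdmins; each member should be explicitly approved."
    })

    # 3. UAC settings under the policy key.
    #    EnableLUA=1                  UAC is on.
    #    ConsentPromptBehaviorAdmin=0 administrators elevate silently, which defeats
    #                                 the purpose; a missing value means the Windows
    #                                 default (prompt) applies.
    #    FilterAdministratorToken=1   the built-in Administrator account is also
    #                                 subject to UAC (it is exempt by default).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Check = 'UAC enabled (EnableLUA)'
        Value = $uac.EnableLUA
        Pass  = ($uac.EnableLUA -eq 1)
        Note  = 'Required by the example financial-systems standard.'
    })
    $findings.Add([pscustomobject]@{
        Check = 'Elevation prompts for admins (ConsentPromptBehaviorAdmin)'
        Value = $uac.ConsentPromptBehaviorAdmin
        Pass  = ($uac.ConsentPromptBehaviorAdmin -ne 0)
        Note  = '0 means elevate without prompting.'
    })
    $findings.Add([pscustomobject]@{
        Check = 'Built-in Administrator in Admin Approval Mode (FilterAdministratorToken)'
        Value = $uac.FilterAdministratorToken
        Pass  = ($uac.FilterAdministratorToken -eq 1)
        Note  = 'Off by default; the RID-500 account otherwise runs with a full token.'
    })

    return $findings
}

# Run the audit and show the results as a table.
Get-PrivilegedAccountAudit | Format-Table -AutoSize -Wrap
```

The point of locating the account by RID rather than by name is the one the text makes: renaming Administrator stops casual misuse, but any auditor, or attacker, who can read SIDs will find it immediately, so the audit should not rely on the name either. On a domain member the same idea applies to the domain's RID 500 account and to well-known group RIDs such as 512, which can be queried with the Active Directory module instead of the local cmdlets.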
Remote Access Control
The access control policy should include a section on remote access. The remote access policy applies to all employees, contractors, vendors, business partners, and agents that connect to the enterprise network from outside enterprise-owned facilities. Access may occur using a personally owned device or a company-issued device. The policy should restrict remote access privileges according to job function and business need. Access to e-mail may be the only necessary remote access. Others