CIS Control 05: Account Management
Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts and verifying that any change to those accounts is authorized and intentional rather than unintended is paramount to establishing a secure environment, and this includes service accounts.
Establishing and maintaining visibility on all accounts can protect assets in multiple ways. If an adversary is able to attack from a different vector that we do not have any visibility into, such as a new zero-day vulnerability or a successful phishing attack, the adversary may first attempt to establish persistence, and one of the most common ways to maintain that persistence is through the addition or modification of an account. If we maintain good account management, we may be able to detect an attack before the adversary is able to establish that persistence, even if the initial vector of the attack was not the account itself (such as a brute force attack).
Account Management also includes password requirements, lockouts on failed login attempts, and logging out after a period of inactivity, as well as never using default passwords or sharing accounts. Privileged accounts should only be used for tasks that require them.
Key Takeaways for Control 5
- Policy. Have a policy in place that specifies all the parameters of creating an account including password strength, etc.
- Have an inventory and track changes. Establish an inventory and use Active Directory or other technologies and tools to centralize the management of accounts. Track any changes to the accounts.
Safeguards for Control 5
5.1) Establish and Maintain an Inventory of Accounts
Description: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized on a recurring schedule at a minimum quarterly or more frequently.
Notes: The security function for this safeguard is Identify. All accounts should be valid accounts. New accounts and changes to existing accounts should be tracked and verified as legitimate additions. Service accounts also need to be scrutinized to ensure they are only being used as intended. The unauthorized creation or changing of an account is often the first task an adversary does in order to maintain persistence.
5.2) Use Unique Passwords
Description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using multi-factor authentication (MFA) and a 14-character password for accounts not using MFA.
Notes: The security function for this safeguard is Protect. This isn’t just for the enterprise. If you reuse passwords and there is a data breach, attackers can use your password for other accounts. Always choose unique passwords, and always change default passwords.
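The two checks a defender would want behind safeguard 5.2 are an MFA-aware minimum length (8 characters with MFA, 14 without, as the description states) with rejection of default passwords, and a way to spot the same credential reused across several enterprise assets. The following is an added example and not code from the article or from CIS; the `KNOWN_DEFAULTS` set, the `SAMPLE_VERIFIERS` mapping and the `v-…` verifier strings are constructed placeholders.

```python
"""Password checks for CIS safeguard 5.2: MFA-aware minimum length, no default
passwords, and detection of one credential shared across several assets.
Added example, not from the original article; all sample data is constructed."""
from collections import defaultdict

MIN_LENGTH_WITH_MFA = 8      # article's minimum for accounts protected by MFA
MIN_LENGTH_WITHOUT_MFA = 14  # article's minimum for accounts without MFA

# Constructed placeholder list; a real deployment would load vendor default
# passwords for the products actually in use.
KNOWN_DEFAULTS = {"admin", "password", "changeme"}

# Constructed audit data: asset -> opaque password verifier reported by the
# credential store. Identical verifiers mean identical passwords only when the
# store uses an unsalted scheme; with salted stores each candidate would have
# to be verified against each store instead.
SAMPLE_VERIFIERS = {
    "host-01": "v-aaaa",
    "host-02": "v-aaaa",
    "host-03": "v-bbbb",
    "host-07": "v-aaaa",
    "host-09": "v-cccc",
}


def password_policy_violations(password, mfa_enabled):
    """Return the list of reasons a password fails the 5.2 minimums (empty if it passes)."""
    required = MIN_LENGTH_WITH_MFA if mfa_enabled else MIN_LENGTH_WITHOUT_MFA
    reasons = []
    if len(password) < required:
        mode = "with" if mfa_enabled else "without"
        reasons.append(f"length {len(password)} is below the minimum of {required} ({mode} MFA)")
    if password.lower() in KNOWN_DEFAULTS:
        reasons.append("matches a known default password")
    return reasons


def find_shared_credentials(asset_verifiers):
    """Group assets by verifier and return {verifier: [assets]} for any verifier
    seen on more than one asset, i.e. a password that is not unique per asset."""
    by_verifier = defaultdict(list)
    for asset, verifier in asset_verifiers.items():
        by_verifier[verifier].append(asset)
    return {v: sorted(assets) for v, assets in by_verifier.items() if len(assets) > 1}


if __name__ == "__main__":
    for pw, mfa in (("correct-horse", True), ("correct-horse", False), ("admin", True)):
        print(pw, "MFA" if mfa else "no MFA", password_policy_violations(pw, mfa) or "ok")
    for verifier, assets in find_shared_credentials(SAMPLE_VERIFIERS).items():
        print(f"verifier {verifier} shared by: {', '.join(assets)}")
```

The same 13-character password passes with MFA and fails without it, which is the point of the two thresholds: the second factor is what lets the shorter minimum be acceptable. The sharing check is the audit you would run over local administrator accounts before rolling out per-host unique passwords.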
5.3) Disable Dormant Accounts
Description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Notes: The security function for this safeguard is Protect. A future data breach could spell real trouble if old accounts are not disabled. Disabling accounts can also be automatic by creating expiration dates for the account if the system supports it.
5.4) Restrict Administrator Privileges to Dedicated Administrator Accounts
Description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Notes: The security function for this safeguard is Protect. Administrator and root accounts should only be used for the tasks that require them. Using email, a web browser, etc., should always be done with non-privileged accounts.
5.5) Establish and Maintain an Inventory of Service Accounts
Description: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain the department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized on a recurring schedule at a minimum quarterly or more frequently.
Notes: The security function for this safeguard is Identify. Tracking what is happening with accounts includes service accounts, not just user accounts.
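Safeguards 5.1, 5.3 and 5.5 all reduce to the same recurring review: compare what the directory actually contains against the authorized inventory, and flag anything that is unauthorized, dormant past 45 days, enabled past its stop date, or a service account whose inventory record is incomplete or has not been reviewed within the quarter. The script below is an added example and not code from the article or from CIS; the `AUTHORIZED` inventory, the `DIRECTORY` export, the usernames and the `REVIEW_DATE` are constructed, and in practice the export would be pulled from the directory or identity service.

```python
"""Recurring account review for CIS safeguards 5.1, 5.3 and 5.5.
Added example, not from the original article; all sample data is constructed."""
from datetime import date

DORMANT_DAYS = 45           # 5.3: disable after 45 days of inactivity
REVIEW_INTERVAL_DAYS = 90   # 5.1 / 5.5: validate at least quarterly
REVIEW_DATE = date(2024, 11, 25)  # constructed "today" for the review run

# Constructed authorized inventory. User records carry the 5.1 minimum fields
# (name, username, start/stop dates, department); service records carry the
# 5.5 minimum fields (department owner, review date, purpose).
AUTHORIZED = {
    "jdoe":   {"name": "Jane Doe",  "start": "2023-01-09", "stop": None,         "department": "Finance"},
    "asmith": {"name": "Al Smith",  "start": "2022-06-01", "stop": None,         "department": "Sales"},
    "bjones": {"name": "Bo Jones",  "start": "2024-09-01", "stop": "2024-10-31", "department": "Contractors"},
    "mlee":   {"name": "Mia Lee",   "start": "2024-02-12", "stop": None,         "department": "Legal"},
    "svc-backup": {"service": True, "owner": "IT Ops", "purpose": "Nightly backups", "review_date": "2024-10-01"},
    "svc-legacy": {"service": True, "owner": "",       "purpose": "",                "review_date": "2023-01-01"},
}

# Constructed directory export: one row per account as the directory sees it.
DIRECTORY = [
    {"username": "jdoe",       "enabled": True, "created": "2023-01-09", "last_logon": "2024-11-20"},
    {"username": "asmith",     "enabled": True, "created": "2022-06-01", "last_logon": "2024-08-01"},
    {"username": "bjones",     "enabled": True, "created": "2024-09-01", "last_logon": None},
    {"username": "svc-backup", "enabled": True, "created": "2021-03-15", "last_logon": "2024-11-24"},
    {"username": "svc-legacy", "enabled": True, "created": "2019-07-02", "last_logon": "2024-11-21"},
    {"username": "helpdesk2",  "enabled": True, "created": "2024-11-18", "last_logon": "2024-11-22"},
]


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def review_accounts(directory, authorized, today,
                    dormant_days=DORMANT_DAYS, review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return a sorted list of (username, code, detail) findings."""
    findings = []
    for acct in directory:
        user = acct["username"]
        record = authorized.get(user)
        if record is None:
            # 5.1: an account nobody authorized is the persistence pattern the article warns about
            findings.append((user, "UNAUTHORIZED", "present in directory but not in the authorized inventory"))
            continue
        if acct["enabled"]:
            stop = record.get("stop")
            if stop and _days_since(stop, today) > 0:
                findings.append((user, "EXPIRED", f"enabled past stop date {stop}"))
            # 5.3: an account that has never logged on is measured from its creation date
            last_activity = acct["last_logon"] or acct["created"]
            idle = _days_since(last_activity, today)
            if idle > dormant_days:
                findings.append((user, "DORMANT", f"no logon for {idle} days"))
        if record.get("service"):
            # 5.5: every service account needs an owner, a purpose and a recent review
            missing = [f for f in ("owner", "purpose", "review_date") if not record.get(f)]
            if missing:
                findings.append((user, "INCOMPLETE", "service account missing " + ", ".join(missing)))
            if record.get("review_date") and _days_since(record["review_date"], today) > review_interval_days:
                findings.append((user, "REVIEW_OVERDUE", f"last reviewed {record['review_date']}"))
    # Inventory entries with no directory object are worth a look as well
    present = {a["username"] for a in directory}
    for user in authorized:
        if user not in present:
            findings.append((user, "MISSING", "in authorized inventory but not in directory"))
    return sorted(findings)


if __name__ == "__main__":
    for user, code, detail in review_accounts(DIRECTORY, AUTHORIZED, REVIEW_DATE):
        print(f"{code:15} {user:12} {detail}")
```

Run quarterly (or more often, as the safeguards require), the output is the worklist for the review: `UNAUTHORIZED` and `EXPIRED` rows go to whoever approves account changes, `DORMANT` rows are candidates for disabling, and `INCOMPLETE` and `REVIEW_OVERDUE` rows go back to the service account's owner.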
5.6) Centralize Account Management
Description: Centralize account management through a directory or identity service.
Notes: The security function for this safeguard is Govern. This means using Active Directory and domains or some other centralized system for management.