QW: Audit passwords to ensure previously used passwords are not being authorized for re-use within a certain time frame (e.g., 6 months).
Vis/Attrib: Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g., system reconfigurations during night shift).
Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged in to the machine without admin privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, runas on Windows, and other similar facilities for other types of systems.
Config/Hygiene: Conduct targeted spear-phishing attacks against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering and to test whether they are using administrator privileges while reading e-mail or surfing the Internet.
Config/Hygiene: Ensure all domain administrator accounts are accessible only with two-factor authentication.
Advanced: Segregate admin accounts based on roles (in policy). For example, “Workstation admin” accounts are the only admin accounts capable of logging into workstations, laptops, etc. Domain admin accounts are not allowed to log into workstations and are only allowed to log into servers. The benefit here is that the domain admin credentials (what the bad guys want) will not get cached on the workstations. This makes privilege escalation to domain admin much harder.
Procedures and tools for implementing this control:
Built-in operating system features can extract lists of accounts with superuser privileges, such as those in the administrators group on Windows machines and those with UID or GID 0 on Linux and Unix systems. In Active Directory environments, personnel can use Microsoft Group Policy to dump lists of such users from machines and domain controllers so that these accounts can be reconciled against an inventory of users with legitimate and approved needs for such access.
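As an added example (not part of the original control text), the Linux/Unix side of that reconciliation as a POSIX shell script: it reads constructed stand-ins for /etc/passwd and /etc/group (a live audit would read the real files), lists every account holding UID 0, primary GID 0, or membership in the GID 0 group, and reports those absent from a constructed approved inventory.

```shell
#!/bin/sh
# Constructed sample content standing in for /etc/passwd and /etc/group.
# A real audit reads the live files; these records are made up for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:0:Bob:/home/bob:/bin/bash'

SAMPLE_GROUP='root:x:0:carol
wheel:x:10:alice
users:x:100:'

# Constructed inventory of accounts approved to hold UID 0 / GID 0 privilege.
APPROVED='root'

# superusers PASSWD GROUP: print every account with UID 0, primary GID 0,
# or supplementary membership in the GID 0 group; sorted, one per line.
superusers() {
    {
        # passwd fields: name:pw:uid:gid:gecos:home:shell
        printf '%s\n' "$1" | awk -F: '$3 == 0 || $4 == 0 { print $1 }'
        # group fields: name:pw:gid:member,member,...
        printf '%s\n' "$2" | awk -F: '$3 == 0 && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u
}

# unapproved_superusers PASSWD GROUP APPROVED: superuser accounts that do not
# appear in the approved inventory, joined by commas on a single line.
unapproved_superusers() {
    superusers "$1" "$2" | while IFS= read -r acct; do
        printf '%s\n' "$3" | grep -qxF -- "$acct" || printf '%s\n' "$acct"
    done | paste -sd, -
}

# Run the reconciliation against the constructed data.
unapproved_superusers "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$APPROVED"  # → bob,carol,toor
```

Any name this prints is either an undocumented superuser account or a gap in the inventory, and both need a follow-up.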
To verify that users with such high-privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel periodically (often sampling weekly) can gather a list of running processes in an attempt to determine