Following the changes to the Cyber Essentials scheme earlier this year, we have been discussing them with customers. Many are concerned by two elements of the User Access Control requirements: account separation and shared accounts. This piece explores both in more detail.
Account Privilege Separation
Under this control theme, applicants are required to use separate accounts for administrative activities, and to use those accounts for administrative activities only. Privileged accounts must not be used for email, web browsing or other standard user activities, since that exposes administrative privileges to avoidable risk. This applies equally to third parties such as contractors or Managed Service Providers (MSPs).
Why is this important? In the Cyber Security Breaches Survey 2022, phishing (including other email-borne attacks) was reported by around 83% of the organisations that identified an attack, making it by far the most common attack type. If a user reads and responds to email while authenticated with a privileged account, any malware or malicious link that runs in that session inherits the same level of privilege.
Account privilege separation can be implemented through any combination of policy, process and training. The changes do not mandate that businesses enforce separation with technical measures, but we would advise that technical controls are the most effective way to ensure the control is actually achieved rather than merely documented.
Implementing within a Windows domain environment
If you are implementing this control in a Windows domain environment, you could use the following steps:
- Create separate accounts: one for standard, everyday activities and one for privileged use.
- Grant local administrative privileges to the privileged account only, and remove them from the standard account. Membership can be tied to a specific device or applied across the estate using the ‘Local Users and Groups’ item in Group Policy Preferences.
- Prevent the privileged accounts from logging on interactively. This can be achieved by defining a ‘Custom User Interface’ policy targeted at these accounts and setting the interface to ‘logoff.exe’, so that any full desktop session for a privileged account is ended as soon as it starts. Note that this does not block UAC elevation prompts or ‘runas’, which is the intended way to use the account; the ‘Deny log on locally’ user right would block those as well, which is why the shell approach is preferred here.
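The three steps above, scripted end to end. This is an added example and not code from the original article or from the Cyber Essentials scheme; the domain, OU, group and GPO names, and the ‘adm-’ naming convention, are assumptions you would replace with your own. It requires the RSAT ActiveDirectory and GroupPolicy modules and a domain administrator session, and the final function is meant to be run on a workstation to check that only privileged identities sit in the local Administrators group.

```powershell
# Added example (not from the original article). All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain      = 'corp.example'                               # assumed domain
$AdminOU     = 'OU=Privileged Accounts,DC=corp,DC=example'  # assumed OU for admin accounts
$LocalAdmins = 'Workstation-LocalAdmins'                    # assumed group that a GPP 'Local Users and Groups' item maps into local Administrators
$AdminPrefix = 'adm-'                                       # assumed naming convention: jsmith -> adm-jsmith
$ShellGpo    = 'Privileged - No Interactive Logon'          # assumed GPO name

# Step 1: create the privileged counterpart of an existing standard user.
# Step 2: put it (and only it) in the group that becomes local Administrators.
function New-PrivilegedCounterpart {
    param([Parameter(Mandatory)][string]$StandardSam)

    $std    = Get-ADUser -Identity $StandardSam
    $admSam = "$AdminPrefix$StandardSam"

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$admSam'")) {
        New-ADUser -Name $admSam -SamAccountName $admSam `
            -UserPrincipalName "$admSam@$Domain" `
            -DisplayName "$($std.Name) (admin)" -Path $AdminOU `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $admSam") `
            -ChangePasswordAtLogon $true -Enabled $true
    }

    $members = Get-ADGroupMember -Identity $LocalAdmins | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $admSam) {
        Add-ADGroupMember -Identity $LocalAdmins -Members $admSam
    }
    # Separation: the everyday account must not keep the same privilege.
    if ($members -contains $StandardSam) {
        Remove-ADGroupMember -Identity $LocalAdmins -Members $StandardSam -Confirm:$false
    }
}

# Step 3: a GPO that sets 'Custom User Interface' to logoff.exe, security-filtered
# so that only the privileged group applies it. The Administrative Template
# writes the Shell value under HKCU\...\Policies\System, which is set directly here.
function Set-NoInteractiveShellGpo {
    $gpo = Get-GPO -Name $ShellGpo -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $ShellGpo }

    Set-GPRegistryValue -Name $ShellGpo `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'Shell' -Type String -Value 'logoff.exe' | Out-Null

    # Only privileged accounts get Apply; Authenticated Users keep Read so the GPO
    # can still be processed (computers need Read since MS16-072).
    Set-GPPermission -Name $ShellGpo -TargetName $LocalAdmins -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $ShellGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # It is a User Configuration policy, so link it where the admin accounts live.
    New-GPLink -Name $ShellGpo -Target $AdminOU -ErrorAction SilentlyContinue | Out-Null
}

# Check on a device: every member of local Administrators should be the privileged
# group, Domain Admins, the built-in local Administrator, or an 'adm-' account.
# Anything else means a standard account still carries admin rights.
function Test-LocalAdminSeparation {
    param([string[]]$AllowedGroups = @($LocalAdmins, 'Domain Admins'))

    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $name = ($m.Name -split '\\')[-1]
        $ok = switch ($m.ObjectClass) {
            'Group' { $AllowedGroups -contains $name }
            'User'  { ($name -like "$AdminPrefix*") -or
                      ($m.PrincipalSource -eq 'Local' -and $name -eq 'Administrator') }
            default { $false }
        }
        [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; Compliant = $ok }
    }
}

# Usage (run the first two on a domain controller or RSAT host, the last on a workstation):
# New-PrivilegedCounterpart -StandardSam 'jsmith'      # creates adm-jsmith and swaps the privilege
# Set-NoInteractiveShellGpo
# Test-LocalAdminSeparation | Where-Object { -not $_.Compliant }
```

The check function deliberately reports rather than remediates: a non-compliant entry on a device is usually a long-standing local account or a direct group membership that predates the GPP item, and both deserve a look before they are removed.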
Shared Accounts
User accounts must not be shared. Each account must be unique to one individual and must provide access only to the applications, computers and networks that person needs to perform their role. This includes accounts used by service companies such as MSPs, IT support or development companies.
This has caused some controversy since the IASME changes went live. However, it is important to note that this is not a new requirement of the scheme; it has simply been brought into focus by the Account Privilege Separation requirement.
Where there is no shared authentication platform (for example Active Directory or Azure AD), accounts have to be created locally on each device, and the local administrator accounts on each device must still be unique to individuals rather than a single shared login.
Where there is a shared authentication platform, user accounts must be unique to individuals.
Whatever you decide to implement, these controls are vital to reduce your attack surface and comply with current cyber security practice. If you would like advice or would like to undergo a Cyber Essentials assessment, please contact our cyber team at firstname.lastname@example.org for more information. We can also provide advice and support to implement controls that meet the needs of your environment.
A piece by Michael Taylor, Cyber Team Lead