5.4
IG1 IG2 IG3

Restrict Administrator Privileges to Dedicated Administrator Accounts

Control Group: 5. Account Management
Asset Type: Users
Security Function: Protect

Description

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

Implementation Checklist

1. Inventory every account that holds administrative privileges on enterprise assets (domain, local, cloud and application admin roles) and identify which of those accounts are also used for email, internet browsing or productivity work.
2. Create a dedicated administrator account for each person who needs elevated rights, separate from that person's primary user account, and apply a naming convention that makes the two distinguishable.
3. Remove administrative privileges from primary user accounts so that general computing activities (internet browsing, email, productivity suite use) take place only from the non-privileged account.
4. Restrict dedicated administrator accounts from general computing: no mailbox, no web browsing, and logon permitted only to the assets and tools where administration is performed.
5. Test the separation in a non-production environment, confirming that administrative tasks still complete from the dedicated account and that the primary account can no longer perform them.
6. Deploy to production and verify that privileged groups and roles contain only dedicated administrator accounts.
7. Document the account model and the operational procedures for requesting, provisioning, reviewing and removing dedicated administrator accounts.
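The inventory and verification steps above (items 1, 3 and 6) amount to one check: does any account in a privileged group look like a daily-use account? The following Python script is an added example, not part of the CIS safeguard text. It works on a constructed membership export shaped like the output of a directory query (privileged group, member account) and a constructed list of accounts that have mailboxes; the "adm-" and "svc-" prefixes are a hypothetical naming convention assumed for the example.

```python
"""Audit a privileged-group membership export for daily-use accounts (CIS 5.4).

Added example, not part of the CIS page. The export, the mailbox list and the
naming convention are constructed assumptions for illustration.
"""
from dataclasses import dataclass

ADMIN_PREFIX = "adm-"    # hypothetical convention: dedicated administrator accounts
SERVICE_PREFIX = "svc-"  # hypothetical convention: service accounts, out of scope here

# Constructed sample export: (privileged group, member account). Not real data.
PRIVILEGED_MEMBERS = [
    ("Domain Admins", "adm-jsmith"),
    ("Domain Admins", "mlee"),          # primary account holding Domain Admins directly
    ("Server Operators", "adm-mlee"),
    ("Administrators", "svc-backup"),   # service account, skipped by convention
    ("Domain Admins", "adm-rkhan"),     # dedicated admin account that also has a mailbox
    ("Domain Admins", "pdoe"),          # primary account with no dedicated admin counterpart
]

# Constructed list of accounts that have a mailbox and can therefore be phished directly.
MAILBOX_ACCOUNTS = {"jsmith", "mlee", "rkhan", "adm-rkhan", "pdoe"}


@dataclass(frozen=True)
class Finding:
    account: str
    group: str
    issue: str


def audit_privileged_accounts(members, mailbox_accounts,
                              admin_prefix=ADMIN_PREFIX,
                              service_prefix=SERVICE_PREFIX):
    """Return one Finding per violation of the dedicated-admin model.

    Two conditions are checked for every privileged member:
      - the account is not a dedicated administrator account (naming convention), and
      - the account has a mailbox, i.e. it is reachable by phishing email.
    Service accounts are skipped; they are governed by other safeguards.
    """
    findings = []
    for group, account in members:
        if account.startswith(service_prefix):
            continue
        if not account.startswith(admin_prefix):
            findings.append(Finding(account, group,
                                    "non-dedicated account holds administrative privileges"))
        if account in mailbox_accounts:
            findings.append(Finding(account, group,
                                    "privileged account has a mailbox"))
    return findings


def users_without_dedicated_admin(members, admin_prefix=ADMIN_PREFIX,
                                  service_prefix=SERVICE_PREFIX):
    """Primary accounts that hold privileges directly and have no adm- counterpart.

    These are the people for whom a dedicated administrator account still has to
    be created before privileges can be removed from the primary account.
    """
    accounts = {account for _, account in members}
    return sorted(
        a for a in accounts
        if not a.startswith(admin_prefix)
        and not a.startswith(service_prefix)
        and admin_prefix + a not in accounts
    )


if __name__ == "__main__":
    for f in audit_privileged_accounts(PRIVILEGED_MEMBERS, MAILBOX_ACCOUNTS):
        print(f"{f.group:18} {f.account:12} {f.issue}")
    print("needs dedicated admin account:", users_without_dedicated_admin(PRIVILEGED_MEMBERS))
```

Run against a real export, the first function is the evidence item for the quarterly review (an empty result is the pass condition), and the second function is the work list for checklist item 2. The mailbox check matters as much as the naming check: a correctly named administrator account that can receive email is still exposed to the phishing scenario this safeguard exists to prevent.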

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Phishing-Compromised Admin Account Full Domain Takeover

Confidentiality

An administrator using their privileged account for daily email and web browsing is phished, and the compromised credentials grant the attacker immediate domain admin access.

Drive-By Download Executing with Admin Privileges

Integrity

A user browsing the web with an account that has administrative privileges encounters a drive-by download exploit that executes malware with full admin rights on the system.

Credential Theft via Admin Account Browser Session

Confidentiality

Attackers steal browser-cached credentials from a session running under an administrative account, obtaining tokens or saved passwords that grant elevated access across the enterprise.

Vulnerabilities (When Safeguard Absent)

Administrative Privileges Used for Daily Activities

Administrators using their privileged accounts for email, browsing, and general work expose their elevated credentials to phishing, malware, and credential theft attacks.

No Separation Between Admin and Standard User Accounts

Without dedicated admin accounts separate from daily-use accounts, compromise of any admin user's session immediately grants the attacker full administrative access.
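All three threat scenarios above start the same way: a browser or mail client running under an account that holds administrative privileges. That is a detectable condition on process-creation telemetry. The following Python detection is an added example, not part of the CIS page. It runs over constructed process-creation events in a simplified one-JSON-object-per-line shape (time, user, image); real Windows Security 4688 or Sysmon Event ID 1 records would be mapped onto those three fields first. The administrator account set and the list of general-computing executables are assumptions for the example.

```python
"""Detect general computing (browsing, email, office) under administrator accounts.

Added example, not from the CIS page. Event shape, account names and the
application list are constructed assumptions for illustration.
"""
import json
import ntpath

# Hypothetical set of dedicated administrator accounts, e.g. from a group export.
# Stored lower-case so comparison is case-insensitive, as Windows account names are.
ADMIN_ACCOUNTS = {"corp\\adm-jsmith", "corp\\adm-mlee"}

# Executables whose presence under an admin account indicates general computing,
# which CIS 5.4 says should happen only from the primary, non-privileged account.
GENERAL_COMPUTING_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe",    # web browsers
    "outlook.exe", "thunderbird.exe",             # mail clients
    "winword.exe", "excel.exe", "powerpnt.exe",   # productivity suite
}

# Constructed process-creation events (not real telemetry). Raw string so the
# JSON escaping of the backslashes in account and image paths is preserved.
SAMPLE_EVENTS = r"""
{"time": "2024-05-01T09:02:11Z", "user": "CORP\\jsmith", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"time": "2024-05-01T09:05:40Z", "user": "CORP\\adm-jsmith", "image": "C:\\Windows\\System32\\mmc.exe"}
{"time": "2024-05-01T09:07:03Z", "user": "CORP\\adm-mlee", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"time": "2024-05-01T09:09:27Z", "user": "CORP\\adm-mlee", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"time": "2024-05-01T09:11:58Z", "user": "CORP\\adm-jsmith", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_admin_general_computing(events, admin_accounts=ADMIN_ACCOUNTS,
                                   images=GENERAL_COMPUTING_IMAGES):
    """Return an alert for every event where an administrator account starts a
    browser, mail client or office application.

    ntpath.basename is used so Windows paths are split correctly on any host,
    and the image name is lower-cased because logged casing varies (OUTLOOK.EXE).
    """
    alerts = []
    for ev in events:
        user = ev["user"].lower()
        image = ntpath.basename(ev["image"]).lower()
        if user in admin_accounts and image in images:
            alerts.append({
                "time": ev["time"],
                "user": user,
                "image": image,
                "rule": "CIS 5.4: general computing from administrator account",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_general_computing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, the primary account jsmith running Chrome produces nothing (that is the intended behaviour), the administrator account adm-jsmith running mmc.exe and powershell.exe produces nothing (administration from the admin account is the point), and adm-mlee launching Outlook and Firefox produces two alerts. Each alert is the "Administrative Privileges Used for Daily Activities" vulnerability observed in practice, before an attacker has had to do anything.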

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Export of privileged group and role membership showing only dedicated administrator accounts | Captured quarterly
Document | Procedure documentation for provisioning, reviewing and removing dedicated administrator accounts | Reviewed annually
Technical | Configuration evidence that administrator accounts are excluded from general computing (no mailbox assigned, browsing and logon restrictions) | Verified quarterly
Document | Governing policy document (current, approved, communicated) | Reviewed annually