20.69 Ensure 'Users with Administrative privileges have separate accounts for administrative duties and normal operational tasks'

Information

This policy setting ensures that users with administrative privileges must have separate accounts for administrative duties and normal user tasks.

Allowing a user with administrative privileges to perform normal user tasks such as checking email or accessing the Internet is a security risk. If an attacker gains control of administrate privileges, this makes the computer and network vulnerable to malicious software due to having full administrative privileges.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If a standard user account is found to have administrative privileges, remove the privileges from the standard user account, and create an administrative account for the user.

Impact:

A user with administrative privileges will have two accounts, one for normal user tasks and one for administrative duties.

See Also

https://workbench.cisecurity.org/benchmarks/15301