5.6 Ensure 'CREATE USER' is Not Granted to Non-Administrative Users

Information

The CREATE USER privilege governs the right of a given user to add or remove users, change existing users' names, or revoke existing users' privileges.

Rationale:

Reducing the number of users granted the CREATE USER right minimizes the number of users able to add/drop users, alter existing users' names, and manipulate existing users' privileges.

Impact:

Users that are denied the CREATE USER privilege will not only be unable to create a user, but they may be unable to drop a user, rename a user, or otherwise revoke a given user's privileges.

Solution

Perform the following steps to remediate this setting:

Enumerate the non-administrative users found in the result set of the audit procedure

For each user, issue the following SQL statement (replace <user> with the non-administrative user):

REVOKE CREATE USER ON *.* FROM '<user>';

See Also

https://workbench.cisecurity.org/files/3848