
YALE-MSS-9.11: Disable direct logins for generic or administrative accounts

Standards Group:
YALE-MSS-9: Authentication and Authorization


Applicability by asset type and risk level:

Asset type        Low Risk            Moderate Risk               High Risk
Endpoint          Required for IA     Required for IA             Required for IA
Server            Required for IA     Upcoming Required for IA    Upcoming Required for IA
Mobile Device     Not Required        Not Required                Not Required
Network Printer   Required for IA     Upcoming Required for IA    Upcoming Required for IA

Details

Generic or administrative accounts are predictable targets for brute-force attempts: their names are widely known to attackers, and they usually carry elevated privileges.

The risk of account compromise increases when the system is accessible to the internet and direct login is enabled.

Direct logins to generic or default administrative accounts (e.g., root, admin, sa) are prohibited. All system access must use individually assigned identifiers to ensure attribution and non-repudiation.

Privileged actions must be performed by escalating permissions from an individual user account using controlled mechanisms (e.g., sudo, RBAC).
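As an added example (not part of the Yale standard or any Yale tooling), a small POSIX shell audit that checks the two conditions this standard describes: whether an OpenSSH server configuration still permits direct root login, and whether generic accounts such as root, admin or sa still have an interactive login shell. The sshd_config and passwd text are constructed sample inputs; the parser assumes OpenSSH's first-occurrence-wins rule for keywords and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: audit helper for the checks described in YALE-MSS-9.11.
# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication no
'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1001:1001::/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1002:1002::/home/jsmith:/bin/bash
'
# Generic / default account names the standard gives as examples.
GENERIC_ACCOUNTS="root admin sa"

# Print the effective PermitRootLogin value from sshd_config text on stdin.
# OpenSSH uses the FIRST occurrence of a keyword; when it is absent the
# default is prohibit-password (assumption: Match blocks are not evaluated).
sshd_effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }'
}

# Return 0 only when direct root SSH login is fully disabled ("no").
# prohibit-password still allows key-based root login, so it is flagged too.
sshd_root_login_ok() {
    v=$(printf '%s' "$1" | sshd_effective_permit_root_login)
    [ "$v" = "no" ]
}

# List generic accounts in passwd text whose login shell is not
# nologin/false, i.e. accounts that can still be logged into directly.
generic_accounts_with_shell() {
    printf '%s' "$1" | awk -F: -v names="$GENERIC_ACCOUNTS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) g[a[i]] = 1 }
        ($1 in g) && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Run both checks against the sample data; non-zero exit means findings.
audit() {
    rc=0
    if sshd_root_login_ok "$SAMPLE_SSHD_CONFIG"; then
        echo "OK: PermitRootLogin no"
    else
        echo "FINDING: direct root login over SSH is permitted"; rc=1
    fi
    for u in $(generic_accounts_with_shell "$SAMPLE_PASSWD"); do
        echo "FINDING: generic account '$u' has an interactive shell"; rc=1
    done
    return $rc
}
```

On a real host, replace the sample strings with the contents of /etc/ssh/sshd_config and /etc/passwd and call audit; the expected remediation is PermitRootLogin no plus a non-interactive shell on the generic accounts, with privileged work done through sudo from individual accounts.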