Standards Group:
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.12: Ensure authentication events are associated with an individual and not just an administrative or service account
| Scope                         | Status                      |
|-------------------------------|-----------------------------|
| Low Risk Endpoint             | Required for IA             |
| Moderate Risk Endpoint        | Required for IA             |
| High Risk Endpoint            | Required for IA             |
| Low Risk Server               | Required for IA             |
| Moderate Risk Server          | Upcoming: Required for IA   |
| High Risk Server              | Upcoming: Required for IA   |
| Low Risk Mobile Device        | Not Required                |
| Moderate Risk Mobile Device   | Not Required                |
| High Risk Mobile Device       | Not Required                |
| Low Risk Network Printer      | Required for IA             |
| Moderate Risk Network Printer | Upcoming: Required for IA   |
| High Risk Network Printer     | Upcoming: Required for IA   |
Details
This standard applies to administrative accounts and service accounts.
Administrative accounts - accounts (a username with a password or other credential) that grant an individual privileged access to the IT System. Privileged access is the ability to make changes to the IT System as a whole, rather than only to the user's own data.
Service accounts - special user accounts that an application, service or system uses to interact with the operating system. These accounts are typically used for automation and are not intended for interactive login by a person.
Controls
- YALE-MSS-9.12.1: Disable direct login to generic, shared account names such as "root", "administrator", "dba" and "sa". Every account that is used to log in must meet the account requirements outlined in YALE-MSS-9.3.
- YALE-MSS-9.12.2: Do not allow direct logins to accounts with administrative privileges. Require users to log in with an individual account and then escalate privileges (for example with sudo or su), so that every privileged action is attributable to a specific person rather than to the shared account.
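The following script is an added example of how controls 9.12.1 and 9.12.2 can be checked on a Linux host running OpenSSH; it is not part of the Yale standard and Yale does not publish it. It assumes an OpenSSH sshd_config and a shadow-utils style /etc/shadow; the two sshd_config files and the shadow fragment it creates are constructed samples, not real configuration. It only reads the global section of sshd_config (directives inside a Match block apply to matched connections and would need a separate check), and it treats a missing PermitRootLogin directive as non-compliant because the OpenSSH default, prohibit-password, still allows key-based root login.

```shell
#!/bin/sh
# Added example for YALE-MSS-9.12.1 / 9.12.2 (not from the Yale MSS page).
# Audits an OpenSSH sshd_config and a shadow file for two findings:
#   1. direct root login over SSH is permitted
#   2. a generic/shared account name still has a usable password
# All input files below are constructed samples, not real configuration.

WORK=$(mktemp -d)

# Constructed sshd_config that looks compliant at a glance but is not:
# sshd applies the FIRST value it reads for each keyword, so the later
# "PermitRootLogin no" and the one inside the Match block change nothing
# for the global configuration.
cat >"$WORK/sshd_config.bad" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
EOF

# Constructed compliant sshd_config.
cat >"$WORK/sshd_config.good" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed /etc/shadow fragment. Field 2 is the password hash:
#   "!" or "*" prefix  = locked, no direct password login possible
#   empty              = no password required (worst case)
#   anything else      = usable hash, direct login possible
cat >"$WORK/shadow" <<'EOF'
root:$6$saltsalt$fakehashfakehashfakehash:19700:0:99999:7:::
administrator:!:19700:0:99999:7:::
dba::19700:0:99999:7:::
sa:*:19700:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:19700:0:99999:7:::
EOF

# effective_permit_root_login FILE
# Prints the value sshd will actually apply for PermitRootLogin: the first
# directive found before any Match block, or the OpenSSH default
# "prohibit-password" (which still allows key-based root login) if absent.
effective_permit_root_login() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# root_login_disabled FILE -> exit 0 only when the effective value is "no"
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# unlocked_accounts SHADOW NAME... -> prints each named account whose
# password field is neither locked ("!") nor starred ("*"), i.e. still usable
unlocked_accounts() {
    shadow=$1; shift
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n && $2 !~ /^[!*]/ { print $1 }' "$shadow"
    done
}

# audit SSHD_CONFIG SHADOW -> prints findings; exit 1 if any were found
audit() {
    rc=0
    if ! root_login_disabled "$1"; then
        echo "FINDING 9.12.2: PermitRootLogin is effectively '$(effective_permit_root_login "$1")', expected 'no'"
        rc=1
    fi
    for acct in $(unlocked_accounts "$2" root administrator dba sa); do
        echo "FINDING 9.12.1: generic account '$acct' has a usable password; lock it (passwd -l $acct)"
        rc=1
    done
    return $rc
}

echo "== constructed non-compliant host =="
audit "$WORK/sshd_config.bad" "$WORK/shadow" || true
echo "== constructed host after the sshd_config fix (shadow unchanged) =="
audit "$WORK/sshd_config.good" "$WORK/shadow" || true
```

Locking the shared accounts and setting PermitRootLogin to no does not remove administrative capability: administrators log in as themselves and run sudo, which records the invoking user in the system log, which is exactly the per-individual attribution this standard asks for.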