Page 1259 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
privileges they need to perform their job and no more.
Although access controls attempt to enforce the principle of least
privilege, there are times when users are granted excessive privileges.
User entitlement reviews can discover when users have excessive
privileges, which violate security policies related to user entitlement.
Audits of Privileged Groups
Many organizations use groups as part of a Role-Based Access Control
model. It's important to limit the membership of groups that have a
high level of privileges, such as administrator groups. It's also
important to make sure group members are using their high-privilege
accounts only when necessary. Audits can help determine whether
personnel are following these policies.
Access review audits, user entitlement audits, and audits
of privileged groups can be performed manually or automatically.
Many identity and access management (IAM) systems include the
ability to perform these audits using automation techniques.
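The following is an added example, not text or code from the study guide, showing what such an automated audit of privileged group membership can look like in Python. It compares a directory export of current group membership against the approved baseline recorded at the last user entitlement review and reports three kinds of findings: members who are not approved, approved members who are missing, and groups whose size exceeds the agreed cap (the "only two or three" rule for the most powerful groups). All group names, account names and caps are constructed sample data; in practice the export would come from the directory or IAM system.

```python
"""Automated audit of privileged group membership against an approved baseline.

Added example (not from the CISSP study guide). All data below is constructed
to stand in for an export from a directory or IAM system; the group names,
accounts and membership caps are hypothetical.
"""
from dataclasses import dataclass

# Approved membership baseline, as recorded during the last user entitlement
# review (constructed sample). 'max_members' is the agreed cap for the group.
APPROVED_BASELINE = {
    "Enterprise Admins": {"members": {"alice.admin", "bob.admin"}, "max_members": 3},
    "Domain Admins": {"members": {"alice.admin", "bob.admin", "carol.admin"}, "max_members": 5},
    "Administrators": {"members": {"alice.admin", "bob.admin", "carol.admin", "svc_backup"},
                       "max_members": 4},
}

# Current membership as exported from the directory (constructed sample).
CURRENT_MEMBERSHIP = {
    "Enterprise Admins": {"alice.admin", "bob.admin", "dave.helpdesk"},
    "Domain Admins": {"alice.admin", "carol.admin"},
    "Administrators": {"alice.admin", "bob.admin", "carol.admin", "svc_backup",
                       "eve.contractor"},
}


@dataclass(frozen=True)
class Finding:
    group: str
    kind: str    # "unapproved_member", "missing_member" or "over_limit"
    detail: str  # the account concerned, or "<actual> > <cap>" for over_limit


def audit_privileged_groups(current, baseline):
    """Return a list of Findings for every deviation from the approved baseline.

    Groups are checked in baseline order; within a group, unapproved members
    come first (sorted), then missing approved members (sorted), then the cap.
    """
    findings = []
    for group, policy in baseline.items():
        members = current.get(group, set())
        approved = policy["members"]
        # Accounts present in the directory but never approved: the classic
        # entitlement-review finding and the one most worth an alert.
        for user in sorted(members - approved):
            findings.append(Finding(group, "unapproved_member", user))
        # Approved accounts that have disappeared: either the baseline is stale
        # or someone changed membership outside the change process.
        for user in sorted(approved - members):
            findings.append(Finding(group, "missing_member", user))
        # Size cap, independent of who the members are.
        if len(members) > policy["max_members"]:
            findings.append(Finding(group, "over_limit",
                                    f"{len(members)} > {policy['max_members']}"))
    return findings


def audit_passed(findings):
    """True when the audit produced no findings at all."""
    return len(findings) == 0


def format_report(findings):
    """Human-readable report, one line per finding."""
    if not findings:
        return "Privileged group audit: no deviations from approved baseline."
    lines = ["Privileged group audit findings:"]
    for f in findings:
        lines.append(f"  [{f.kind}] {f.group}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = audit_privileged_groups(CURRENT_MEMBERSHIP, APPROVED_BASELINE)
    print(format_report(results))
```

Run against the constructed sample, the audit flags the help-desk account that was added to Enterprise Admins, the approved administrator missing from Domain Admins, and a contractor account that both is unapproved and pushes the local Administrators group past its cap. In a real deployment the baseline would be updated only through the entitlement review process, so any finding is a signal to investigate.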
High-Level Administrator Groups
Many operating systems have privileged groups such as an
Administrators group. The Administrators group is typically granted
full privileges on a system, and when a user account is placed in the
Administrators group, the user has these privileges. With this in mind,
a user entitlement review will often review membership in any
privileged groups, including the different administrator groups.
Some groups have such high privileges that even in organizations with
tens of thousands of users, their membership is limited to a very few
people. For example, Microsoft domains include a group known as the
Enterprise Admins group. Users in this group can do anything on any
domain within a Microsoft forest (a group of related domains). This
group has so much power that membership is often restricted to only
two or three high-level administrators. Monitoring and auditing
membership in this group can uncover unauthorized individuals