Page 1260 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
added to these groups.
It is possible to use automated methods to monitor membership in
privileged accounts so that attempts to add unauthorized users
automatically fail. Audit logs will also record this action, and an
entitlement review can check for these events. Auditors can examine
the audit trail to determine who attempted to add the unauthorized
account.
Personnel can also create additional groups with elevated privileges.
For example, administrators might create an ITAdmins group for
some users in the IT department. They would grant the group
appropriate privileges based on the job requirements of these
administrators, and place the accounts of the IT department
administrators into the ITAdmins group. Only administrators from the
IT department should be in the group, and a user entitlement audit
can verify that users in other departments are not in the group. This is
one way to detect creeping privileges.
A user entitlement audit can also detect whether processes
are in place to remove privileges when users no longer need them
and if personnel are following these processes. For example, if an
administrator transferred to the Sales department of an
organization, this administrator should no longer have
administrative privileges.
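The entitlement review described above can be scripted. The following is an added example, not taken from the book: it checks membership of a privileged group against the departments allowed in it, then uses the audit trail to show who added each out-of-policy account and which add attempts were blocked. The policy table, field names, accounts, and log records are all constructed assumptions.

```python
# Constructed sample data: the policy, field names and accounts are assumptions.
POLICY = {"ITAdmins": {"IT"}}  # privileged group -> departments allowed in it

DIRECTORY = [  # constructed directory export, one record per account
    {"user": "alice", "department": "IT", "groups": ["ITAdmins", "Staff"]},
    {"user": "bob", "department": "Sales", "groups": ["ITAdmins", "Staff"]},  # transferred out of IT
    {"user": "carol", "department": "Sales", "groups": ["Staff"]},
]

AUDIT_LOG = [  # constructed audit trail of group-membership changes
    {"time": "2024-03-01T09:14:00", "actor": "alice", "action": "add_member",
     "group": "ITAdmins", "target": "bob", "result": "success"},
    {"time": "2024-05-20T16:02:00", "actor": "dave", "action": "add_member",
     "group": "ITAdmins", "target": "carol", "result": "denied"},
]

def entitlement_findings(directory, policy):
    """Return (user, group, department) for members outside the allowed departments."""
    findings = []
    for account in directory:
        for group in account["groups"]:
            allowed = policy.get(group)  # None means the group is not privileged
            if allowed is not None and account["department"] not in allowed:
                findings.append((account["user"], group, account["department"]))
    return findings

def added_by(audit_log, group, target):
    """Return the actors whose additions of target to group succeeded."""
    actors = {e["actor"] for e in audit_log
              if e["action"] == "add_member" and e["group"] == group
              and e["target"] == target and e["result"] == "success"}
    return sorted(actors) or ["unknown"]

def denied_attempts(audit_log, policy):
    """Return blocked attempts to add a member to any privileged group."""
    return [e for e in audit_log if e["action"] == "add_member"
            and e["group"] in policy and e["result"] == "denied"]

def review(directory, policy, audit_log):
    """Build the report lines an entitlement review would hand to the auditor."""
    lines = [f"REMOVE {user} ({dept}) from {group}; added by {', '.join(added_by(audit_log, group, user))}"
             for user, group, dept in entitlement_findings(directory, policy)]
    lines += [f"BLOCKED {e['actor']} tried to add {e['target']} to {e['group']} at {e['time']}"
              for e in denied_attempts(audit_log, policy)]
    return lines

if __name__ == "__main__":
    print("\n".join(review(DIRECTORY, POLICY, AUDIT_LOG)))
```
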
Dual Administrator Accounts
Many organizations require administrators to maintain two accounts.
They use one account for regular day-to-day use. A second account has
additional privileges and they use it for administrative work. This
reduces the risk associated with this privileged account.
For example, if malware infects a system while a user is logged on, the
malware can often assume the privileges of the user’s account. If the
user is logged on with a privileged account, the malware starts with
these elevated privileges. However, if an administrator uses the

