CIS Control 5: Account Management

CIS Critical Security Controls are powerful tools for helping enterprises assess their vulnerabilities, perform effective cybersecurity risk management, harden their security posture, and establish and maintain compliance with cybersecurity mandates.

CIS Control 5 offers strategies to ensure your user, administrator and service accounts are properly managed. For example, it covers setting up strong data access controls and implementing continuous monitoring to protect accounts from being exploited by attackers. This article describes these CIS benchmarks in more detail to help you avoid cybersecurity problems caused by vulnerable accounts.

(Note that some CIS controls were renumbered in version 8; previously, account management was CIS Control 16.)

5.1 Establish and Maintain an Inventory of Accounts

Safeguard 5.1 focuses on establishing and maintaining an inventory of the administrator and user accounts in an enterprise. The account holder’s name, start/stop dates, username and department should be documented; it is also beneficial to document the purpose of each account.

Maintaining the inventory requires regularly verifying that all accounts currently being used are authorized. Normally, validation takes place quarterly, though it could be done more frequently if necessary. It’s important to use this process in connection with the inventory safeguards listed in other controls, such as the following:

  • 1.1: Utilize an Active Discovery Tool
  • 2.1: Maintain Inventory of Authorized Software
  • 3.2: Perform Authenticated Vulnerability Scanning
  • 5.1: Establish Secure Configurations
  • 6.6: Deploy SIEM or Log Analytic Tools
  • 16.4: Encrypt or Hash All Authentication Credentials

5.2 Use Unique Passwords

Using unique passwords for every account in your network is crucial for securing your enterprise assets against unauthorized access. Best practices outlined by CIS include:

  • Require a minimum password length of eight characters when combined with multi-factor authentication (MFA), and a length of at least 14 characters for accounts that do not use MFA.
  • Avoid using passwords that are easy for hackers to guess, like names or dates of birth.
  • Avoid reusing past passwords because they might have been leaked, which increases the risk of a data
  • Change the default passwords for all applications.

5.3 Disable Dormant Accounts

Dormant accounts are those that have not been used for at least 45 days. Regularly auditing your environment for these accounts and disabling or deleting them reduces the risk of hackers compromising them and getting into your network. You can disable these accounts automatically by setting expiration dates, if your company’s system supports it.
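As an added example (not code from the article or from Netwrix), the following Python script applies the thresholds from Safeguards 5.1 through 5.3 to a constructed account-inventory export: it flags enabled accounts that are dormant (no logon for 45 days or more), accounts whose inventory review is older than a quarter, accounts whose password policy is shorter than the MFA-dependent minimum, and inventory rows missing an owner or purpose. The inventory rows, the `Account` fields and the audit date are assumptions; a real run would read them from a directory export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 45      # 5.3: unused for at least 45 days
REVIEW_DAYS = 90       # 5.1: validate the inventory at least quarterly
MIN_LEN_MFA = 8        # 5.2: minimum length when MFA is enforced
MIN_LEN_NO_MFA = 14    # 5.2: minimum length without MFA


@dataclass
class Account:
    username: str
    owner: str                  # owning department (5.1 inventory field)
    purpose: str                # why the account exists (5.1 inventory field)
    enabled: bool
    mfa: bool                   # is MFA enforced for this account?
    policy_min_length: int      # password length enforced by the policy applied
    last_logon: Optional[date]  # None = never logged on
    last_review: Optional[date] # None = never validated in the inventory


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [issues]} for enabled accounts that violate a safeguard."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.enabled:           # already disabled: nothing to do for 5.3
            continue
        issues = []
        if a.last_logon is None or (today - a.last_logon).days >= DORMANT_DAYS:
            issues.append("dormant")
        if a.last_review is None or (today - a.last_review).days > REVIEW_DAYS:
            issues.append("review-overdue")
        required = MIN_LEN_MFA if a.mfa else MIN_LEN_NO_MFA
        if a.policy_min_length < required:
            issues.append(f"password-length<{required}")
        if not a.owner or not a.purpose:
            issues.append("inventory-incomplete")
        if issues:
            findings[a.username] = issues
    return findings


# Constructed sample inventory (assumed values, not real accounts).
TODAY = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    Account("jdoe", "Finance", "payroll clerk", True, True, 8, date(2024, 6, 28), date(2024, 5, 1)),
    Account("svc-backup", "IT Ops", "nightly backup job", True, False, 14, date(2024, 6, 29), date(2024, 1, 15)),
    Account("contractor7", "Marketing", "", True, False, 8, date(2024, 4, 1), date(2024, 6, 1)),
    Account("old-admin", "IT Ops", "legacy admin", False, True, 8, None, None),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_INVENTORY, TODAY).items():
        print(f"{user}: {', '.join(issues)}")
```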

5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts

Privileged accounts should be used only when needed to complete administrative tasks. When administrators want to perform regular tasks like browsing the internet or working on emails, they should use their non-privileged account to minimize security risks.

5.5 Establish and Maintain an Inventory of Service Accounts

It’s important to establish an inventory of all service accounts. At a minimum, it should include the department owner’s name, the review date and the purpose of the account. The inventory should be reviewed on schedule, at least quarterly, to validate that all active accounts are still needed.

5.6 Centralize Account Management

Centralizing all account management in one place using an identity service or directory, such as Active Directory, makes the job easier and helps ensure accuracy.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.