Summary

If the system has an administration mechanism, it must only be accessible from administrative network segments.

Description

Network access to modules or system management mechanisms must be limited to the parties that require access to them (administrators). Personnel that does not have administrative needs, tasks or obligations should not have access to these mechanisms. Following this recommendation helps to fulfill the objective of reducing the attack surface of the above mentioned systems (since malicious third parties cannot attempt to directly access the system administration settings), and increases the level of confidentiality and availability of the system.

Supported In

This requirement is verified in following services

References

• CWE™-419. Unprotected primary channel
• OWASP TOP 10-A1. Broken access control
• BIZEC-APP-APP-04. Improper authorization (missing, broken, proprietary, generic)
• NY SHIELD Act-5575_B_6. Personal and private information
• MITRE ATT&CK®-M1026. Privileged account management
• MITRE ATT&CK®-M1030. Network segmentation
• MITRE ATT&CK®-M1031. Network intrusion prevention
• MITRE ATT&CK®-M1035. Limit access to resource over network
• PA-DSS-3_1. Support and enforce the use of unique user IDs and secure authentication for all administrative access
• PA-DSS-5_2_8. Improper access controls
• PA-DSS-12_1. Encrypt all nonconsole administrative access with strong cryptography
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_4. Separation of duties
• CMMC-AC_L2-3_1_6. Non-privileged account use
• CMMC-CM_L2-3_4_5. Access restrictions for change
• CMMC-IA_L2-3_5_4. Replay-resistant authentication
• HITRUST CSF-01_c. Privilege management
• HITRUST CSF-01_n. Network connection control
• HITRUST CSF-05_k. Addressing security in third party agreements
• FedRAMP-AC-6_1. Least privilege - Authorize access to security functions
• FedRAMP-AC-6_3. Least privilege - Network access to privileged commands
• ISO/IEC 27002-8_3. Information access restriction
• OSSTMM3-11_15_3. Data networks security (privileges audit) - Escalation
• ISSAF-S_5_1. Web server security - Countermeasures (secure administrative access)
• NIST 800-115-3_5. Network sniffing
• SWIFT CSCF-1_2. Operating system privilege account control
• PCI DSS-2_2_7. System components are configured and managed securely
• SIG Core-U_1_9_20. Server security
• OWASP API Security Top 10-API1. Broken Object Level Authorization
• SANS 25-22. Improper Privilege Management
• SANS 25-24. Incorrect Authorization
• ISO/IEC 27001-8_3. Information access restriction
• OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• CWE TOP 25-269. Improper Privilege Management
• CWE TOP 25-863. Incorrect Authorization
• NIST CSF-PR_AA-02. Identities are proofed and bound to credentials based on the context of interactions

Vulnerabilities

• 054.Exposed administrative services
• 405.Excessive privileges - Access Mode

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.