
REQ.033 Restrict administrative access

This document contains the details of the security requirements related to the definition and management of systems in the organization. This requirement establishes the importance of limiting administrative access to applications only to authorized users, in order to avoid several common attacks.

Requirement

If the system has an administration mechanism, it must be accessible only from administrative network segments.

Description

Network access to system management modules or mechanisms must be limited to the parties that need it (administrators); personnel without administrative needs, tasks or obligations must not be able to reach these mechanisms. Following this recommendation reduces the attack surface of the systems in question (a malicious third party cannot attempt to reach the system administration settings directly) and increases the confidentiality and availability of the system.

Implementation

  1. Principle of least privilege: For each system in the organization it must be guaranteed that each module (process, user or program) can access only the information and resources necessary to accomplish its legitimate purpose.
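As an added example (not part of the requirement text), the following Python shows an application-side check that admits administrative paths only when the TCP peer address lies inside an administrative segment, and that deliberately ignores the client-controlled X-Forwarded-For header. The network ranges and path prefixes are constructed assumptions; this check complements, rather than replaces, network-level segmentation such as firewall rules or ACLs.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed example: administrative network segments (assumption, not from the page).
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),      # management VLAN
    ipaddress.ip_network("192.168.100.0/24"),  # jump-host segment
]

# Constructed example: URL prefixes that form the administration mechanism.
ADMIN_PREFIXES = ("/admin", "/manage")


def is_admin_source(client_ip: str, admin_networks: Iterable = ADMIN_NETWORKS) -> bool:
    """True only if the address parses and lies inside an administrative segment."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # A mismatched IP version (v4 address vs v6 network) simply yields False.
    return any(addr in net for net in admin_networks)


def is_admin_path(path: str) -> bool:
    """Match the prefix as a path component, so /administer is not treated as /admin."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def authorize_request(path: str, peer_ip: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide on a request using the real TCP peer address.

    peer_ip must come from the socket, never from X-Forwarded-For: that header is
    set by the client (or any hop) and would let an outsider claim an admin address.
    """
    if not is_admin_path(path):
        return 200, "non-administrative path"
    if is_admin_source(peer_ip):
        return 200, "admin path from administrative segment"
    # Record the denial; a spoofed forwarded header is itself a useful detection signal.
    print(f"DENY {path} peer={peer_ip} xff={headers.get('X-Forwarded-For')}")
    return 403, "admin path from non-administrative segment"
```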

Attacks

  1. An anonymous attacker attempts to brute-force an exposed administrator interface, which may cause denial of service, account lockouts, or lockout of the interface or system.

  2. An anonymous attacker and/or registered user exploits a known vulnerability in the management system, which may allow access to the system settings, denial of service, or elevation of privilege for system users or processes.

  3. An anonymous attacker obtains technical information about the system by analysing what the administrator interface exposes, in order to perform deeper and more detailed attacks.

Attributes

  • Layer: Application Layer

  • Asset: System management

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Recommendation

References

  1. CWE-419: Unprotected Primary Channel.

  2. CWE CATEGORY: Permissions, Privileges, and Access Controls.

  3. Category:Access Control.

  4. Top 10 2013-A5-Security Misconfiguration.

  5. OWASP-ASVS v3.1-2.32 Verify that access to administrative interfaces are strictly controlled and not accessible to untrusted parties.
