R033. Restrict administrative access

This document contains the details of the security requirements related to the definition and management of systems in the organization. This requirement establishes the importance of limiting administrative access to applications to authorized users only, in order to avoid several common attacks.

Requirement

If the system has an administration mechanism, it must only be accessible from administrative network segments.

Description

Network access to modules or system management mechanisms must be limited to the parties that require it (administrators). Personnel without administrative needs, tasks or obligations must not have access to these mechanisms. Following this recommendation reduces the attack surface of the above-mentioned systems (since malicious third parties cannot attempt to directly access the system administration settings) and increases the confidentiality and availability of the system.

Implementation

  1. Principle of least privilege: For each system in the organization, it must be guaranteed that each module (process, user or program) can access only the information and resources required to accomplish its legitimate purpose.
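As an added example (not part of the Fluid Attacks requirement text), the segment rule applied inside the application as defense in depth behind the firewall or proxy ACL that enforces it at the network level; the administrative segments and the trusted proxy address are assumed values. It also shows the check that is usually missing: X-Forwarded-For is only honoured when the TCP peer is a known proxy, otherwise a forged header would place any client inside the administrative segment.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed values (assumptions, not from the requirement text): the network
# segments from which administration is permitted, and the reverse proxies whose
# X-Forwarded-For header we are willing to believe.
ADMIN_SEGMENTS = [
    ipaddress.ip_network("10.10.0.0/24"),    # wired admin VLAN
    ipaddress.ip_network("fd00:adff::/64"),  # IPv6 admin segment
]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.5/32")]


def effective_client_ip(peer_ip: str, forwarded_for: Optional[str]):
    """Return the address that the admin-segment check must be applied to.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy;
    a header sent directly by an arbitrary client is attacker-controlled.
    Raises ValueError on malformed addresses.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in proxy for proxy in TRUSTED_PROXIES):
        # The rightmost entry is the one appended by the trusted proxy itself,
        # i.e. the address that proxy actually saw; earlier entries are hearsay.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def admin_access_allowed(peer_ip: str, forwarded_for: Optional[str] = None,
                         segments: Iterable = ADMIN_SEGMENTS) -> bool:
    """True only when the effective client address lies in an administrative segment."""
    try:
        client = effective_client_ip(peer_ip, forwarded_for)
    except ValueError:
        return False  # unparseable address: deny, never fall back to allow
    return any(client in net for net in segments)


def naive_admin_access_allowed(peer_ip: str, forwarded_for: Optional[str] = None) -> bool:
    """The common mistake: trusting X-Forwarded-For from any peer, so the segment
    check is bypassed by one forged header. Kept only to contrast with the above."""
    claimed = forwarded_for.split(",")[-1].strip() if forwarded_for else peer_ip
    try:
        return any(ipaddress.ip_address(claimed) in net for net in ADMIN_SEGMENTS)
    except ValueError:
        return False
```

A denied request should still be logged with the peer address and the header as received, since repeated attempts from outside the administrative segment are exactly the brute-force activity listed under Attacks.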

Attacks

  1. An anonymous attacker attempts to access an exposed administrator interface by brute force, which may cause a denial of service, account lockouts or an interface/system lockout.

  2. An anonymous attacker and/or registered user exploits a known vulnerability in the management system, which may allow access to the system settings, a denial of service or privilege escalation for system users or processes.

  3. An anonymous attacker obtains technical information about the system by analyzing the administrator interface in order to perform deeper and more detailed attacks.

Attributes

  • Layer: Application Layer

  • Asset: System management

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Recommendation

References

  1. CWE-419: Unprotected Primary Channel. The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

  2. OWASP-ASVS v3.1-2.32. Verify that access to administrative interfaces is strictly controlled and not allowed for untrusted parties.
