M1018: User Account Management

Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

Ensure that CI/CD pipelines only have permissions they require to complete their operations. Additionally, limit the number of users who have write access to internal repositories to only those necessary.

Regularly review and manage domain accounts to ensure that only active, necessary accounts exist. Remove or disable inactive and unnecessary accounts to reduce the risk of adversaries abusing these accounts to gain unauthorized access or move laterally within the network.

Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.

In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.CitationMandiant M-Trends 2020

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

Limit which users are allowed to access compute infrastructure via cloud native methods.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Limit permissions to request quotas adjustments or modify tenant-level compute setting to only those required.

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so.

Restrict granting of permissions related to listing objects in cloud storage to necessary accounts.

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.

Configure user permissions groups and roles for access to cloud storage.CitationMicrosoft Azure Storage Security, 2019 Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.CitationAmazon S3 Security, 2019 Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.CitationAmazon AWS Temporary Security Credentials

Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.

Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the `system:masters` group, and use `RoleBindings` rather than `ClusterRoleBindings` to limit user privileges to specific namespaces.CitationKubernetes RBAC

Consider limiting access to the BITS interface to specific users or groups.CitationSymantec BITS May 2007

Limit user account and IAM policies to the least privileges required.

Limit permissions to modify conditional access policies to only those required.

Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources.

By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.

Limit Privileges for Shortcut Creation: While the SeCreateSymbolicLinkPrivilege is not directly related to .lnk file creation, you should still enforce least privilege principles by limiting user rights to create and modify shortcuts, especially in system-critical locations. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. CitationUCF STIG Symbolic Links

Regular User Permissions Review: Regularly review and audit user permissions to ensure that only necessary accounts have write access to startup folders and critical system directories.

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.CitationMandiant M-Trends 2020

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Apply user account management principles to limit permissions for accounts interacting with email attachments, ensuring that only necessary accounts have the ability to open or execute files. Restricting account privileges reduces the potential impact of malicious attachments by preventing unauthorized execution or spread of malware within the environment.

Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.CitationKubernetes Hardening Guide When using Kubernetes, avoid giving users wildcard permissions or adding users to the `system:masters` group, and use `RoleBindings` rather than `ClusterRoleBindings` to limit user privileges to specific namespaces.CitationKubernetes RBAC

Do not allow a user to be a local administrator for multiple systems.

Limit the ability to access and export sensitive logs to privileged accounts where possible.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.

Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the `sts:GetFederationToken` API unless explicitly required.CitationCrowdstrike AWS User Federation Persistence

Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.CitationWald0 Guide to GPOsCitationMicrosoft WMI FiltersCitationMicrosoft GPO Security Filtering

Use MDM to disable user's ability to install or approve kernel extensions, and ensure all approved kernel extensions are in alignment with policies specified in com.apple.syspolicy.kernel-extension-policy.CitationApple TN2459 Kernel ExtensionsCitationMDMProfileConfigMacOS

Limit remote user permissions if remote access is necessary.

Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.

Prevent users from installing their own launch agents or launch daemons.

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Limit permissions to add, delete, or modify resource groups to only those required.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Limit user access to system utilities such as `systemctl` to only users who have a legitimate need.

In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., `PutLifecycleConfiguration` in AWS) to only those accounts that require it. In AWS environments, consider using Service Control policies to limit the use of the `PutBucketLifecycle` API call.

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

An adversary must already have root level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Do not allow a domain user to be in the local administrator group on multiple systems.

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.CitationWald0 Guide to GPOsCitationMicrosoft WMI FiltersCitationMicrosoft GPO Security Filtering

Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.

Enforce user account management practices for local accounts to limit access and remove inactive or unused accounts. By doing so, you reduce the attack surface available to adversaries and prevent unauthorized access to local systems.

Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.

Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.CitationExpel IO Evil in AWS

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

If not required, restrict the permissions of users to perform Guest Operations on ESXi-hosted VMs.CitationBroadcom Virtual Machine Guest Operations Privileges

Limit remote user permissions if remote access is necessary.

In cloud environments, limit permissions to create new identity providers to only those accounts that require them. In AWS environments, consider using Service Control policies to limit the use of API calls such as `CreateSAMLProvider` or `CreateOpenIDConnectProvider`.

Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.CitationMandiant M-Trends 2020

Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.CitationMicrosoft SolarWinds Customer Guidance

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. In Office 365 environments, partner relationships and roles can be viewed under the “Partner Relationships” page.CitationOffice 365 Partner Relationships

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

Implement robust user account management practices to limit permissions associated with software execution. Ensure that software runs with the lowest necessary privileges, avoiding the use of root or administrator accounts when possible. By restricting permissions, you can minimize the risk of propagation and unauthorized actions in the event of a supply chain compromise, reducing the attack surface for adversaries to exploit within compromised systems.

Limit which user accounts are allowed to login via SSH.

Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email.

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., `PutLifecycleConfiguration` in AWS) to only those accounts that require it. In AWS environments, consider using Service Control policies to limit the use of the `PutBucketLifecycle` API call.