Account Separation / Unique Admin Requirements

We are often asked about account separation and whether external support companies can share accounts. The simple answer is that it is not acceptable. Local admin accounts can be shared only under specific circumstances.

The requirement of Cyber Essentials (as of March 2022) is that you have account separation for your administrative accounts (the keys to your crown jewels, your data and systems) and that each of these administrative accounts is unique per person and not shared.

Ideally, each of these admin accounts should be MFA/2FA protected with a complex password of at least 12 characters; for cloud services, they MUST be protected by MFA/2FA.

Cloud services MUST have unique admin accounts, not shared in any way.

WHAT ABOUT LOCAL ADMIN ACCOUNTS

You can "share" a local admin account with a limited and select number of administrators, but only if the password on that device is unique to the device and not used across the enterprise. Solutions such as LAPS can help with this, but it's a requirement that you ensure the passwords are not shared across devices.

I OUTSOURCE IT TO AN MSP

The requirement is for a unique account per person. This includes external support companies, as their engineers are still users (in this case, admin users on your systems), so you should have an account per engineer who accesses your systems.

You should have MFA/2FA enforced on these accounts as well (especially for cloud accounts) and should have a process to review them and ensure that any employees who have "exited" your MSP have been removed.

WE USE PRIVILEGED ACCESS MANAGEMENT

The requirement of the standard (as of March 2022) is account separation. Systems that provide elevation (just-in-time or similar) do not deliver account separation, are therefore not compliant with the standard and cannot be used.

You must have a separate admin account for each admin that is not the same as their day-to-day use account.
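An added audit example, not from the original page, that checks a constructed admin-account inventory against the rules above (unique non-local admin accounts, MFA on cloud admins, no MSP leavers, no admin rights on day-to-day accounts, and no local admin password reused across devices). The field names and the `pw_fingerprint` idea are assumptions for this example, not any product's schema.

```python
from collections import defaultdict

# Constructed sample inventory (not real data); the field names are assumptions for this example.
# "owners" = people who hold the credential; "scope" = "cloud", "domain" or "local";
# "pw_fingerprint" stands in for a per-device secret identifier (as LAPS provides), never the password.
ACCOUNTS = [
    {"name": "alice-adm", "owners": ["alice"], "scope": "domain", "mfa": True},
    {"name": "frank", "owners": ["frank"], "scope": "domain", "mfa": True, "daily_use": True},
    {"name": "m365-admin", "owners": ["bob", "carol"], "scope": "cloud", "mfa": False},
    {"name": "msp-dave", "owners": ["dave"], "scope": "domain", "mfa": True, "org": "msp"},
    {"name": "msp-erin", "owners": ["erin"], "scope": "domain", "mfa": True, "org": "msp"},
    {"name": "Administrator", "owners": ["alice"], "scope": "local", "device": "PC-01", "pw_fingerprint": "f1"},
    {"name": "Administrator", "owners": ["alice"], "scope": "local", "device": "PC-02", "pw_fingerprint": "f1"},
    {"name": "Administrator", "owners": ["alice", "bob"], "scope": "local", "device": "PC-03", "pw_fingerprint": "f3"},
]
MSP_CURRENT_ENGINEERS = {"dave"}  # constructed: erin has left the MSP but her account still exists

def audit(accounts, msp_roster):
    """Return the accounts that break each account-separation rule; empty lists mean compliant."""
    findings = {"shared": [], "cloud_no_mfa": [], "stale_msp": [], "admin_on_daily": [], "reused_local_pw": []}
    by_fingerprint = defaultdict(list)
    for a in accounts:
        # Cloud/domain admin accounts must be unique per person; local admin may be shared (checked below).
        if a["scope"] != "local" and len(a["owners"]) > 1:
            findings["shared"].append(a["name"])
        # Cloud admin accounts MUST have MFA/2FA.
        if a["scope"] == "cloud" and not a.get("mfa"):
            findings["cloud_no_mfa"].append(a["name"])
        # MSP engineer accounts must map to someone still on the MSP's current roster.
        if a.get("org") == "msp" and not set(a["owners"]) <= msp_roster:
            findings["stale_msp"].append(a["name"])
        # Admin rights on a day-to-day account are not account separation.
        if a.get("daily_use"):
            findings["admin_on_daily"].append(a["name"])
        # Local admin sharing is tolerated only if the password is unique to the device.
        if a["scope"] == "local":
            by_fingerprint[a["pw_fingerprint"]].append(a["device"])
    for devices in by_fingerprint.values():
        if len(devices) > 1:
            findings["reused_local_pw"].append(sorted(devices))
    return findings

def is_compliant(findings):
    return not any(findings.values())

if __name__ == "__main__":
    for rule, hits in audit(ACCOUNTS, MSP_CURRENT_ENGINEERS).items():
        print(f"{rule}: {hits or 'OK'}")
```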

MY DEVELOPERS OR OTHERS NEED LOCAL ADMIN ACCESS

We often hear that admin access is needed for those individuals to complete their "day job". This is NOT the case: they may need it occasionally, perhaps even daily, but the risk of being logged in at admin level all the time is too high to be allowed.

There is ABSOLUTELY NO ISSUE in providing anyone local admin access, provided you have trained them on when the account may be used, they don't use it for web browsing or email, and they only use it when really required - ideally not interactively (not logging in with it) but through elevation (when prompted for admin credentials, they enter the admin account's).

The point here is that, subject to your policies, anyone can have an admin account: you need to know who has one, they need to know when it can be used, and it needs to be secure, controlled and, of course, unique.