Privileged Accounts and Service Accounts (S-15)
Standard: S-15
Responsible Executive: Vice President for Information Technology and System Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 15, 2019
Date Last Revised: N/A
TABLE OF CONTENTS
Contacts
Individuals and Entities Affected by this Standard
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix
CONTACTS
Title/Office | Telephone | Email/Webpage
---|---|---
ITaP Security and Policy | 765-494-4000 |
INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD
All Purdue University centralized and departmental IT units and the associated IT Resources under their control or support on behalf of the University. This standard also covers individually managed IT Resources.
STATEMENT OF STANDARD
Controlled access to IT Resources is essential for Purdue University to continue its mission of learning, discovery and engagement while ensuring the security and functionality of IT Resources, as defined in the policy on Information Security and Privacy (VII.B.8), and the data stored or transmitted by those resources. Because of their greater access to IT Resources relative to general user accounts, Privileged Accounts and Service Accounts pose a higher risk to the University. This standard defines the controls necessary to reduce the overall risk of using these accounts.
Privileged Account Controls
Creation of Privileged Accounts requires authorization of an IT Resource Owner, who must maintain an inventory of all Privileged Accounts, including the account name, purpose and responsible party for the account. The IT Resource Owner must review each Privileged Account at least annually to confirm the account is still necessary for University business and remove accounts no longer needed. The IT Resource Owner must immediately disable Privileged Accounts used by vendors or third parties upon contract end.
Privileged Account creation, deletion, and use must be logged according to the standard on IT Resource Logging (S-11). Center for Internet Security (CIS) Benchmarks for platform-specific configuration of Privileged Accounts must be followed unless they are in conflict with Purdue published standards. Accounts with privileged access in a system must follow the Principle of Least Privilege. Where possible, Privileged Accounts must use facilities such as sudo (Linux) or RunAs (Windows) to provide temporary privilege elevation.
Where implemented, Privileged Accounts must use multi-factor authentication, such as “BoilerKey,” or certificate authentication.
Privileged Accounts must be separate and use a different password from general user accounts and Career Accounts. Privileged Account passwords must meet, and where possible, exceed the minimum password requirements outlined in the standard on User Credentials (S-16). Passwords for Privileged Accounts must change at least every 90 days, and passwords for shared Privileged Accounts must be changed upon a personnel change in the group managing the account or with access to the password. Privileged Account passwords must not be coded into programs or stored on disk without approved encryption (see the Related Documents, Forms and Tools section for the NIST Approved Security Function publication). When Privileged Account credentials must be stored for shared administrative use, a password management solution that enforces approved encryption, as referenced above, must be utilized.
Service Account Controls
Creation of Service Accounts requires authorization of an IT Resource Owner, who must maintain an inventory of Service Accounts, including the account name, purpose and responsible party for the account. All Service Accounts must be configured following the Principle of Least Privilege to run the service or process. Service Account creation, deletion, and use must be logged according to the standard on IT Resource Logging (S-11).
Service Account passwords must meet, and where possible, exceed the minimum password requirements outlined in the standard on User Credentials (S-16). Service Account passwords must not be coded into programs or stored on disk without approved encryption (see the Related Documents, Forms and Tools section for the NIST Approved Security Function publication). Vendor-supplied Default Passwords must be changed immediately upon initial configuration of the system and follow the password requirements noted above. Where the capability exists, limit interactive login capabilities (e.g., prohibit console/terminal access, configure restricted shell, enforce network access restrictions, etc.). Service Account passwords must be changed at least annually or upon a personnel change in the group managing the account or with access to the password.
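As an added illustration (not part of the standard or any Purdue tooling), the following script checks Linux account records against three of the controls above: the 90-day rotation limit for Privileged Accounts, the annual rotation limit for Service Accounts, and the requirement to restrict interactive login for Service Accounts. The passwd, shadow and group records are constructed sample data; the `svc_` naming, the sudo/wheel admin groups and the UID-below-1000 heuristic for Service Accounts are assumptions for this demonstration.

```python
"""Audit constructed passwd/shadow/group records against S-15 controls.
Added example only; sample records, group names and UID ranges are assumed."""
from datetime import date

PRIV_GROUPS = {"sudo", "wheel"}                     # assumed admin groups
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
PRIV_MAX_DAYS, SVC_MAX_DAYS = 90, 365               # S-15 rotation limits

# Constructed sample records (not from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice-adm:x:1001:1001::/home/alice-adm:/bin/bash
svc_backup:x:501:501::/var/lib/backup:/usr/sbin/nologin
svc_etl:x:502:502::/var/lib/etl:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash"""
# shadow field 3 = days since 1970-01-01 of the last password change
SHADOW = """root:$6$hash:18000:0:99999:7:::
alice-adm:$6$hash:18050:0:99999:7:::
svc_backup:$6$hash:17600:0:99999:7:::
svc_etl:$6$hash:18000:0:99999:7:::
bob:$6$hash:17000:0:99999:7:::"""
GROUP = """sudo:x:27:alice-adm
wheel:x:10:"""

def parse(text):
    """Map the first colon-separated field (name) to the full field list."""
    return {line.split(":")[0]: line.split(":") for line in text.splitlines() if line}

def audit(passwd=PASSWD, shadow=SHADOW, group=GROUP, today=date(2019, 7, 15)):
    """Return (account, reason) findings for accounts violating the controls."""
    users, pw = parse(passwd), parse(shadow)
    admins = set()
    for g in parse(group).values():
        if g[0] in PRIV_GROUPS and g[3]:
            admins.update(g[3].split(","))
    today_days = (today - date(1970, 1, 1)).days
    findings = []
    for name, f in users.items():
        uid, shell = int(f[2]), f[6]
        privileged = uid == 0 or name in admins
        service = 0 < uid < 1000                    # assumed service-account UID range
        age = today_days - int(pw[name][2]) if name in pw else None
        if privileged and age is not None and age > PRIV_MAX_DAYS:
            findings.append((name, f"privileged password age {age}d > {PRIV_MAX_DAYS}d"))
        if service and age is not None and age > SVC_MAX_DAYS:
            findings.append((name, f"service password age {age}d > {SVC_MAX_DAYS}d"))
        if service and shell in INTERACTIVE_SHELLS:
            findings.append((name, f"service account has interactive shell {shell}"))
    return findings
```

On a real host the same logic would read `/etc/passwd`, `/etc/shadow` and `/etc/group` (root required for shadow) and the reference date would be `date.today()`.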
Exceptions
Requests for exceptions to this standard must be submitted to IT Security and Policy via the Security Policy Exception Procedure. Compensating or mitigating controls to further reduce risk in exceptions may be required and the requesting unit or IT Resource Owner will be responsible for implementation and maintenance of compensating or mitigating controls approved by IT Security and Policy. Compliance with this requirement may be audited at any time.
RESPONSIBILITIES
IT Security and Policy/Identity and Access Management Office
- Maintain this standard and any associated procedures.
- Review/approve requests for exceptions to this standard.
IT Resource Owners
- Configure and maintain Privileged Accounts and Service Accounts according to this standard.
University students, faculty, staff and all other individuals or entities granted use of IT Resources
- Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) they access.
DEFINITIONS
All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Information Security and Privacy (VII.B.8) and in the central Policy Glossary.
Career Account
A general user account assigned at first affiliation with the University that gives an individual electronic access to a number of services at Purdue University, including but not limited to, services for email, instructional, research and departmental use, with basic access to these different services based on the individual’s affiliation with the University.
IT Resource
See definition in the policy on Information Security and Privacy (VII.B.8).
IT Resource Owner
Any person, IT unit or department assigned to or otherwise providing the administrative and physical control and technical support of IT Resources, either on campus or otherwise using University resources, or providing the oversight of third-party hosted or managed IT Resources.
Principle of Least Privilege
A principle that each subject in a system be granted only the most restrictive set of privileges needed for the performance of authorized tasks. The application of this privilege limits the damage that can result from accident, error or unauthorized use.
Privileged Account
An account that has elevated or administrative system or application privileges beyond those of a general user. Root, local administrator, domain admin, organizational unit (OU) admin, and emergency or “break glass” accounts are examples of Privileged Accounts that have elevated access beyond that of a general user.
Service Account
A local or domain computer account not generally associated with human use that is used by an automated process, executable service or application to interact with the operating system or access databases, run batch jobs or scripts, or provide access to other applications, such as application programming interface (API) calls. A Service Account can also be a Privileged Account if it has higher privileges than a general user or has full access within an application.
Vendor-supplied Default Password
Vendor-supplied passwords to accounts used by operating systems or software that often provide high-level privileges for deployment, security services, application or system processes.
RELATED DOCUMENTS, FORMS AND TOOLS
This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.
Security Policy Exception Procedures
NIST Approved Security Function for FIPS PUB 140-2 – Security Requirements for Cryptographic Modules
HISTORY AND UPDATES
July 15, 2019: This is the first standard to address this issue.
APPENDIX
There are no appendices to this standard.