Usage of administrative accounts must be monitored for suspicious and anomalous activity.
An XCCDF Rule
Description
<VulnDiscussion>Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-243490r959010_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain Admins, Enterprise Admins and other organization-defined administrative groups. Event monitoring may be implemented through various methods, including log aggregation (forwarding the Security log to a SIEM) and the use of monitoring tools. For domain accounts, lockouts and group-membership changes are recorded on the domain controllers (the PDC emulator sees every domain lockout), so those are the logs that must be collected.
Monitor for the events listed below, at minimum.
Account Lockouts (Subcategory: User Account Management)
4740 - A user account is locked out.
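The following PowerShell is an added example of the check described above; it is not part of the STIG rule text. It first verifies that the relevant audit subcategories are actually enabled (a silent query against a log that is not being written is not a clean result), then pulls the listed lockout event, 4740, from the Security log together with the well-known "member added" group events 4728, 4732 and 4756 (global, local and universal security groups), which are added here as an assumed extension of the rule's minimum list. The `$PrivilegedGroups` names are an assumed organization-defined list; adjust them to the site's own groups. Run it elevated on a domain controller for domain accounts, or on the member server for local accounts.

```powershell
# Added example, not STIG text. Review lockouts (4740) and additions to
# privileged groups in the Security log and flag the ones that matter.

# Assumption: the organization-defined privileged groups to watch.
$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# 4740 is the lockout event the rule lists. 4728/4732/4756 are the well-known
# "member added" events for global/local/universal security groups; they are
# included as an assumed extension of the rule's list, not taken from it.
$EventIds = @{
    4740 = 'A user account was locked out'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

# Step 1: confirm the subcategories are audited for Success. If they are not,
# the query below returns nothing and that absence is itself a finding.
foreach ($sub in 'User Account Management', 'Security Group Management') {
    $policy = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    if ($policy.'Inclusion Setting' -notmatch 'Success') {
        Write-Warning "Audit subcategory '$sub' is not set to Success; its events will not be logged."
    }
}

# Helper: read one named EventData field from an event's XML body.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 2: pull the events from the last 24 hours. Get-WinEvent raises a
# non-terminating error when nothing matches, so that case is silenced.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($EventIds.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# Step 3: normalise each event into a review row. For 4740, TargetUserName is
# the locked account; for the group events it is the group that was changed and
# MemberName is the account that was added. SubjectUserName is the actor.
$report = foreach ($e in $events) {
    $target = Get-EventField -Event $e -Name 'TargetUserName'
    $actor  = Get-EventField -Event $e -Name 'SubjectUserName'
    $member = Get-EventField -Event $e -Name 'MemberName'   # empty on 4740

    $flag = if ($e.Id -eq 4740) { 'LOCKOUT' }
            elseif ($PrivilegedGroups -contains $target) { 'PRIVILEGED-GROUP-ADD' }
            else { 'group-add' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        What     = $EventIds[$e.Id]
        Target   = $target
        Member   = $member
        Actor    = $actor
        Flag     = $flag
        Computer = $e.MachineName
    }
}

# Privileged-group additions and lockouts first; everything else after.
$report |
    Sort-Object @{ Expression = { $_.Flag -eq 'group-add' } }, Time -Descending |
    Format-Table -AutoSize
```

Rows flagged `PRIVILEGED-GROUP-ADD` should each map to an approved change ticket; a lockout (`LOCKOUT`) of an administrative account with no matching user activity is the credential-reuse signal the rule is concerned with. In a real deployment the same query is expressed as a scheduled collection or SIEM rule over forwarded Security logs rather than an ad-hoc 24-hour pull.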