UCF STIG Viewer Logo

ECPA-1 Privileged Account Control


All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-administration). The IAM tracks privileged role assignments.

MAC / CONF Impact Subject Area
High Enclave Computing Environment


An organization’s network and the integrity of stored information are at risk if the control of actions, functions, applications and operations of legitimate users are not managed with a role-based access scheme.  The unnecessary allocation and use of system privileges significantly increases the vulnerability of systems.  Role-based systems are designed to minimize the potential for inside security violations by providing greater control over users' access to information and resources.  Also, by assigning individuals to predefined roles, the administrative process of establishing privileges is streamlined and management time for reviewing privilege assignments is reduced.

1. An analysis of how an organization operates shall be accomplished for the basis of defining user roles and privileges.
2. Systems shall employ a role-based access scheme that enforces separation of duties and network privileges.
3. Privileged user accounts (administrators, root/super users on UNIX, routers and LAN servers, SANs, etc) shall be limited to the absolute minimum number needed to manage the system, and the IAM shall document all privileged role assignments.
4. Privileged user accounts shall be limited to the minimum number of privileges needed to perform their assigned duties.
5. Where technically possible, privileged users should initially log on with a personal user ID and only be granted privileged access by way of group assignment.
6. Privileged and guest accounts shall be renamed from any default.


  • CJCSM 6510. 01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003
  • NSA Guide to Securing Windows 2000 – Policy Toolsets, 05 March 2003
  • NSA Guide to Securing Windows XP, 22 October 2004
  • DISA Unix STIG, Version 4, Release 4, 15 September 2003
  • DISA UNISYS STIG, 22 July 2003
  • NSA Windows 2000 Security Recommendations Guide 16 January 2004
  • NSA Windows NT Security Recommendations Guide 18 September 2001
  • DISA Database STIG, Version 7, Release 1, 29 October 2004
  • http://csrc.nist.gov/rbac/