Control 8.18 : Use of Privileged Utility Programs
Summary
The use of utility programs that are capable of overriding system and application controls should be restricted and tightly controlled. These powerful tools (e.g., registry editors, packet sniffers) can be used to bypass security controls if they are not properly managed.
Applicability
In-Scope: Essential for protecting the inner workings of systems. It prevents unauthorized users from using administrative tools to escalate privileges or hide malicious activity.
Out-of-Scope: The scope can only be partially reduced for non-technical users, but the restriction must still be technically enforced for everyone.
Implementation Guidance
Microsoft 365 / Entra ID
- Application Control: Use Microsoft Intune to deploy AppLocker or Windows Defender Application Control (WDAC) to block the execution of unauthorized utility programs on endpoints.
- Least Privilege: Ensure that standard users do not have local administrative rights, preventing the execution of many powerful utility programs that require elevation.
- Admin Justification: Use Entra ID Privileged Identity Management (PIM) to ensure that tools requiring administrative rights can only be used after a formal just-in-time request.
Evidence Checklist
- Utility Program Policy: A list of authorized privileged utility programs and the specific roles permitted to use them.
- Application Block Logs: Evidence from Intune or Defender showing that unauthorized utility programs were blocked from executing.
- Access Logs: Audit trails showing when a privileged utility was accessed and by whom.
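The AppLocker restriction from the implementation guidance and the block-log evidence from the checklist, as an added PowerShell example (not part of this page, and not Microsoft's own guidance). The utility path, the sample binary and the output file names are constructed placeholders.

```powershell
# Added example. Builds an AppLocker EXE rule that denies a utility directory for Everyone,
# starting in AuditOnly so the rule can be validated before it blocks anything, then collects
# the resulting AppLocker events as evidence for the "Application Block Logs" checklist item.
# Requires an elevated PowerShell session on Windows with the AppLocker module available.

$UtilityPath  = '%PROGRAMFILES%\ExampleUtility\*'                  # placeholder, not a real product
$SampleBinary = "$env:ProgramFiles\ExampleUtility\tool.exe"         # placeholder; must exist for the test
$PolicyFile   = "$env:TEMP\deny-privileged-utility.xml"

# AppLocker policy XML. UserOrGroupSid S-1-1-0 is Everyone. Deny rules always win over allow
# rules, so this blocks the tool even for members of Administrators; narrow the SID if admins
# must keep access. Keep the default allow rules in the Exe collection: once a collection is
# enforced, anything not explicitly allowed is denied.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny privileged utility"
        Description="Control 8.18: restrict privileged utility programs"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$UtilityPath" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyFile -Encoding UTF8

# Merge into the local policy for single-host validation. For fleet deployment, place the
# same RuleCollection XML in an Intune custom OMA-URI (AppLocker CSP) profile instead.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Dry run: what would this policy decide for the sample binary?
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $SampleBinary -User Everyone

# Evidence: AppLocker writes 8004 (blocked) and 8003 (audit-only, would have been blocked)
# to the "EXE and DLL" channel. Export them and return the count for the audit file.
function Get-UtilityBlockEvidence {
    param([int]$Days = 30, [string]$OutFile = "$env:TEMP\applocker-blocks.csv")
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | Select-Object TimeCreated, Id, UserId, MachineName, Message |
        Export-Csv -Path $OutFile -NoTypeInformation
    return $events.Count
}
Get-UtilityBlockEvidence -Days 30
```

Switch EnforcementMode to Enabled only after the audit events show the rule hits the intended tool and nothing else.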
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization identify which utility programs are considered privileged and therefore require restriction?
- What technical controls prevent a standard employee from installing a packet sniffer or a password recovery tool on their laptop?
- Can you demonstrate how you monitor for the use of built-in privileged tools (like PowerShell) for potentially malicious activities?
- What is the process for granting temporary access to a privileged utility for a specific, time-bound troubleshooting task?