.png)
Organizations need to implement system utility access controls to protect and ensure standard, non-administrative users do not have the access permissions that are required to modify system utilities that have been implemented, or their respective configuration settings.
Changing system utility settings could potentially alter, or intentionally subvert, technical security controls that have been planned and implemented to protect information systems. Controlling the use of system utilities is the focus of pitfall #34 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
The use of system utility programs that might be capable of overriding information system or application control settings should be restricted and tightly controlled. Your organization should ensure that the processes for identification, authentication, and authorization of users are in place to limit the use or modification of utilities.
If standard user accounts have permissions to modify systems or application utility programs, they could have the ability to change application or database settings, disable anti-malware software, disable restrictions on the use of USB storage devices, modify backup configurations, or perform other actions that could exponentially increase risk for your organization.
It takes time, planning, resources, as well as budget dollars to implement system tools and utilities that provide appropriate protection for your organization. Once these solutions have been successfully implemented, your organization likely (and reasonably) considers that the original control purpose or control requirement that has fostered their implementation has been satisfied. Unauthorized changes to these implemented technical controls will likely present unforeseen risks to the organization – without anyone knowing the additional risk has been introduced. There is a reason your organization has invested in the implementation of in-place controls. Do not let the mismanagement of access permissions subvert the protection provided by the System Utility Access Control Protection your organization has implemented.