No shared admin credentials
Demonstrate that all administrative accounts are uniquely assigned to individual users and that no credentials providing elevated privileges are shared among multiple personnel or systems.
Description
What this control does
This control prohibits shared administrative credentials, whether shared between people or between systems. Each administrator must hold a unique, individually attributable account for privileged access. Shared credentials destroy the audit trail (an action logged under a shared account cannot be attributed to a person), let a single credential compromise turn into lateral movement across every system that accepts that credential, and leave no one accountable for sensitive actions. Technical enforcement comes from identity and access management (IAM) policies, privileged access management (PAM) solutions that check out a credential to a named user for each session, and directory service configurations that prevent credential reuse (for example by restricting concurrent sessions on one account).
Control objective
What auditing this proves
Demonstrate that all administrative accounts are uniquely assigned to individual users and that no credentials providing elevated privileges are shared among multiple personnel or systems.
Associated risks
Risks this control addresses
- Attacker uses a single compromised shared admin credential to gain persistent privileged access across multiple systems without detection
- Inability to attribute malicious or erroneous administrative actions to a specific individual during forensic investigation
- Delayed incident response: when several people use the same credential, it cannot be disabled or rotated without locking out everyone who depends on it, so containment waits on coordination instead of happening immediately
- Credential rotation failure: a departing employee still knows a shared password that others continue to use, so offboarding does not revoke their access unless the password is rotated everywhere it is used
- Insider threat actors hide malicious activity behind shared accounts, preventing identification and prosecution
- Compliance violations due to lack of individual accountability in audit logs for sensitive operations
- Social engineering attacks scale horizontally as one shared credential provides access to numerous resources
Testing procedure
How an auditor verifies this control
- Obtain current exports of all administrative groups, roles, and privileged accounts from Active Directory, IAM platforms, cloud provider consoles, and PAM solutions.
- Cross-reference each administrative account username against the organization's human resources roster and identity lifecycle records to identify generic, service, or role-based account names.
- Select a sample of 15-20 administrative accounts across diverse systems (domain admins, database admins, cloud admins, network device admins) and request proof of individual assignment.
- Review password management policies and PAM system configurations to verify technical controls that prevent credential sharing or simultaneous login from multiple locations.
- Interview 5-7 administrators to confirm each possesses a unique credential and understands the prohibition on sharing passwords or using generic accounts.
- Examine authentication logs for the sampled accounts over the past 30 days, looking for overlapping sessions on one account from different source IP addresses or geographic locations. Treat such overlaps as indicators rather than proof: a VPN egress change, a NAT gateway, or a jump host can make one person appear to log in from two places, so confirm each hit with the account owner before recording it as credential sharing.
- Inspect privileged session recordings or audit logs to verify all administrative actions are traceable to named individuals, not generic accounts.
- Review access provisioning and deprovisioning workflows to confirm administrative credentials are created for named individuals and revoked upon role change or termination.
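The two mechanical steps above, cross-referencing a privileged-group export against the HR roster and scanning authentication logs for overlapping sessions from different sources, can be scripted so the auditor works from the same output every cycle. The block below is an added example written for this page, not tooling from any product named in it. It assumes a simple group export format (group name ending in a colon, one indented member per line) and a simple log line format (`<UTC timestamp> <account> LOGIN|LOGOUT src=<ip>`); the export, roster, and log lines are constructed sample data, and the account names in them are hypothetical. Real exports from Active Directory, a cloud console or a PAM tool would need their own parser, but the matching logic is the same.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export of a privileged group. Assumed format: a group
# name ending in ':' followed by one indented member per line.
ADMIN_GROUP_EXPORT = """\
Domain Admins:
  jsmith
  mlopez
  dbadmin
  svc-backup
  administrator
"""

# Constructed roster of account names that map to named individuals in HR.
HR_ROSTER = {"jsmith", "mlopez", "kchen"}

# Constructed authentication events. Assumed format:
# "<UTC timestamp> <account> LOGIN|LOGOUT src=<ip>"
AUTH_LOG = """\
2024-05-01T09:00:00Z jsmith LOGIN src=10.0.1.15
2024-05-01T09:05:00Z dbadmin LOGIN src=10.0.1.22
2024-05-01T09:07:00Z dbadmin LOGIN src=203.0.113.9
2024-05-01T09:30:00Z jsmith LOGOUT src=10.0.1.15
2024-05-01T09:40:00Z mlopez LOGIN src=10.0.1.30
2024-05-01T10:10:00Z dbadmin LOGOUT src=10.0.1.22
2024-05-01T10:15:00Z mlopez LOGIN src=10.0.1.30
2024-05-01T11:00:00Z dbadmin LOGOUT src=203.0.113.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<event>LOGIN|LOGOUT)\s+src=(?P<src>\S+)$"
)


def unattributed_accounts(export_text, roster):
    """Return privileged accounts that do not map to a named person.

    Anything in the group export that is absent from the HR roster is
    generic (administrator), role-based (dbadmin) or a service account
    (svc-backup); each of these needs individual justification.
    """
    members = set()
    for line in export_text.splitlines():
        name = line.strip()
        if not name or name.endswith(":"):  # blank line or group header
            continue
        members.add(name)
    return sorted(members - set(roster))


def parse_auth_log(text):
    """Parse log lines into (timestamp, user, event, src); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["event"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same (user, src).

    A LOGIN that is never closed is treated as open until the last
    timestamp in the log (an assumption, so it still counts for overlap).
    """
    open_sessions = {}              # (user, src) -> start time
    sessions = defaultdict(list)    # user -> [(start, end, src)]
    last_ts = events[-1][0] if events else None
    for ts, user, event, src in events:
        key = (user, src)
        if event == "LOGIN":
            if key in open_sessions:  # re-login without logout closes the old one
                sessions[user].append((open_sessions[key], ts, src))
            open_sessions[key] = ts
        elif key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, src))
    for (user, src), start in open_sessions.items():
        sessions[user].append((start, last_ts, src))
    return sessions


def concurrent_sessions(sessions):
    """Flag overlapping sessions for one account from different sources.

    Returns (user, src_a, src_b, overlap_start, overlap_end) tuples. Two
    sessions from the same source are not flagged: that is one person
    reconnecting, not two people sharing a password.
    """
    findings = []
    for user, sess in sessions.items():
        sess = sorted(sess)
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a[2] != b[2] and b[0] < a[1] and a[0] < b[1]:
                    findings.append((user, a[2], b[2],
                                     max(a[0], b[0]).isoformat(),
                                     min(a[1], b[1]).isoformat()))
    return findings


def run_checks(export_text=ADMIN_GROUP_EXPORT, roster=HR_ROSTER, log_text=AUTH_LOG):
    """Run both checks and return the findings for the auditor's workpaper."""
    return {
        "unattributed": unattributed_accounts(export_text, roster),
        "concurrent": concurrent_sessions(build_sessions(parse_auth_log(log_text))),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

On the sample data this reports `administrator`, `dbadmin` and `svc-backup` as accounts with no named owner, and one overlap: `dbadmin` was logged in from 10.0.1.22 and 203.0.113.9 at the same time between 09:07 and 10:10. The overlap is the lead to follow up with the account's owner, not a finding on its own; a repeated login from the same source (`mlopez` here) is deliberately ignored. Sessions that never log out are carried to the end of the log, which errs toward flagging, so a long-lived open session will show up against any later login from elsewhere and should be checked rather than dismissed.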