CIS Control 4.7: Manage Default Accounts on Enterprise Assets and Software
Default accounts are a critical security vulnerability that attackers exploit to gain immediate access to your systems. CIS Control 4.7 requires you to systematically identify, disable, or secure all pre-configured vendor accounts across your enterprise assets and software. This foundational control prevents unauthorized access before it happens.
What this means
Default accounts—such as root, administrator, guest, and vendor-supplied credentials—come pre-installed on most enterprise assets and software. These accounts are publicly known and widely documented, making them attractive targets for attackers. CIS 4.7 requires organizations to take ownership of these accounts by either disabling them entirely or rendering them unusable through password changes, access restrictions, or removal of associated privileges. This applies to servers, network devices, databases, applications, and any other enterprise software.
How to comply
- 1.Inventory all enterprise assets and software to identify which systems have default accounts
- 2.Document all default account credentials and their associated privileges
- 3.Disable or deactivate default accounts where functionally possible
- 4.If disabling is not possible, change default passwords to strong, unique credentials
- 5.Remove unnecessary privileges from default accounts that must remain active
- 6.Implement multi-factor authentication on any default accounts that cannot be disabled
- 7.Audit and monitor default account usage to detect unauthorized access attempts
- 8.Establish a policy requiring all new systems and software to have default accounts disabled before deployment
Evidence auditors look for
- System administrator logs showing disabled default accounts (root, administrator, guest)
- Configuration management database entries documenting default account status across all assets
- Change management records proving default passwords were changed from vendor defaults
- Access control lists showing default accounts stripped of unnecessary permissions
- Automated scan reports from vulnerability or configuration management tools showing zero active default accounts
- Policy documentation requiring default account management during asset onboarding
- Audit logs showing failed login attempts against disabled default accounts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates default account discovery and tracking across your enterprise assets, providing one central dashboard to verify all default accounts are disabled and alerting you to any re-enabled accounts or configuration drift.
See how GRCWatch handles this control automatically
Start free trial