System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-08, including SA-08(01), SA-08(03), SA-08(04), SA-08(10), SA-08(12), SA-08(13), SA-08(14), and SA-08(18).
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
SC-02 | Separation of System and User Functionality | Protects | T1203 | Exploitation for Client Execution |
SC-02 | Separation of System and User Functionality | Protects | T1210 | Exploitation of Remote Services |
SC-02 | Separation of System and User Functionality | Protects | T1211 | Exploitation for Defense Evasion |
SC-02 | Separation of System and User Functionality | Protects | T1190 | Exploit Public-Facing Application |
SC-02 | Separation of System and User Functionality | Protects | T1189 | Drive-by Compromise |
SC-02 | Separation of System and User Functionality | Protects | T1068 | Exploitation for Privilege Escalation |
SC-02 | Separation of System and User Functionality | Protects | T1611 | Escape to Host |
SC-02 | Separation of System and User Functionality | Protects | T1212 | Exploitation for Credential Access |