2 Policy Statement
Admin By Request handles account separation natively, and as such fully complies with the Cyber Essentials Plus (CE+) account separation requirements without any modifications from its default configuration.
However, if a second separate account is needed for reasons other than a CE+ compliance requirement, this can be achieved using the MFA Account Separation feature.
Refer to Confirmation of Account Separation for an independent pentest assessment.
2.1 MFA Account Separation Feature Requirements
For UK customers, the MFA Account Separation feature is enabled by default. For non-UK customers, the feature is disabled by default and must be enabled by us for your tenant. If you are outside the UK, please contact your Admin By Request / partner account manager to enable this feature if required.
2.2 Authentication and MFA Enforcement
When configured, all users requesting privileged access must authenticate using MFA.
If a user does not have two separate accounts, an alternative approach may be applied:
- The user authenticates with minimum credentials (authentication or MFA) on the endpoint.
- The administrator must approve access via SSO to the ABR portal using a separate (i.e. secondary) account.
- This ensures that two distinct accounts are used in the process, though some auditors may interpret compliance differently.
2.3 Implementation in Admin By Request (ABR)
Organizations must update their Windows endpoints to ABR v8.5.1+ to access the MFA for secondary account setting.
IT administrators must configure the setting in the ABR portal and ensure users comply with the new authentication requirements.
The security team must verify that access control logs reflect proper account separation practices.
2.4 Compliance with Cyber Essentials Plus
Both native account separation and MFA Account Separation align with the CE+ requirement that privileged access must be performed using a different account. If you already manage or require two user-accessible accounts per user to manage privileged access, then MFA Account Separation is the recommended option.
In such a scenario, the existing admin or adm account should be downgraded to non-privileged, with Admin By Request EPM providing granular privilege elevation, elevation blocking, auditing and malware protection for the account with privilege elevation capabilities via a suitably configured sub setting.
Admin By Request's dual non-privileged per-user MFA Account Separation configuration is a far more secure approach than what is currently required by CE+:
To meet CE+ compliance, it is entirely permissible to supply each user who might need privilege elevation with a full, credentials-based, unrestricted local admin account as a separate privileged account. The standard also permits the sharing of this privileged account between users.
Neither of these things is necessary using Admin By Request MFA Account Separation.
If an alternative authentication approach is used, organizations must document and verify its acceptance with auditors.
2.5 Documentation and Review
A document outlining this policy (Cyber Essentials Plus Policy) is made available in the Documentation Center and/or the Trust Center, explaining compliance steps.
This policy shall be reviewed annually or upon updates to Cyber Essentials Plus or ABR functionality.