A contractor uses a password recovery tool on a production server to retrieve a forgotten service account password. The tool works — but it also dumps every password hash on the system into a file that the contractor takes home on a USB stick. A.8.18 requires that utility programs capable of bypassing security controls be tightly restricted, authorized and logged.
Many legitimate system utilities have dual use: they help administrators maintain systems but also help attackers escalate privileges, extract data or disable security controls. The control ensures these tools are available only to those who need them, when they need them.
What does the standard require?
- Limit access. Restrict privileged utility programs to a small number of trusted, authorized users.
- Authenticate and authorize. Enforce strong authentication and formal authorization before use.
- Remove unnecessary utilities. Uninstall or disable any utility programs that are not needed on the system.
- Log all usage. Record every use of privileged utilities, including who used them, when and what actions were performed.
- Segregate from applications. Keep utility programs separate from application software and regular network traffic.
In practice
Inventory all privileged utilities. Survey every production system: which utilities are installed that could bypass security controls? Create a list and classify each as essential (keep, restrict), occasionally needed (remove, provide on demand) or unnecessary (remove).
Apply application control. Use AppLocker, WDAC or equivalent tools to block execution of unauthorized utilities. Only whitelisted tools on whitelisted paths can run.
Log utility execution. Configure audit logging to record every execution of privileged utilities — process name, user, timestamp, command-line arguments. Forward these logs to your SIEM for review.
Use privileged access workstations. Provide a dedicated workstation (PAW) for administrative tasks, including utility usage. This workstation is hardened, monitored and isolated from general-purpose workstations.
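The review step that the inventory, authorization records and execution logs feed into can be automated. The following is an added example, not part of this page or any product: it checks constructed process-creation records against a constructed utility inventory (utility name to authorized users; an empty set marks a utility classified as unnecessary) and reports every execution that the authorization records do not cover. The log format, utility names and user names are all invented for the example.

```python
import re
from typing import Dict, List, Set

# Constructed inventory of privileged utilities: name -> users authorized to run it.
# An empty set means the utility was classified "unnecessary" and must never run.
INVENTORY: Dict[str, Set[str]] = {
    "psexec.exe": {"jdoe", "admin-ops"},
    "pwrecover.exe": {"admin-ops"},     # hypothetical password recovery tool
    "rawdisk.exe": set(),               # hypothetical tool, classified unnecessary
}

# Constructed process-creation records (fields loosely modelled on a
# Windows 4688-style event; this is not a real SIEM schema).
SAMPLE_LOG = """\
ts=2024-03-01T08:12:03Z user=jdoe host=paw-01 image=C:\\Tools\\psexec.exe cmd="psexec \\\\srv01 cmd"
ts=2024-03-01T09:40:17Z user=contractor7 host=srv01 image=C:\\Temp\\PwRecover.exe cmd="pwrecover -dump-all"
ts=2024-03-01T10:01:55Z user=jdoe host=srv01 image=C:\\Windows\\notepad.exe cmd="notepad"
ts=2024-03-01T11:22:09Z user=admin-ops host=paw-01 image=C:\\Tools\\psexec.exe cmd="psexec \\\\srv02 cmd"
ts=2024-03-01T12:00:00Z user=admin-ops host=srv01 image=D:\\old\\rawdisk.exe cmd="rawdisk /list"
"""

LINE_RE = re.compile(r'ts=(\S+) user=(\S+) host=(\S+) image=(\S+) cmd="([^"]*)"')


def parse(log_text: str) -> List[dict]:
    """Parse key=value records into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, image, cmd = m.groups()
            # Compare on the executable's base name, case-insensitively.
            exe = image.rsplit("\\", 1)[-1].lower()
            events.append({"ts": ts, "user": user, "host": host, "exe": exe, "cmd": cmd})
    return events


def audit(log_text: str, inventory: Dict[str, Set[str]] = INVENTORY) -> List[str]:
    """Return one finding per privileged-utility execution not covered by the inventory."""
    findings = []
    for ev in parse(log_text):
        if ev["exe"] not in inventory:
            continue                      # not a privileged utility: nothing to check
        allowed = inventory[ev["exe"]]
        if not allowed:
            findings.append(f'{ev["ts"]} {ev["exe"]} is classified unnecessary but ran '
                            f'on {ev["host"]} as {ev["user"]}')
        elif ev["user"] not in allowed:
            findings.append(f'{ev["ts"]} {ev["user"]} is not authorized for '
                            f'{ev["exe"]} (host {ev["host"]}, cmd: {ev["cmd"]})')
    return findings
```

Running `audit(SAMPLE_LOG)` yields two findings: the contractor's unauthorized use of the recovery tool and the execution of a utility that should have been removed. Each finding is the kind of line a SIEM rule would raise for review under the "Log all usage" requirement.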
Typical audit evidence
Auditors typically expect the following evidence for A.8.18:
- Utility inventory — list of authorized privileged utilities per system type (see IT Operations Policy in the Starter Kit)
- Access authorization records — documentation of who is authorized to use which utilities
- Application control configuration — whitelisting policies blocking unauthorized utilities
- Usage logs — audit logs showing utility execution
- Removal evidence — proof that unnecessary utilities have been uninstalled or disabled
KPI
Percentage of privileged utility programs with restricted and logged access
Measured as a percentage: how many identified privileged utilities have access restrictions and usage logging enabled? Target: 100%.
Supplementary KPIs:
- Number of unauthorized utility executions blocked per month
- Percentage of production systems with application control enabled
- Number of privileged utilities installed on production systems (target: decreasing)
BSI IT-Grundschutz
A.8.18 maps to BSI modules for access management and IT administration:
- ORP.4 (Identity and Access Management) — restricting access to tools that bypass security controls.
- OPS.1.1.2 (Orderly IT Administration) — requirements for managing administrative tools and utilities.
Related controls
- A.8.2 — Privileged Access Rights: Privileged utilities are often used under privileged access — both must be controlled together.
- A.8.19 — Installation of Software on Operational Systems: Software installation controls prevent unauthorized utilities from being added.
- A.8.15 — Logging: Logging of utility usage is essential for audit and forensics.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.8.18 — Use of privileged utility programs
- ISO/IEC 27002:2022 Section 8.18 — Implementation guidance for use of privileged utility programs
- BSI IT-Grundschutz, ORP.4 — Identity and Access Management