This weakness occurs when a system's built-in security settings cannot be adjusted by its administrator. This prevents tailoring security to the specific deployment environment, forcing the system to operate at a lower or inappropriate security level than required.
When administrators lack continuous control over security configurations, they cannot effectively defend the system against evolving threats, whether those come from external attackers or even from the original software vendor. For example, hard-coded credentials that cannot be changed create a permanent backdoor that the administrator is powerless to close, making targeted security hardening impossible.
This rigidity forces the organization to accept the developer's default risk posture, which often doesn't match real-world needs. It prevents implementing least-privilege principles, adapting to new compliance rules, or responding to incident investigations. Ultimately, the product becomes a liability instead of a protected asset, as security decisions are outsourced and frozen in time.
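The hard-coded credential case above, shown beside a form the administrator controls. This is an added example, not code from the original page; the function names, the `admin.cred` file name and the sample passwords are assumptions, and the permission check assumes a POSIX system.

```python
import hashlib, hmac, json, os

# Weak form: the secret ships inside the product, so no administrator can rotate it.
BUILT_IN_PASSWORD = "vendor-default"  # constructed value for illustration

def check_fixed(password: str) -> bool:
    return hmac.compare_digest(password.encode(), BUILT_IN_PASSWORD.encode())

# Corrected form: the credential lives in a file the administrator owns and can replace.
def set_admin_password(path: str, password: str, iterations: int = 600_000) -> None:
    """Write a salted PBKDF2 record; calling it again rotates the credential."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    record = {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)
    os.chmod(path, 0o600)  # also tighten a file that already existed

def check_configured(path: str, password: str) -> bool:
    """Fail closed: no record, or a record other users can touch, means no login."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False  # never fall back to a built-in secret
    if mode & 0o077:
        return False  # group/other access: the administrator no longer controls it
    with open(path) as f:
        record = json.load(f)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "admin.cred")  # hypothetical file name
        print("before setup:", check_configured(path, "vendor-default"))
        set_admin_password(path, "first-secret")
        set_admin_password(path, "rotated-secret")  # administrator rotates it
        print("old secret:", check_configured(path, "first-secret"))
        print("new secret:", check_configured(path, "rotated-secret"))
```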
Impact: Varies by Context