NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(6) — Protection of User and System Information
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This is about protecting both user data and system data from unauthorized access. The system should not expose sensitive information like passwords, encryption keys, or personal data to anyone not explicitly authorized.
Example 1: In Windows, set the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD) to 1 to prevent anonymous enumeration of SAM accounts and shares. This stops attackers from listing user accounts without credentials.
Example 2: In your web applications, ensure API endpoints that return user data apply authorization checks at the controller level. Use middleware like ASP.NET's [Authorize(Roles = "Admin")] attribute or Django's @permission_required decorator. Never rely solely on hiding the URL.
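The controller-level check in Example 2, as an added framework-neutral illustration (not code from NIST, ASP.NET or Django): a `require_role` decorator plays the part of `[Authorize(Roles = ...)]` or `@permission_required`, and the unguarded "hidden URL" handler sits beside the guarded one so the difference is visible. Users, records and requests are constructed sample data; the handler, user and record names are assumptions for the example.

```python
"""Controller-level authorization, added example (not from the NIST text
or from either framework named on the page). All data below is constructed."""

from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional, Set

# Constructed user store: username -> granted roles.
USERS: Dict[str, Set[str]] = {
    "alice": {"Admin"},
    "bob": {"User"},
}

# Constructed record store holding the user information the control protects.
RECORDS: Dict[int, Dict[str, str]] = {
    1: {"owner": "alice", "email": "alice@example.test", "ssn_last4": "1234"},
    2: {"owner": "bob", "email": "bob@example.test", "ssn_last4": "5678"},
}


@dataclass
class Request:
    user: Optional[str]   # None models an anonymous caller
    record_id: int


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


Handler = Callable[[Request], Response]


def require_role(*roles: str) -> Callable[[Handler], Handler]:
    """Guard a handler the way @permission_required / [Authorize(Roles=...)] do.

    With no roles given, any authenticated user passes; otherwise the caller
    must hold at least one of the listed roles. The check runs before the
    handler body, so the handler never sees an unauthorized request."""
    def deco(handler: Handler) -> Handler:
        @wraps(handler)
        def guarded(req: Request) -> Response:
            if req.user is None or req.user not in USERS:
                return Response(401)          # not authenticated
            if roles and not (USERS[req.user] & set(roles)):
                return Response(403)          # authenticated, wrong role
            return handler(req)
        return guarded
    return deco


def weak_get_record(req: Request) -> Response:
    """The anti-pattern: relies on the endpoint path being 'unknown' and
    returns user data to anyone who finds it."""
    rec = RECORDS.get(req.record_id)
    return Response(200, rec) if rec else Response(404)


@require_role()  # any authenticated user may reach the handler...
def get_record(req: Request) -> Response:
    """...but the record is released only to its owner or an Admin."""
    rec = RECORDS.get(req.record_id)
    is_admin = "Admin" in USERS[req.user]
    if rec is None or (rec["owner"] != req.user and not is_admin):
        # Same answer for 'missing' and 'not yours': do not confirm existence.
        return Response(404)
    return Response(200, rec)


@require_role("Admin")
def list_records(req: Request) -> Response:
    """Bulk listing of user records is restricted to the Admin role."""
    return Response(200, {"ids": sorted(RECORDS)})


if __name__ == "__main__":
    print("anonymous via weak handler:", weak_get_record(Request(None, 2)).status)
    print("anonymous via guarded handler:", get_record(Request(None, 2)).status)
    print("bob reading alice's record:", get_record(Request("bob", 1)).status)
    print("bob listing all records:", list_records(Request("bob", 0)).status)
```

The guard is attached at the controller boundary, so adding a new endpoint without a decorator is a visible omission in code review rather than a gap that only shows up when someone guesses the path.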