NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.7 Least Privilege – Privileged Functions

Prevent non-privileged users from executing privileged functions. Log the execution of privileged functions.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the execution of privileged functions is logged.
  • non-privileged users are prevented from executing privileged functions.

Practitioner Notes

Standard users should never be able to install software, change security settings, or modify system configurations. And when someone does use admin privileges, those actions need to be logged so you can spot misuse.

Example 1: Configure Windows User Account Control (UAC) via GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "User Account Control: Run all administrators in Admin Approval Mode" set to Enabled. This forces even admin users to confirm elevation, and blocks standard users from elevating entirely.

Example 2: Enable Advanced Audit Policy Configuration via GPO at Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Privilege Use → "Audit Sensitive Privilege Use" set to Success/Failure. This logs every time someone uses privileges like Debug Programs, Take Ownership, or Act As Part of the Operating System. Forward these logs to your SIEM (e.g., Splunk, Microsoft Sentinel) for review.
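
One way to confirm on an endpoint that the settings from Examples 1 and 2 actually took effect, as an added example that is not part of the original notes. It also reads `ConsentPromptBehaviorUser`, the registry value behind the separate "User Account Control: Behavior of the elevation prompt for standard users" policy, which the notes above do not mention. It assumes an elevated PowerShell session and an English-language Windows install.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# session on the endpoint being assessed; assumes an English-language Windows
# install, because auditpol subcategory names are localized.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction Stop

# Report-format (/r) output is CSV; drop blank lines before parsing.
$audit = auditpol.exe /get /subcategory:"Sensitive Privilege Use" /r |
    Where-Object { $_.Trim() } | ConvertFrom-Csv

# Event IDs 4673 and 4674 are written by the privilege-use audit subcategories.
$recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue)

$results = @(
    [pscustomobject]@{
        Check    = 'Admin Approval Mode (EnableLUA)'
        Expected = '1'   # 1 = Enabled
        Actual   = "$($uac.EnableLUA)"
    }
    [pscustomobject]@{
        Check    = 'Standard-user elevation prompt (ConsentPromptBehaviorUser)'
        Expected = '0'   # 0 = automatically deny elevation requests
        Actual   = "$($uac.ConsentPromptBehaviorUser)"
    }
    [pscustomobject]@{
        Check    = 'Audit Sensitive Privilege Use'
        Expected = 'Success and Failure'
        Actual   = "$($audit.'Inclusion Setting')"
    }
)

# Add a Pass column and print the comparison as a table.
$results | ForEach-Object {
    $_ | Add-Member -NotePropertyName Pass -NotePropertyValue ($_.Expected -eq $_.Actual) -PassThru
} | Format-Table -AutoSize

# A count of zero on an active machine suggests the audit policy is not producing events.
"Recent 4673/4674 events found in Security log: $($recent.Count)"
```

The table output can be saved as assessment evidence for both objectives; the event count only shows that logging is producing records locally, not that they reach the SIEM.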