NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(5)Privileged Accounts

Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

Practitioner Notes

Privileged accounts should be dedicated to specific administrative roles. The person who manages user accounts should not use the same privileged account to manage database servers.

Example 1: Create separate admin accounts for different tiers: adm-t0-john for domain controllers, adm-t1-john for member servers, adm-t2-john for workstation management. Configure AD group policies to restrict each tier's admin accounts to only log on to systems in their tier.

Example 2: In Azure AD PIM, create custom roles scoped to specific tasks. Instead of granting Global Administrator, create roles like Exchange Admin, SharePoint Admin, and Security Reader. Assign them as eligible with time-limited activation through PIM.

More Access Control Controls

AC-1 Policy and Procedures AC-2 Account Management AC-2(1) Automated System Account Management AC-2(2) Automated Temporary and Emergency Account Management