
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.3

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.3

January 06, 2026 · 3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.3 – Separate user functionality from system management functionality.

Understanding the Requirement

This control requires your organization to identify and separate normal user functions from system management (administrative) functions so that people who do not have administrative responsibilities cannot perform system administration, and administrators perform administrative tasks only when using a distinct administrative account. In practice that means listing which accounts and roles perform user vs. admin tasks, ensuring administrators have two accounts (a regular user account and an admin account), and technically restricting admin functions to the admin accounts and appropriate management systems.

Technical Implementation

  • Inventory and justify administrative accounts.

    Start with an access review: produce a list of accounts with local or domain administrative privileges (Active Directory Domain Admins, local administrators on servers/workstations, network device admins). For each account document the business need, approver, and frequency of use. Remove or suspend any admin accounts that cannot be justified.

  • Create and enforce dual-account practice for admins.

    Require administrators to have two accounts: a daily-use unprivileged user account and a separate admin account used only for system management tasks. Enforce this by local policy, Active Directory group membership, and work procedures; disable admin account interactive login on end-user workstations where possible.

  • Use group-based and role-based controls to restrict admin access.

    Implement security groups for administrative roles (e.g., Domain Admins, Server Admins, Network Admins) and apply least privilege: grant only the minimal admin rights each role needs. Limit which machines these groups can log on to (for example, only management servers, jump boxes, or privileged workstations).

  • Use dedicated management workstations or jump hosts.

    Deploy a hardened admin workstation (Privileged Access Workstation or jump server) for all administrative tasks. Block admin accounts from logging into ordinary user workstations to reduce credential theft risk. Where a PAM (Privileged Access Management) solution is available, use it to broker admin sessions.

  • Apply technical controls and logging.

    Enforce multi-factor authentication for admin accounts, enable audit logging for privileged actions (e.g., AD changes, server configuration changes), and forward logs to a centralized log server or SIEM. Configure alerts for administrative logins from unusual places or outside business hours.

  • Policy, training, and periodic review.

    Publish a short written policy that defines the dual-account requirement and authorized admin activities. Train admins on when to use each account and review admin access quarterly (or after personnel changes). Include consequences for failing to follow the process.
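As an added example (not code from the original post or from the company it describes), the following Python script applies the checks described in the steps above to constructed sample data: privileged-group members that are not dedicated admin accounts, admin-account logons to hosts other than the jump hosts, and admin logons outside business hours. The group names, host names, the `-admin` naming convention and the CSV export layout are assumptions.

```python
from datetime import datetime

# Constructed inventory (assumed names): privileged security groups and their members.
PRIVILEGED_GROUPS = {
    "Domain Admins": ["jsmith-admin", "mlee"],          # mlee: daily-use account holding admin rights
    "Server Admins": ["jsmith-admin", "rpatel-admin"],
}
# Hosts admin accounts may log on to (jump hosts / PAWs); anything else is a user workstation.
ADMIN_HOSTS = {"JUMP01", "PAW-IT01"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time
ADMIN_SUFFIX = "-admin"         # naming convention for dedicated admin accounts

# Constructed logon events as a CSV export: "timestamp,user,host,event_id" (4624 = successful logon)
SAMPLE_LOG = """\
2026-01-06T09:12:41,jsmith-admin,JUMP01,4624
2026-01-06T09:30:05,jsmith,WS-SALES07,4624
2026-01-06T10:02:17,rpatel-admin,WS-SALES12,4624
2026-01-06T23:45:00,jsmith-admin,JUMP01,4624
2026-01-06T11:15:33,mlee,WS-HR03,4624
"""

def is_admin_account(user: str) -> bool:
    return user.endswith(ADMIN_SUFFIX)

def check_group_membership(groups: dict) -> list:
    """Flag privileged-group members that are not dedicated admin accounts (dual-account violation)."""
    findings = []
    for group, members in groups.items():
        for member in members:
            if not is_admin_account(member):
                findings.append(f"{member} holds {group} from a daily-use account")
    return findings

def check_logons(log_text: str) -> list:
    """Flag admin-account logons to non-admin hosts or outside business hours."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, host, event_id = line.split(",")
        if event_id != "4624" or not is_admin_account(user):
            continue                      # only successful logons by admin accounts matter here
        when = datetime.fromisoformat(ts)
        if host.upper() not in ADMIN_HOSTS:
            findings.append(f"{user} logged on to non-admin host {host} at {ts}")
        if when.hour not in BUSINESS_HOURS:
            findings.append(f"{user} logged on to {host} outside business hours at {ts}")
    return findings

if __name__ == "__main__":
    for finding in check_group_membership(PRIVILEGED_GROUPS) + check_logons(SAMPLE_LOG):
        print("ALERT:", finding)
```

In practice the inventory would come from a directory export and the logon lines from the SIEM; the two functions are the parts to keep.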

Example in a Small or Medium Business

Acme Tech, a 60-person MSP, held an access audit and found 18 accounts with elevated privileges across servers and network devices. The IT manager removed administrative rights from five contractors who no longer needed them, and then mapped the remaining admins to specific roles (AD admin, server admin, network admin). Each administrator was given a regular domain user account for email and daily tasks plus a separate admin account with a clear naming convention (e.g., jsmith-admin). The company set up a hardened jump server that only admin accounts can access and blocked admin accounts from logging into staff desktops via group policy. They required MFA for admin accounts and enabled detailed auditing of changes in Active Directory and on critical servers, with alerts emailed to the IT manager. The IT policy was updated to require quarterly access reviews and short training for new admins. A month later, an attempted change by an administrator who was signed in with their regular account was denied, while the same administrator succeeded when logged in with their admin account on the jump host, demonstrating that the separation worked as designed.

Summary

Separating user functionality from system management functionality is achieved by a combination of policy (dual-account requirement, documented approvals, and reviews) and technical controls (group/role restrictions, jump hosts, MFA, logging). For SMBs the practical path is: inventory admin privileges, revoke unnecessary rights, provide administrators with distinct admin accounts, limit where those accounts can log on, and log and review administrative activities. These simple, repeatable steps reduce the risk of privilege misuse and make it straightforward to demonstrate compliance during an assessment.
