According to the NIST glossary, the principle of least privilege is "the principle that users and programs should only have the necessary privileges to complete their tasks."
Here is an example: all employees are provided with Microsoft 365 accounts, but only employees who are system administrators are given administrative privileges in Microsoft 365.
Another example is revoking local administrator privileges from employees on their computers, while making an exception for developers on their computers.
The goal of the principle of least privilege is to ensure that only a few individuals have administrative privileges on an information system, to prevent accidental and intentional harm. The fewer privileged accounts there are, the lower the probability that a threat actor abuses an account's privileges to cause a security incident.
The principle of least privilege also applies to programs and applications. For example, you download a photo editing application onto your phone. The app asks for access to your photos, and you approve the request because it needs to access the photos for editing purposes. When the app asks for access to your microphone and location, you deny the request. The app is now running with least privilege on your phone.
NIST SP 800-171 Least Privilege Requirement
NIST SP 800-171 security control 3.1.5 states “Employ the principle of least privilege, including for specific security functions and privileged accounts.”
To meet this requirement you need to ensure that:
- The privileges granted to a user account are consistent with the account owner's assigned duties.
- The privileges granted to applications are kept to a minimum (e.g., using UAC on Windows computers).
- You regularly review the privileges assigned to user accounts.
- You leverage user security groups.
- You leverage system capabilities such as User Account Control (UAC) for Windows on your systems.
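As an added illustration of the first and third items above (not code from the original article), the following Python script reviews a set of accounts against the privileges their assigned duties require and reports anything in excess. The role-to-privilege mapping and the account records are constructed sample data, not a real directory export.

```python
"""Least-privilege review for NIST SP 800-171 control 3.1.5.

Flags privileges granted to an account that its assigned role does not need.
All roles, privilege names and accounts below are constructed sample data.
"""
from dataclasses import dataclass

# Privileges each role (the account owner's assigned duties) legitimately needs.
ROLE_PRIVILEGES = {
    "employee": {"m365_user"},
    "developer": {"m365_user", "local_admin"},
    "sysadmin": {"m365_user", "m365_global_admin", "local_admin"},
}


@dataclass
class Account:
    name: str
    role: str
    privileges: set  # privileges actually granted, e.g. via security group membership


def excess_privileges(account):
    """Return the privileges granted beyond what the account's role requires.

    An unknown role has no approved privileges, so everything it holds is flagged.
    """
    allowed = ROLE_PRIVILEGES.get(account.role, set())
    return account.privileges - allowed


def review(accounts):
    """Return {account name: sorted excess privileges} for every violating account."""
    findings = {}
    for acct in accounts:
        extra = excess_privileges(acct)
        if extra:
            findings[acct.name] = sorted(extra)
    return findings


SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("alice", "sysadmin", {"m365_user", "m365_global_admin", "local_admin"}),
    Account("bob", "employee", {"m365_user", "local_admin"}),  # local admin never revoked
    Account("carol", "developer", {"m365_user", "local_admin"}),  # developer exception
    Account("dave", "employee", {"m365_user", "m365_global_admin"}),  # stale admin role
    Account("erin", "contractor", {"m365_user"}),  # role not defined, so nothing is approved
]

if __name__ == "__main__":
    for name, extra in review(SAMPLE_ACCOUNTS).items():
        print(f"{name}: revoke {', '.join(extra)}")
```

In practice the account list would be exported from the directory or Microsoft 365 and the review run on a schedule, with each finding either revoked or recorded as an approved exception.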