Least Privilege and Compliance

The principle of least privilege requires that a user be given no more privileges than are required to perform their job function.

The Department of Defense Trusted Computer System Evaluation Criteria (DOD-5200.28-STD), also known as the Orange Book, defines least privilege as a principle that “requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”

An important aspect of implementing least privilege is to avoid letting users log on to their desktops with administrative rights, but in practice this can be difficult to achieve, as a user must be granted the privileges necessary to perform all of their tasks. It is an all-too-common problem that a user requires administrative rights to perform a small number of tasks, with the only solution being to add them to the administrators group.

The concept of least privilege has become more prevalent in recent years due to the need for many organizations to be compliant with standards such as ITIL, Sarbanes-Oxley (SOX) and HIPAA.

Avecto Privilege Guard can play a key role in implementing a least privilege environment and deploying compliant desktops. With Privilege Guard it is no longer necessary to make users members of the administrators group. If a user requires administrative rights to carry out a limited set of tasks, Privilege Guard can elevate these tasks automatically based on policy settings, without user intervention. The experience is seamless to the user and ensures that the user runs with standard rights, avoiding accidental or deliberate abuse of administrative privileges.

Avecto Privilege Guard makes it possible to deploy compliant desktops by:

  • Enabling users to log on to their computers with standard user accounts
  • Negating the need to provide users with access to the administrative account to perform system configuration tasks
  • Allowing users to perform approved computer configuration tasks, such as
    amending network settings, managing printers and changing the time
  • Allowing users to install authorized software
  • Allowing users to run legacy applications or any other application that requires administrative rights to run
  • Protecting data on shared computers from unauthorized access
  • Auditing the use of applications that run with administrative rights

The IT department have complete control over which applications are elevated by Privilege Guard, and policies may be applied to individual users or groups of users.

Copyright © Avecto 2008. All rights reserved