In November 2012, the UK government's Public Services Network (PSN) Code of Practice replaced the Government Secure Intranet Code of Connection (GSi CoCo). Based on ISO 27001, the new code is outcome-based, so government departments can decide for themselves how to comply rather than work through a checklist of technical requirements.
A core requirement of the new code is least privilege security: the practice of assigning users only the permissions they need to perform their roles. Although least privilege is widely accepted as best practice, Windows users often work with full administrative rights because running legacy applications, adding new hardware and using some Windows features is difficult under a standard user account.
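A first step toward the least privilege baseline described above is finding out who actually holds administrative rights on a workstation. The following PowerShell audit is an added example, not part of the original article or the PSN code; it assumes Windows PowerShell 5.1 or later and a hypothetical approved group `CORP\Workstation-Admins` in the allow-list.

```powershell
# Added example (not from the article): audit the local Administrators group
# and list accounts that are neither the built-in Administrator (RID 500)
# nor Domain Admins (RID 512). Run on the workstation with local admin rights.
function Get-UnexpectedLocalAdmins {
    param(
        # Hypothetical allow-list of additional principals you have approved,
        # given as 'DOMAIN\name' or 'COMPUTER\name'.
        [string[]]$AllowedMembers = @()
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        # The relative identifier is the last component of the SID.
        $rid = ($m.SID.Value -split '-')[-1]
        if ($rid -in @('500', '512')) { continue }        # built-in principals
        if ($AllowedMembers -contains $m.Name) { continue }  # approved principals
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass      # User or Group
            PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

# Report on this machine; a non-empty list means someone holds rights beyond
# the standard-user baseline the PSN configuration controls call for.
$extra = @(Get-UnexpectedLocalAdmins -AllowedMembers @('CORP\Workstation-Admins'))
if ($extra.Count -eq 0) {
    Write-Output 'Administrators group contains only the expected principals.'
} else {
    $extra | Format-Table -AutoSize
}
```

Run it across the estate (for example via a scheduled task or remoting) and keep the output as evidence when demonstrating compliance with the least privilege control.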
The PSN Code of Practice includes configuration controls that require government departments to:
- Lock down software according to policy, and assign the minimum privileges required to use a PSN service
- Prevent the execution of unauthorized software
- Prevent unauthorized changes to the standard build of network devices
- Ensure that users give permission before active content can be executed