NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.6 — Least Privilege – Privileged Accounts
Restrict privileged accounts on the system to {{ insert: param, A.03.01.06.ODP.01 }}. Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- privileged accounts on the system are restricted to {{ insert: param, A.03.01.06.ODP.01 }}.
- users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information.
Practitioner Notes
This practice takes least privilege a step further — it says that people who do have admin accounts must use a regular account for everyday work like email and web browsing. The admin account only comes out when they need to do admin things.
Example 1: In Active Directory, create a naming convention for admin accounts (e.g., a-jsmith for admin, jsmith for daily use). Set the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Deny log on locally" to prevent admin accounts from logging into regular workstations. Admins use their privileged account only via Remote Desktop to servers or through a Privileged Access Workstation.
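An added audit script for Example 1 (not from the original page) that checks whether every member of the built-in privileged groups follows the a-&lt;user&gt; convention, has a matching daily-use account, and sits in the group that the "Deny log on locally" GPO targets on workstations. It assumes the ActiveDirectory module is installed and that the deny-logon group is named Deny-Workstation-Logon (a hypothetical name; adjust to your environment).

```powershell
# Added audit example, not code from the original page. Assumes the RSAT
# ActiveDirectory module and a hypothetical group 'Deny-Workstation-Logon'
# that the "Deny log on locally" user right is assigned to on workstation OUs.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$DenyLogonGroup   = 'Deny-Workstation-Logon'   # hypothetical group referenced by the GPO
$AdminPrefix      = 'a-'                       # naming convention from Example 1

$findings = foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $sam = $m.SamAccountName
        # Built-in accounts are governed separately; skip them here.
        if ($sam -in @('Administrator', 'krbtgt')) { continue }

        $issues = @()
        if (-not $sam.StartsWith($AdminPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $issues += "does not follow the '$AdminPrefix' naming convention"
        } else {
            # Each privileged account should have a non-privileged twin (a-jsmith -> jsmith).
            $daily = $sam.Substring($AdminPrefix.Length)
            if (-not (Get-ADUser -Filter "SamAccountName -eq '$daily'")) {
                $issues += "no matching daily-use account '$daily'"
            }
        }
        # The GPO only bites if the account is in the group it is assigned to.
        $groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
        if ($DenyLogonGroup -notin $groups) {
            $issues += "not in '$DenyLogonGroup' (workstation logon not denied)"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Group = $group; Account = $sam; Issues = ($issues -join '; ') }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else          { 'All privileged accounts pass the separation checks.' }
```

Run it from a management host with read access to AD; each row is a privileged account that would fail the assessment objectives above.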
Example 2: In Microsoft 365, go to Azure AD → Roles and Administrators and ensure that Global Admin accounts are separate cloud-only identities that are not synced from on-prem AD. Enable Privileged Identity Management (PIM) so admins must "activate" their role for a limited time window, rather than having standing admin access 24/7.