NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(1) — Restricted Access to Privileged Functions
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
AC-3(1) is withdrawn in Rev 5 and incorporated into AC-6 (Least Privilege). The substance of this enhancement now lives in AC-6 and its enhancements, in particular AC-6(1) Authorize Access to Security Functions, AC-6(2) Non-privileged Access for Nonsecurity Functions, and AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions; assess against those rather than against AC-3(1) by name.
Practitioner Notes
Privileged functions are the operations that change the security state of a system: creating and managing accounts, changing security or audit configuration, managing keys, installing software, and modifying or deleting audit records. Access to them is limited to a small, explicitly authorized set of accounts, and the restriction is enforced by the system itself (UAC, sudo, RBAC), not by policy alone. Non-privileged users must not be able to execute these functions at all, including by accident, by path traversal to an admin tool, or by a misconfigured grant that is broader than intended. Verify the enforcement (list who can elevate, and to what) rather than assuming the configuration matches the documentation.
Example 1: Configure User Account Control (UAC) in Windows via GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "User Account Control: Run all administrators in Admin Approval Mode" set to Enabled. This is the default; setting it to Disabled turns UAC off entirely for the machine. With it enabled, even members of the local Administrators group run with a filtered standard-user token and must explicitly elevate (consent prompt) before a privileged operation runs. Two caveats: the built-in Administrator account is exempt unless "User Account Control: Admin Approval Mode for the Built-in Administrator account" is also enabled, and Microsoft does not treat UAC as a security boundary, so the real control is keeping the Administrators group small and using separate admin accounts for admin work. To check the effective state on a host, confirm that the registry value EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is 1.
Example 2: In Linux, configure sudoers using visudo (or a drop-in file under /etc/sudoers.d) to restrict which commands each admin can run with elevated privileges. For example, dbadmin ALL=(ALL) /usr/bin/systemctl restart postgresql gives the database admin only the ability to restart the PostgreSQL service. Because arguments are listed, sudo matches them exactly: "systemctl restart postgresql" is allowed, "systemctl stop auditd" is not. Listing the bare path (/usr/bin/systemctl with no arguments) would permit any arguments, and the special argument "" permits none. Since the service restart runs as root anyway, (root) is a tighter runas list than (ALL), which would also let dbadmin run the command as any other account. Avoid granting commands that offer a shell escape (editors, pagers, interpreters), and do not try to subtract from ALL with "!", which the sudoers manual notes is bypassable by copying the binary. Validate the file with visudo -c and confirm the effective grant with sudo -l -U dbadmin.
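The sudoers pitfalls in Example 2 (unrestricted ALL, a path with no argument restriction, shell-escape binaries, deny-list entries, runas (ALL), NOPASSWD) can be checked mechanically. The following auditor is an added example written for this page; it is not code from NIST, the sudo project, or any distribution. It parses a common subset of sudoers syntax (comments, Defaults, Cmnd_Alias, one user specification per line with optional runas list and tags) and assumes no includes, quoted commas, or line continuations. The shell-escape list and the sample sudoers text are constructed for illustration.

```python
"""Audit sudoers text for grants that undermine restriction of privileged functions.
Added illustration for this page; not code from NIST, sudo, or any distribution.
Assumes the common sudoers subset described in the lead-in."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Binaries that hand the caller an unrestricted shell (assumed list, not exhaustive).
SHELL_ESCAPE = {"sh", "bash", "dash", "zsh", "vi", "vim", "less", "more", "find", "python3", "perl"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
SKIP_RE = re.compile(r"^(Defaults|User_Alias|Runas_Alias|Host_Alias)\b")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(?P<name>[A-Z][A-Z0-9_]*)\s*=\s*(?P<cmds>.+)$")
# user  host=(runas) cmds   -- host is matched lazily so it stops at '='
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


@dataclass
class Finding:
    line_no: int
    user: str
    severity: str  # "high", "medium" or "low"
    message: str


def _split_tags(cmd: str) -> Tuple[set, str]:
    """Strip leading TAG: prefixes (e.g. NOPASSWD:) and return (tags, bare command)."""
    tags = set()
    while True:
        m = re.match(r"^([A-Z_]+):\s*", cmd)
        if not m or m.group(1) not in TAGS:
            return tags, cmd
        tags.add(m.group(1))
        cmd = cmd[m.end():]


def classify_command(cmd: str) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for one command entry of a user specification."""
    issues = []
    tags, cmd = _split_tags(cmd)
    if "NOPASSWD" in tags:
        issues.append(("low", "NOPASSWD: elevation without re-authentication"))
    if cmd.startswith("!"):
        # The sudoers manual warns that subtracting from ALL is bypassed by copying the binary.
        issues.append(("medium", f"{cmd}: deny-list entry, bypassable by copying the binary"))
        return issues
    if cmd == "ALL":
        issues.append(("high", "ALL: unrestricted root, every privileged function reachable"))
        return issues
    parts = cmd.split(None, 1)
    path, args = parts[0], (parts[1] if len(parts) > 1 else None)
    if os.path.basename(path) in SHELL_ESCAPE:
        issues.append(("high", f"{path}: can escape to an unrestricted shell"))
    if args is None:  # bare path: sudo accepts any arguments ('""' would forbid all)
        issues.append(("medium", f"{path}: no argument restriction, any subcommand accepted"))
    return issues


def audit_sudoers(text: str) -> List[Finding]:
    """Parse sudoers text, expand Cmnd_Alias references, and return findings per grant."""
    aliases: Dict[str, List[str]] = {}
    specs = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or SKIP_RE.match(line):
            continue
        line = line.split(" #", 1)[0].strip()  # drop trailing comment
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group("name")] = [c.strip() for c in m.group("cmds").split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((line_no, m))
    findings: List[Finding] = []
    for line_no, m in specs:
        user, runas = m.group("user"), (m.group("runas") or "root")
        if "ALL" in [r.strip() for r in runas.split(",")]:
            findings.append(Finding(line_no, user, "low", "runas (ALL): may run as any account; (root) is usually enough"))
        for entry in m.group("cmds").split(","):
            tags, bare = _split_tags(entry.strip())
            prefix = "".join(f"{t}: " for t in sorted(tags))
            for cmd in aliases.get(bare, [bare]):  # expand alias, keep the entry's tags
                for sev, msg in classify_command(prefix + cmd):
                    findings.append(Finding(line_no, user, sev, msg))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
# Constructed sample sudoers
Defaults env_reset
Cmnd_Alias PGRESTART = /usr/bin/systemctl restart postgresql
dbadmin  ALL=(ALL) PGRESTART
opsuser  ALL=(root) NOPASSWD: /usr/bin/systemctl
%wheel   ALL=(ALL) ALL
backup   ALL=(root) /usr/bin/vim /etc/backup.conf
appdev   ALL=(root) ALL, !/bin/su
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no:>3} {f.user:<8} {f.severity:<6} {f.message}")
    print(severity_counts(audit_sudoers(SAMPLE_SUDOERS)))
```

On the sample, the dbadmin grant from Example 2 produces only the low-severity runas note, while the opsuser line shows why the bare path matters: with no arguments listed, "systemctl stop auditd" is just as permitted as a PostgreSQL restart. Run it against a copy of /etc/sudoers and the files in /etc/sudoers.d, and treat any high finding as a grant that makes the user effectively root.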