NIST 800-53 REV 5 • ACCESS CONTROL
AC-6(10) — Prohibit Non-privileged Users from Executing Privileged Functions
Prevent non-privileged users from executing privileged functions.
Related Controls
No related controls listed
Supplemental Guidance
Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3).
Practitioner Notes
Regular users must be prevented from performing actions that require elevated privileges. The system must enforce this technically (access control, application control, sudo policy), not merely through written policy.
Example 1: Use Windows AppLocker or WDAC (Windows Defender Application Control) to block standard users from running administrative tools such as PowerShell ISE, regedit.exe, and mmc.exe. The AppLocker policy is configured via GPO at Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies.
Example 2: In Linux, verify that /etc/sudoers does not contain ALL=(ALL) ALL for any group besides dedicated admin groups. Run sudo -l -U username for each user to confirm they only have access to explicitly approved commands. Remove any overly broad sudo entries.
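The sudoers check in Example 2, as an added shell example (not part of the NIST text or any distribution's tooling): it scans a sudoers-format file for unrestricted grants and reports any held by a user or group outside an allowlist you pass in. It assumes the allowlist is written as sudoers specs (e.g. "root %wheel") and that aliases and included files are not expanded; the sample sudoers content is constructed for the demo.

```shell
#!/bin/sh
# Static audit of a sudoers-format file: flag every user or group spec that
# holds an unrestricted "ALL=(ALL) ALL" / "ALL=(ALL:ALL) ALL" rule (with or
# without tags such as NOPASSWD:) and is not on the caller's allowlist.
# Assumption: the allowlist is a space-separated list of specs written exactly
# as in sudoers (e.g. "root %wheel"). Aliases and #include/@include files are
# not expanded, so run the function over each included file as well.

# find_broad_sudoers FILE "ALLOWED_SPECS"
# Prints "<spec>: <rule>" for each finding; returns 1 if any, 0 if none.
find_broad_sudoers() {
    file=$1
    allowed=" $2 "
    # ERE for a rule that lets the spec run any command as any user
    broad_re='^ALL=\((ALL|ALL:ALL)\) ((NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC): ?)*ALL$'
    hits=$(
        # drop comments, collapse whitespace, normalise spaces around '='
        sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
            -e 's/ *= */=/g' -e 's/^ //' -e 's/ $//' "$file" |
        grep -v '^$' |
        while read -r spec rest; do
            printf '%s\n' "$rest" | grep -Eq "$broad_re" || continue
            # skip specs the caller approved (root and dedicated admin groups)
            case "$allowed" in *" $spec "*) continue ;; esac
            printf '%s: %s\n' "$spec" "$rest"
        done
    )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample sudoers content for the demo (not taken from any real host).
write_sample_sudoers() {
    cat >"$1" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%developers    ALL=(ALL:ALL) NOPASSWD: ALL
alice ALL = (ALL) ALL
bob ALL=(root) /usr/bin/systemctl restart nginx
%ops ALL=(ALL) NOPASSWD: /usr/bin/journalctl
EOF
}
# Stand-alone demo: only root and %wheel are approved for unrestricted sudo.
sample=$(mktemp)
write_sample_sudoers "$sample"
find_broad_sudoers "$sample" "root %wheel" || echo "Overly broad sudo grants found; tighten the file."
rm -f "$sample"
```

On a real host, point the function at /etc/sudoers and at each file under /etc/sudoers.d, then confirm the remaining per-user view with sudo -l -U username as the note describes.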