NIST 800-53 REV 5 • ACCESS CONTROL
AC-6(8) — Privilege Levels for Code Execution
Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.
Practitioner Notes
Software should only run with the privilege level it actually needs. If an application does not need admin rights, it should not run as admin. This limits the damage if the application is compromised.
Example 1: In Windows, configure application compatibility settings so that legacy apps do not run with elevated privileges by default. Set the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "User Account Control: Only elevate executables that are signed and validated" to Enabled.
Example 2: In Linux, run application services with dedicated service accounts that have no shell access. Create the account with useradd -r -s /usr/sbin/nologin appuser and configure the systemd service file with User=appuser and Group=appgroup.
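The check below audits unit files for the Example 2 settings. It is an added example, not part of the control text or of any vendor tooling. The function names, the temporary directory and the sample unit and passwd contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; unit files and passwd entries below are constructed samples.

# Effective User= from the [Service] section; systemd runs the service as root if unset.
unit_user() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^User=/ { sub(/^User=/, ""); user = $0 }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Login shell (field 7) of an account in a passwd-format file.
account_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Report whether a unit runs as a non-root account that has no login shell.
audit_unit() {
    user=$(unit_user "$1")
    if [ "$user" = "root" ] || [ "$user" = "0" ]; then
        echo "FAIL: runs as root"
        return 0
    fi
    shell=$(account_shell "$user" "$2")
    case "$shell" in
        */nologin|*/false) echo "OK: $user ($shell)" ;;
        "")                echo "FAIL: account $user not found" ;;
        *)                 echo "FAIL: $user has login shell $shell" ;;
    esac
}

# Constructed sample data: three unit files and a passwd-format file.
demo_dir=$(mktemp -d)
printf '[Unit]\nDescription=App\n\n[Service]\nExecStart=/opt/app/bin/app\n' > "$demo_dir/legacy.service"
printf '[Service]\nUser=appuser\nGroup=appgroup\nExecStart=/opt/app/bin/app\n' > "$demo_dir/app.service"
printf '[Service]\nUser=deploy\nExecStart=/opt/app/bin/job\n' > "$demo_dir/job.service"
printf 'root:x:0:0:root:/root:/bin/bash\nappuser:x:998:998::/home/appuser:/usr/sbin/nologin\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n' > "$demo_dir/passwd"

for u in legacy app job; do
    printf '%s.service -> %s\n' "$u" "$(audit_unit "$demo_dir/$u.service" "$demo_dir/passwd")"
done
```

The parser reads a single unit file and does not merge drop-in overrides; on a live host, `systemctl show -p User <unit>` reports the value systemd actually applies.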