NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-2(1) Interfaces for Non-privileged Users

Prevent the presentation of system management functionality at interfaces to non-privileged users.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Preventing the presentation of system management functionality at interfaces to non-privileged users ensures that system administration options, including administrator privileges, are not available to the general user population. Restricting user access also prohibits the use of the grey-out option commonly used to eliminate accessibility to such information. One potential solution is to withhold system administration options until users establish sessions with administrator privileges.

Practitioner Notes

Non-privileged users should never see system management options on their screens. If a regular employee opens a web portal or application, admin functions should be completely hidden — not just grayed out.

Example 1: Configure your web applications so admin panels and management consoles are served on a completely different URL or port that is only accessible from the admin VLAN. Regular users never even see a login page for admin functions.

Example 2: In Azure AD, use Conditional Access policies to block access to admin portals (portal.azure.com, admin.microsoft.com) from non-admin accounts. Only accounts with admin roles assigned can reach those interfaces.
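The following is an added illustration of the server-side pattern behind both examples above; it is not code from NIST or from any product. It contrasts the rejected "grey-out" approach with omitting admin items entirely, and binds the admin console to a separate listener that only an established administrator session can use. The listener addresses, role names and paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses: the admin console listens only on an admin-VLAN
# address (Example 1 above); the user-facing listener is the public one.
ADMIN_LISTENER: Tuple[str, int] = ("10.10.0.5", 8443)
USER_LISTENER: Tuple[str, int] = ("0.0.0.0", 443)


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    elevated: bool = False  # True once an administrator session is established


@dataclass(frozen=True)
class Request:
    path: str
    listener: Tuple[str, int]
    session: Optional[Session]


def menu_grayed_out(session: Session) -> str:
    """Anti-pattern the guidance rejects: the admin link is still sent to
    the browser, merely disabled, so every user can see it in the markup."""
    disabled = "" if "admin" in session.roles else " disabled"
    return f'<a href="/">Home</a><a href="/admin/users"{disabled}>Users</a>'


def menu(session: Session) -> List[str]:
    """Compliant rendering: admin items are omitted server-side unless the
    caller already holds an administrator session (role AND elevated)."""
    items = ["Home", "Profile"]
    if "admin" in session.roles and session.elevated:
        items.append("Users")
    return items


def route(req: Request) -> Tuple[int, str]:
    """Serve /admin/* only on the admin listener and only to an elevated
    admin session; everyone else gets 404, never a disabled page."""
    if req.path.startswith("/admin/"):
        if req.listener != ADMIN_LISTENER:
            return 404, "Not Found"  # public listener never serves admin paths
        if req.session is None or "admin" not in req.session.roles:
            return 404, "Not Found"  # do not confirm the console exists
        if not req.session.elevated:
            return 401, "Administrator session required"
        return 200, "admin console"
    if req.session is None:
        return 401, "Sign in"
    return 200, " | ".join(menu(req.session))
```

A regular user on the public listener receives the same 404 for /admin/users as for any unknown path, so nothing in the response reveals that management functionality exists.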