
Thycotic’s Cyber Security Publication

Least Privilege Uncovered

November 20th, 2018

Organizations around the world are challenged by an ever-growing cyber threat landscape and are experiencing serious cyber fatigue. Their employees are dealing with constant information overload about cyber attacks, ransomware, identity theft and phishing scams.

Employees are exposed to risky behavior

For years, employees across all departments in most organizations have habitually practiced risky behavior, usually unintentionally. They do this by clicking on attachments or links within emails not knowing what might happen next; by logging into internet services using the same password they have chosen for their Facebook account, corporate email and bank account; or by simply plugging a USB stick they found in a café into their laptop.


Cyber Fatigue is occurring at all levels of the organization, from the CISO looking for metrics on the company’s exposure to cyber-attacks to the IT Security team trying to force employees to be more secure. The organization is under pressure to meet compliance, and employees need to perform their daily tasks, but nobody knows if the next email is the one that contains malware.

The balance between security and ease of use is critical

IT Security tries to balance the needs of the business while at the same time securing and protecting the organization’s most valuable assets.  To secure the organization, IT Security usually attempts to reduce privileges to employees’ access. However this can create conflict between IT Security and the rest of the employees.

Despite efforts to raise cybersecurity awareness and train users on secure behavior, 25% of your employees will open phishing emails, and more than one in ten will click on an attachment that contains malware. (See more alarming stats on this infographic.) These types of successful social engineering attacks are just one reason why employee workstations and personal devices are the most vulnerable part of your IT systems.

All it takes is one compromised user with local administrative privileges to gain full control or even take down your entire network

Privileged accounts exist everywhere in your IT environment. In many cases, users may not even realize the type of access they possess. They only know that when access is denied, they can’t get their work done. Hackers and cyber-criminals target these privileged accounts because once compromised, they provide the ability to move across your systems and networks undetected.

A world of too many over-privileged users increases the business’s cyber risks

Organizations today typically face major challenges when implementing a least privilege policy because built-in limits on access can impact employee productivity. One thing is clear: when an employee has too many privileges you typically do not hear from them, but when privileges are limited or restricted and the employee is unable to access an account, launch an application or connect to a printer, the IT help desk will surely be the first to know.

Unhappy employees are quick to call the help desk when they are unable to perform their jobs. This usually results in the IT help desk making the user over-privileged, and while they can now perform their job it is at the increased risk of turning a simple incident into a major catastrophe. Should the over-privileged employee fall victim to a cyber-attack, the attack could easily escalate to the entire organization.

Introducing the Principle of Least Privilege

Least Privilege is the concept of giving only the minimum permissions to an end-user, application, service, task or system to perform the jobs they have been assigned, or enabling elevation on demand for the privileges needed at that time, without impacting productivity or involving the IT help desk. This helps reduce costs, increase efficiency and reduce risks. By definition, least privilege is intended to prevent “over-privileged access” by users, applications, or services to help reduce the risk of exploitation without impacting productivity.

Least Privilege access control is a technique that is used to help enforce Zero Trust and includes a Risk-Based security strategy. Zero Trust is where most organizations should begin: every access request by any user or system to the network, services, applications, data or systems is verified, and trust is built but continuously challenged whenever the basis for that trust changes. This requires organizations to classify users and systems into trust and risk levels, for example, applying different security controls to employees, contractors, suppliers, temporary staff, or sensitive departments.

Cybersecurity classifications of trust and accepted risk can be dynamic. That is, you create different policies or rules across the enterprise for identities, services, applications, data, and systems.

The more access you have or request, the more security controls you must satisfy before you get access. You can choose between always trusting, verifying, or always auditing, depending on how much risk you must reduce.

When starting with Least Privilege you will first want to do the following:

DISCOVER ALL Admin and Local Admin Privileges

First, you should automatically discover all admin and local admin privileges across the environment, including privileges inherited via group memberships. It is important to know which employees, devices, software, services, applications and hardware have privileged accounts provisioned. This will help identify where your organization is compliant with industry compliance requirements, and possible gaps that need to be secured further.

INVENTORY ALL your Devices and Software

It is critical that you know what software is deployed and how software gets deployed, so knowing where it was installed from in the first place is a good way to get to know the organization’s risks.  Was software installed from SharePoint, a USB device, downloaded from the internet, via an email or deployed using a software delivery solution?  This will help determine what applications you have, whether you are properly licensed, trusted vendors your organization depends on, suspicious applications, and the most common method chosen by users to install the software.  Depending on your organization’s IT Policy, you might want to determine at this stage your preferred method of deployment, and what should be restricted.


Before enforcing restrictions or least privilege you will want to learn about the common usage: which employees are actively using their privileges and which users are potentially over-privileged.  Now you can determine which users’ administrative privileges need to be replaced with policies to ensure that they can continue doing their job without any disruption.

REPLACE PRIVILEGES with Automation Policies

Once you have audited the environment you can start to remove or reduce privileges from users who no longer require them. For those who actively require them you can replace privileges with policies that allow the task to be elevated on demand without the user becoming over-privileged.
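The discovery step above, including privileges inherited through nested group memberships, can be made concrete for the local Administrators group of one Windows host. This is an added example, not Privilege Manager or Thycotic code; it assumes Windows PowerShell 5.1+ (for Get-LocalGroupMember) and the RSAT ActiveDirectory module (for Get-ADGroupMember), and the function name Get-EffectiveLocalAdmins is the author's own.

```powershell
# Added example (not Thycotic's code): list who effectively holds local
# Administrators rights on this machine, expanding nested AD groups so that
# inherited privilege is visible alongside direct membership.
# Assumes Windows PowerShell 5.1+ and the RSAT ActiveDirectory module.

function Get-EffectiveLocalAdmins {
    param(
        [string]$GroupName = 'Administrators',
        [int]$MaxDepth = 10      # guard against runaway / cyclic nesting
    )
    $results = New-Object 'System.Collections.Generic.List[object]'
    $seen    = New-Object 'System.Collections.Generic.HashSet[string]'

    # Walk a domain group recursively, recording each non-group member with
    # the chain of group memberships through which it inherits the privilege.
    function Expand-DomainGroup([string]$Name, [string]$Path, [int]$Depth) {
        if ($Depth -gt $MaxDepth) { return }
        if (-not $seen.Add($Name)) { return }     # expand each group only once
        foreach ($m in Get-ADGroupMember -Identity $Name -ErrorAction SilentlyContinue) {
            $nextPath = "$Path -> $($m.SamAccountName)"
            if ($m.objectClass -eq 'group') {
                Expand-DomainGroup $m.SamAccountName $nextPath ($Depth + 1)
            } else {
                $results.Add([pscustomobject]@{
                    Principal = $m.SamAccountName
                    Type      = $m.objectClass
                    Inherited = $true
                    Via       = $nextPath
                })
            }
        }
    }

    foreach ($member in Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue) {
        $name = $member.Name      # e.g. DOMAIN\jsmith or HOST\localadmin
        if ($member.ObjectClass -eq 'Group' -and $member.PrincipalSource -eq 'ActiveDirectory') {
            Expand-DomainGroup ($name.Split('\')[-1]) "$GroupName -> $name" 1
        } else {
            $results.Add([pscustomobject]@{
                Principal = $name
                Type      = $member.ObjectClass
                Inherited = $false
                Via       = $GroupName
            })
        }
    }
    $results
}

Get-EffectiveLocalAdmins | Sort-Object Inherited, Principal | Format-Table -AutoSize
```

Run it per host (for example through your management tooling) and diff the output over time: a principal that appears only under Inherited = True is exactly the kind of admin right users "may not even realize" they possess.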

By combining both Privileged Access Management and Application Control you can control access to devices, services, applications, data and hardware, and control which actions they can perform.


Combining privileged access management with application control


It is also best practice to combine Least Privilege with Privileged Access Management using the PAM Life-cycle:

The Benefits of Implementing a Least Privilege Strategy

The benefits of implementing a Least Privilege strategy, or policy, are significant for all organizations.

Most organizations today need to satisfy various compliance requirements and regulations.  A strong least privilege strategy will help organizations meet most compliance and regulations requirements for restricting administrator access, so look at your least privilege strategy as a fast track to meeting most of your compliance security requirements.

Patch Management is one of the most repetitive, challenging tasks that all organizations must carry out, yet they continuously fail at staying current.  As most exploits on Windows require local administrative rights, least privilege security helps reduce the risk of more than 90% of Microsoft Windows Vulnerabilities. So you can focus on only those vulnerabilities that are exploitable without local admin rights.  This saves an organization both time and money as it becomes more effective at patching critical vulnerabilities.

Malware and Ransomware risks will be reduced because the user will not be able to execute untrusted applications, so an accidental click on that malicious email attachment will be prevented from infecting the system or any other system on the same network.

In Summary, a Strong Least Privilege Strategy will:

  1. Reduce costs: Save time and money by managing users securely.
  2. Produce empowered, happier employees: They can perform their duties without encountering roadblocks.
  3. Fast track compliance: Automated reporting will satisfy auditors.
  4. Improve security: Block cyber-criminals and malicious insiders from exploiting password compromise.

Implementing least privilege needn't be hard.

Privilege Manager makes least privilege adoption easy for users and reduces the workload for IT/desktop support.


Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.
