
Your Leadership Mandated A Least Privilege Policy. Now What?

Find out how to implement and enforce a least privilege policy without putting the brakes on productivity


To comply with regulations and reduce your risk, you need a least privilege policy that removes excessive privileges.


Without least privilege, virtually all Windows and Mac computers are vulnerable.


Automatically remove privileges and add policy-based controls so people can use tools without needing the help desk.

The least privilege model means limiting access to reduce your attack surface

When users or applications operate with administrative privileges, they have access to sensitive data, operating systems, and powerful controls. In contrast, under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them, when they need them. All others operate as general, everyday users with an appropriate set of privileges.

Regulations such as PCI DSS, HIPAA, and SOX, along with the NIST and CIS security controls, recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.


A least privilege policy prevents malware from infecting your network

When everyday users lack admin rights on their desktops and laptops, they can’t install malicious software. Eighty percent of hackers find human error the easiest way to breach a network because so many users have administrative accounts and accidentally click malicious links.

  • Without a least privilege policy, users typically retain admin access over local endpoints and that makes them an easy target. When a user is logged in with privileged credentials and unwittingly downloads malicious code from an email or website, that malware gains unlimited access to the computer and possibly multiple systems on your network.
  • A least privilege policy prevents malicious code from conquering an endpoint or spreading over your attack surface. By limiting access and keeping most people on Standard User or Domain User accounts instead of Local Admin accounts, you protect your network from malware exploits.

Organizations typically have exponentially more privileged accounts than they have employees. Privileged accounts may be unknown, unmanaged, and, therefore, unprotected.

How To Successfully Comply With A Least Privilege Policy

The first step to comply with a least privilege policy is knowing which privileges you need to manage

Prioritize your risk with Thycotic’s Least Privilege Discovery tool.

  • Find out which endpoints and local users have administrative credentials.
  • Identify which applications are in use and if they require administrative rights to run.
  • Understand your risk level for service accounts and applications with an elevated or excessive set of privileges.

Next, create a plan for managing user and application requirements to make sure your least privilege policy will succeed

Simply limiting access or removing privileges to enforce your least privilege policy is not an adequate least privilege management practice, and it can have negative consequences. When you remove privileges from users, they may not be able to do their jobs as easily because they can’t install or update software or manage system controls. Make sure your least privilege policy also includes approved business applications and a process to keep users productive.

To keep pace with business needs, application control solutions let people use applications while complying with a least privilege policy.

  • Find out what applications are currently used on your network with the free Endpoint Application Discovery Tool.
  • To comply with least privilege policies, user rights should never be elevated to execute applications because this opens a window for hackers to exploit. Instead, allowed applications should be elevated directly.
  • Let your software do its share of the work: automate your application policies and your workflows to review and approve applications, so your desktop team isn’t overwhelmed with support requests, and users can get back to work faster.

Now, you are ready to remove unneeded privileges to comply with your least privilege policy

  • A privilege management solution can reset all users, endpoints, or systems to a “clean slate” at once, monitor activity to ensure your least privilege policy is always enforced, and allow you to manage changes easily.
  • Under a least privilege policy, even Local Admins on servers and Domain Admin accounts should be limited. IT admins should have a standard account without privileged network access for day-to-day work, such as checking email. This way they only use the Local and Domain Admin accounts when privilege is truly needed.

Top 10 Keys to Successful Least Privilege Adoption via Application Control

In this report you’ll learn:

  • The most effective and secure approaches to least privilege and application control
  • How you can demonstrate compliance with least privilege
  • Policies and workflow you need to keep users and IT teams productive

Free Least Privilege Discovery Tool

When accounts are overprivileged, they’re vulnerable to insider threats and malware attacks.

Thycotic’s free Least Privilege Discovery Tool helps you reduce risk and meet least privilege compliance requirements with a prioritized list of actions specific to your environment.

You can quickly and easily find vulnerabilities related to:

  • User workstations – Identify accounts with local admin privileges.
  • IT infrastructure and services – Find elevated privileges on IT resources and service accounts, and credentials that are improperly shared or past their expiration date.
  • Operating systems and applications – See which applications on your network are flagged as malicious or insecure.