
Your leadership mandated a least privilege policy. Now what?

Find out how to implement and enforce a least privilege policy without putting the brakes on productivity

The Challenge

To comply with regulations and reduce your risk, you need a least privilege policy that removes excessive privileges.

The Danger

Without least privilege, virtually all Windows and Mac computers are vulnerable.

The Solution

Automatically remove privileges and add policy-based controls so people can use tools without needing the help desk.

Why do security regulations call for a least privilege policy?

The least privilege model means limiting access to reduce your attack surface

When users or applications operate with administrative privileges, they have access to sensitive data, operating systems, and powerful controls. In contrast, under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them, when they need them. All others operate as general, everyday users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and the NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

A least privilege policy prevents malware from infecting your network

When everyday users lack admin rights on their desktops and laptops, they can’t install malicious software. Eighty percent of hackers find human error the easiest way to breach a network because so many users have administrative accounts and accidentally click malicious links.

  • Without a least privilege policy, users typically retain admin access over local endpoints and that makes them an easy target. When a user is logged in with privileged credentials and unwittingly downloads malicious code from an email or website, that malware gains unlimited access to the computer and possibly multiple systems on your network.
  • A least privilege policy prevents malicious code from conquering an endpoint or spreading over your attack surface. By limiting access and keeping most people on Standard User or Domain User accounts instead of Local Admin accounts, you protect your network from malware exploits.

Try Least Privilege Discovery tool

Discover how many endpoints are currently a malware risk.

Organizations typically have 2-3x more privileged accounts than they have employees. Privileged accounts may be unknown, unmanaged, and, therefore, unprotected.

How to successfully comply with a least privilege policy

The first step to comply with a least privilege policy is knowing which privileges you need to manage

Prioritize your risk with Thycotic’s Least Privilege Discovery tool.

  • Find out which endpoints and local users have administrative credentials.
  • Identify which applications are in use and if they require administrative rights to run.
  • Understand your risk level for service accounts and applications with an elevated or excessive set of privileges.

Next, create a plan for managing user and application requirements to make sure your least privilege policy will succeed

Simply limiting access or removing privileges to enforce your least privilege policy is not an adequate least privilege management practice, and it can have negative consequences. When you remove privileges from users, they may not be able to do their jobs as easily because they can’t install or update software or manage system controls. Make sure your least privilege policy also includes approved business applications and a process to keep users productive.

To keep pace with business needs, application control solutions let people use applications while complying with a least privilege policy.

  • Find out what applications are currently used on your network with the free Endpoint Application Discovery Tool.
  • To comply with least privilege policies, a user's account should never be elevated just to run an application, because an elevated user session opens a window for hackers to exploit. Instead, the approved application itself should be elevated, so the user keeps standard rights while that one process runs with the privileges it needs.
  • Let your software do its share of the work: automate your application policies and your workflows to review and approve applications so your desktop team isn’t overwhelmed with support requests and users can get back to work faster.

Now, you are ready to remove unneeded privileges to comply with your least privilege policy

  • A privilege management solution can reset all users, endpoints, or systems to a “clean slate” at once, monitor activity to ensure your least privilege policy is always enforced, and allow you to manage changes easily.
  • Under a least privilege policy, even Local Admins on servers and Domain Admin accounts should be limited. IT admins should have a standard account without privileged network access for day-to-day work, such as checking email. This way they only use the Local and Domain Admin accounts when privilege is truly needed.
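The first discovery step above (which endpoints and local users hold administrative credentials), as an added example written for this page rather than Thycotic's own tool: it inventories the local Administrators group on one Windows endpoint and flags every principal not on an approved list. It assumes Windows 10 / Server 2016+ with the Microsoft.PowerShell.LocalAccounts module; the approved list and the CORP\Endpoint-Admins group are constructed placeholders.

```powershell
# Added example, not Thycotic's Least Privilege Discovery tool: inventory who holds
# local admin rights on this Windows endpoint and flag anyone not on an approved list.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).

# Constructed placeholder: principals allowed to keep local admin rights.
# 'CORP\Endpoint-Admins' is a hypothetical domain group for the desktop team.
$ApprovedAdmins = @('Administrator', 'CORP\Endpoint-Admins')

function Get-LocalAdminFindings {
    param([string[]]$Approved = $ApprovedAdmins)

    # Look the group up by its well-known SID so localized group names still match.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        # Local principals come back as "HOSTNAME\name"; compare on the bare name.
        $shortName  = $m.Name.Split('\')[-1]
        $isApproved = ($Approved -contains $m.Name) -or
                      ($m.PrincipalSource -eq 'Local' -and $Approved -contains $shortName)

        # A disabled local user account is not an active risk; record its state.
        $enabled = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $enabled = (Get-LocalUser -Name $shortName).Enabled
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Principal = $m.Name
            Type      = $m.ObjectClass        # User or Group
            Source    = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, ...
            Enabled   = $enabled              # $null for groups and domain principals
            Approved  = $isApproved
        }
    }
}

$findings = Get-LocalAdminFindings
$excess   = $findings | Where-Object { -not $_.Approved -and $_.Enabled -ne $false }

# Append to a CSV so results from many endpoints can be prioritized together.
$findings | Export-Csv -Path "$env:TEMP\local-admin-audit.csv" -NoTypeInformation -Append

if ($excess) {
    Write-Warning ("{0}: {1} unapproved local admin principal(s): {2}" -f
        $env:COMPUTERNAME, @($excess).Count, ($excess.Principal -join ', '))
    exit 1   # non-zero so a deployment tool can count this endpoint as a risk
}
Write-Output "$env:COMPUTERNAME: local Administrators group matches the approved list."
```

Run it from an elevated session under your software deployment or RMM tool; the non-zero exit code gives you the per-endpoint count the Discovery step asks for.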

Try Windows Application Discovery Tool

Compile a list of applications on your network to decide if they should be allowed or denied.


Enforce your least privilege policy by removing privileges and implementing application control.

See how to make least privilege management hassle free for security, desktop support, and business users.
