Your leadership mandated a least privilege policy. Now what?

Find out how to implement and enforce a least privilege policy without putting the brakes on productivity

Challenge

To comply with regulations and reduce your risk, you need a least privilege policy that removes excessive privileges.

Danger

Without least privilege, virtually all Windows and Mac computers are vulnerable.

Solution

Automatically remove privileges and add policy-based controls so people can use tools without needing the help desk.

Why do security regulations call for a least privilege policy?

The least privilege model means information is accessed only on a need-to-know basis

When users or applications operate with administrative privileges, they have access to sensitive information and powerful system controls. In contrast, under a least privilege policy, privileged access is given only to people who really need it, when they need it. All others operate as general, everyday users without privileged credentials.

Regulations like PCI DSS, HIPAA, and SOX, and NIST and CIS security controls, recommend or require a least privilege policy. During an audit, you may have to demonstrate how the concept of least privilege is applied and enforced in your organization.

A least privilege policy prevents malware from infecting your network

When everyday users lack admin rights on their desktops and laptops, they can’t install malicious software. Eighty percent of hackers find human error the easiest way to breach a network because so many users have admin rights and accidentally click malicious links.

  • Without a least privilege policy, users typically retain admin access over local endpoints, which makes them an easy target. When a user is logged in with privileged credentials and unwittingly downloads malicious code from an email or website, that malware gains unlimited access to the computer and possibly multiple systems on your network.
  • A least privilege policy prevents malicious code from conquering an endpoint or spreading over your network. By keeping people on Standard User or Domain User accounts instead of Local Admin accounts, you protect your network from malware exploits.

Try Least Privilege Discovery tool

Discover how many endpoints are currently a malware risk.

Organizations typically have 2-3x more privileged accounts than they have employees. Privileged accounts may be unknown, unmanaged, and, therefore, unprotected.

How to successfully comply with a least privilege policy

The first step to comply with a least privilege policy is knowing which privileges you need to manage

Prioritize your risk with Thycotic’s Least Privilege Discovery tool.

  • Find out which endpoints and local users have administrative credentials.
  • Identify which applications are in use and if they require administrative rights to run.
  • Understand your risk level for service accounts and applications with excessive privileges.
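The first discovery step above can be checked by hand on a single Windows endpoint. The following is an added example, not Thycotic's tool or code: it lists the members of the local Administrators group and flags any that are not on an approved list. `$ApprovedAdmins` and its entries are hypothetical placeholders, and the script assumes Windows PowerShell 5.1 or later, where the LocalAccounts cmdlets are available.

```powershell
# Added example: audit who holds local admin rights on this endpoint.
# $ApprovedAdmins is a hypothetical allowlist; its entries are constructed samples.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins'
)

function Test-AdminMember {
    param(
        [Parameter(Mandatory)] $Member,
        [string[]] $Approved
    )
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Name            = $Member.Name              # e.g. HOST\user or DOMAIN\group
        ObjectClass     = $Member.ObjectClass       # User or Group
        PrincipalSource = $Member.PrincipalSource   # Local, ActiveDirectory, ...
        Approved        = $Approved -contains $Member.Name   # case-insensitive match
    }
}

try {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
    # avoids depending on the localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
}
catch {
    # The cmdlet can fail when the group contains orphaned (unresolvable) SIDs;
    # report the host so it can be reviewed manually.
    Write-Warning "Could not enumerate Administrators on ${env:COMPUTERNAME}: $_"
    return
}

$report = foreach ($m in $members) {
    Test-AdminMember -Member $m -Approved $ApprovedAdmins
}

# Unapproved members sort first ($false before $true).
$report | Sort-Object Approved, Name | Format-Table -AutoSize

$excess = @($report | Where-Object { -not $_.Approved })
Write-Output ("{0} of {1} local administrators are not on the approved list." -f `
    $excess.Count, @($report).Count)
```

Group entries such as a domain group still need to be expanded in the directory to see which individual accounts inherit local admin rights through them.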

Next, create a plan for managing user and application requirements to make sure your least privilege policy will succeed

Simply removing privileges to enforce your least privilege policy can have negative consequences. When you remove privileges from users, they may not be able to do their jobs as easily because they can’t install or update software or manage system controls. Make sure your least privilege policy also includes approved business applications and a process to keep users productive.

To keep pace with business needs, application control solutions let people use applications while complying with a least privilege policy.

  • Find out what applications are currently used on your network with the free Endpoint Application Discovery Tool.
  • To comply with least privilege policies, user rights should never be elevated to execute applications because this opens a window for hackers to exploit. Instead, whitelisted applications should be elevated directly.
  • Automating your application policies and your workflows to review and approve applications ensures your desktop team isn’t overwhelmed with support requests and users can get back to work faster.

Now, you are ready to remove unneeded privileges to comply with your least privilege policy

  • A privilege management solution can reset all users, endpoints, or systems to a “clean slate” at once, monitor activity to ensure your least privilege policy is always enforced, and allow you to manage changes easily.
  • Under a least privilege policy, even Local Admins on servers and Domain Admin accounts should be limited. IT admins should have a standard account without privileged network access for day-to-day work, such as checking email. This way they only use the Local and Domain Admin accounts when privilege is truly needed.

Try Windows Application Discovery Tool

Compile a list of applications on your network to decide if they should be whitelisted or blacklisted.

Enforce your least privilege policy by removing privileges and implementing application control.

See how to make least privilege management hassle free for security, desktop support, and business users

Whitepaper:

Top 10 Keys to Successful Least Privilege Adoption Via Application Control

blog:

How to Protect Your Desktop Team When Moving to Least Privilege

blog:

Why is Least Privilege the Place to Start for Endpoint Security?
