Thycotic is now Delinea!

Your Leadership Mandated a Least Privilege Policy. Now What?

Find out how to implement and enforce a least privilege policy without putting the brakes on productivity


Administrators routinely use shared accounts with standing privileges.


Without least privilege, Windows, macOS, Linux and UNIX systems are all exposed in the same way: any process running under an administrative account controls the whole host.


Avoid standing privileges and enforce least privilege based on approved just-in-time access request workflows.

The least privilege model means limiting access to reduce your attack surface

When users or applications run with administrative privileges, they hold access to sensitive data, the operating system and its most powerful controls at all times, whether or not the current task needs it. With modern Privileged Access Management, administrative accounts with full rights are instead vaulted and reserved for emergencies. A user requests specific roles which, if approved, grant access to particular systems and the ability to run particular applications or commands. When a legitimate task calls for more privilege, that privilege is requested and granted just-in-time and expires after a limited time.

Regulations and frameworks such as PCI DSS, HIPAA, SOX, NIST guidance and the CIS Controls recommend or require a least privilege model as part of compliance. During an audit you may have to demonstrate how the principle of least privilege is applied and enforced across your organization's administrative accounts.


A least privilege policy mitigates the risk of malware infecting your network

Removing local admin rights from desktops and laptops blocks malware that needs administrative privileges to install itself, for example to add drivers, services or other system-wide persistence; code that runs as a standard user is confined to what that user can already reach. Protecting access to user desktops and laptops is therefore as important as protecting servers. Eighty percent of hackers find human error the easiest way to breach a network, because so many users hold administrative accounts and accidentally click malicious links.

  • Without a least privilege policy, users typically keep admin rights on their local endpoints, which makes them an easy target. When a user logged in with privileged credentials unwittingly downloads malicious code from an email or website, that malware runs with full control of the computer and can reach other systems on your network.
  • An attacker who compromises those admin credentials can penetrate your network. Malware inherits the permissions of the user who ran it, and full admin rights let it spread to other systems. A least privilege policy limits an attacker's ability to move laterally and so contains the spread.

Learn how you can protect your users’ desktops and laptops with Privilege Manager and extend that powerful protection to servers with Cloud Suite.

Organizations typically have many times more privileged accounts than employees. Privileged accounts that are unknown and unmanaged are, by definition, unprotected.

How To Successfully Comply With A Least Privilege Policy

The first step to comply with a least privilege policy is knowing which privileges you need to manage

Prioritize your risk with Thycotic’s Least Privilege Discovery tool.

  • Find out which endpoints and local users have administrative credentials.
  • Identify which applications are in use and if they require administrative rights to run.
  • Understand your risk level for service accounts and applications with an elevated or excessive set of privileges.

Next, create a plan for managing user and application requirements to make sure your least privilege policy will succeed

Start by discovering shared privileged accounts, then vault the mission-critical ones for emergency use only. Next, build a centrally managed set of policies that define your least privilege access, and deploy those policies to endpoints for local enforcement.

To keep pace with business needs, application control solutions let people use applications while complying with a least privilege policy.

  • Find out what applications are currently used on your network with the free Endpoint Application Discovery Tool.
  • Implement least privilege policies that include just enough privileges, granted just-in-time, for a limited time, with a Zero Trust Privilege approach.
  • Let your software do its share of the work: automate your application policies and your workflows to review and approve applications, so your desktop team isn’t overwhelmed with support requests, and users can get back to work faster.

Now, you are ready to remove unneeded privileges to comply with your least privilege policy

  • A privilege management solution can reset all users, endpoints or systems to a “clean slate” at once, monitor activity to ensure the policy stays enforced, and let you manage changes easily.
  • Grant just-in-time elevation only when a task genuinely requires it. Keep local and domain administrator accounts vaulted, so they are checked out only for approved work and never sit as standing privilege on an endpoint.
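The discovery step earlier on this page (which endpoints and local users hold administrative credentials) and the “clean slate” removal step above work on the same data: who is in the local Administrators group on each endpoint. The following PowerShell script is an added example, not Thycotic/Delinea code and not the Least Privilege Discovery Tool, that audits the local Administrators group on a Windows endpoint and, with -Remove, strips members that are not on an allow list. The allow-list entry CORP\Workstation-Admins and the script name Audit-LocalAdmins.ps1 are assumptions; the script assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated session.

```powershell
# Added example (not Thycotic/Delinea code): audit and optionally remediate
# local Administrators membership on one Windows endpoint.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module)
# and an elevated PowerShell session.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals permitted to remain in the local Administrators group.
    # 'CORP\Workstation-Admins' is a hypothetical name; replace with your own
    # break-glass and admin groups.
    [string[]] $AllowList = @('CORP\Workstation-Admins'),

    # Pass -Remove to strip members not on the allow list.
    # Combine with -WhatIf to preview the removals without applying them.
    [switch]   $Remove
)

# Resolve the group by its well-known SID so the script works regardless of
# display language or whether the group has been renamed.
$adminsGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members     = Get-LocalGroupMember -Group $adminsGroup

$findings = foreach ($m in $members) {
    # RID 500 is the built-in local Administrator account. It stays in the
    # group: the page's advice is to vault it for emergencies, not delete it.
    $isBuiltIn = $m.SID.Value -match '-500$'
    $allowed   = $isBuiltIn -or ($AllowList -contains $m.Name)

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        BuiltIn     = $isBuiltIn
        Allowed     = $allowed
    }
}

# Report: every member, flagged Allowed/not. Non-allowed members are the
# standing privilege the least privilege policy says should go.
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { -not $_.Allowed })) {
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run is safe.
        if ($PSCmdlet.ShouldProcess($f.Member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group $adminsGroup -Member $f.Member
        }
    }
}
```

Run it with no switches for a report only, with `-Remove -WhatIf` to see which accounts would be removed, and with `-Remove` to apply the change. Pushing it out through your management tooling and collecting the per-endpoint reports gives you the prioritized inventory the discovery step calls for before any rights are taken away.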

Learn how Privilege Manager allows you to manage local endpoint security with precision, and deploy a policy-driven Least Privilege posture.

Top 10 Keys To Successful Least Privilege Adoption via Application Control

In this report you’ll learn:

  • The most effective and secure approaches to least privilege and application control
  • How you can demonstrate compliance with least privilege
  • Policies and workflow you need to keep users and IT teams productive

Free Least Privilege Discovery Tool

Overprivileged accounts magnify the damage that an insider or a malware infection can do.

Thycotic’s free Least Privilege Discovery Tool helps you reduce risk and meet least privilege compliance requirements with a prioritized list of actions specific to your environment.

You can quickly and easily find exposures related to:

  • User workstations – Identify accounts with local admin privileges.
  • IT infrastructure and services – Find elevated privileges on IT resources and service accounts and credentials improperly shared or past their expiration date.
  • Operating systems and applications – See which applications on your network are flagged as malicious or insecure.