The principle of least privilege is a basic cybersecurity tenet. The idea is to provide as little access to a resource as possible while still allowing a successful transaction. Such a transaction might be accessing a file, managing a service, administering a system like Active Directory, running applications, connecting to a specific network, etc.
The principle of least privilege falls under the umbrella of a zero-trust security policy, which operates on the idea that even internal resources are untrusted and must be authenticated and authorized.
One of the most basic applications of the principle is the oft-heard advice not to log on to a system with a root or administrator account. These accounts almost always have more power than is necessary for a user doing daily tasks like checking email, web browsing, running a spreadsheet program, etc.
A robust implementation of the principle benefits the organization by reducing the chances of security breaches, malware or mistakes. The effects of user mistakes can be catastrophic, such as the recent grounding of planes in the United States caused by an unintentionally deleted set of files. However, users used to a more open environment will likely have difficulty adapting to being restricted to only the resources applicable to their role.
Read on to learn three ways you can use the principle of least privilege, including a basic permissions scenario, managing group memberships and concluding with a more complex application management example.
Example 1: File and Folder Access
Let’s begin with a straightforward example. Suppose a file named vacation-policy.txt exists on a Linux server. Likely, all users should be able to view the policy file contents and discover how much vacation time they can take. However, allowing all users to edit the policy would be absurd!
To translate this example into Linux terms, all users should have the read (r--) permission to the file, but only a few users should have read and write (rw-).
An Advanced Example
I'll extend the example to something a little more complex. Imagine a webserver and the various roles associated with it. The server administrator should have access to system and application configuration files, but probably not website content files. Web developers should edit (read and write) the content files but not access server or application configuration files. Finally, website users should only be able to read specific content files and certainly not upload or change any files.
In these cases, the principle of least privilege means granting the most restrictive permissions possible that still allow users the required level of access for their role.
Example 2: Managing Group Memberships
In a larger context, consider administrators working in a Windows Active Directory environment. The standard superuser account is the Domain Administrator. Any member of the Domain Admins group has virtually unlimited privileges within the domain. These privileges include the administration of services like DNS and DHCP.
However, what if you delegate DNS and DHCP administration to specific IT staff members? These folks need complete administrative control of the two services but should not have any authority over other Active Directory objects, such as user or computer accounts.
Microsoft answered this need by providing DNS and DHCP administrative groups.
- DNS admins: Administrative access to configure the DNS service
- DHCP admins: Administrative access to configure the DHCP service
Using these two groups, a senior administrator could delegate DNS and DHCP administration to junior administrators without granting complete domain administration privileges. This is a great application of the principle of least privilege.
AD also includes the DHCP Users group, which permits read-only access to the DHCP information—perfect for auditors or contractors. Microsoft also recommends administrators create other service-specific administrative groups, as necessary.
Other delegation and default group examples:
- /etc/sudoers: Delegate Linux administrative privileges carefully by writing a precise sudoers configuration file for the sudo command
- Administrative groups: Control membership in administrative groups, such as the Linux wheel group
- Anonymous and default accounts: Remove Windows and Linux anonymous or other default accounts, if possible
- /etc/sshd_config: Configure the Linux SSH service configuration file to deny root access (administrators should elevate their privileges via sudo after the connection rather than connecting as root) and restrict which SSH clients are allowed to connect
Example 3: Control Applications
Access to files and service configurations is not the only issue. The principle of least privilege also applies to applications. Modern organizations maintain a list of authorized programs users and administrators may run. Users typically only have access to the applications associated with their job roles.
Similarly, IT personnel such as support specialists and help desk technicians often use configuration scripts and troubleshooting applications that standard users should not be able to access. One way to manage such tools is a read-only shared folder that contains authorized versions of programs and trusted copies of scripts. Only the required IT staff members should have read access to this share.
Windows Active Directory environments can enforce the use of authorized software by implementing Windows Defender Application Control (WDAC) policies. These Group Policy settings identify applications and apply rules defining whether the application is allowed to run on the system. WDAC enables administrators to enforce the organization's authorized programs list. This is one method for mitigating malware.
Reasons to control applications:
- Configuration scripts not fully understood by non-IT personnel
- Limited apps based on need, license costs, support, etc.
Mitigate Mistakes With the Principle of Least Privilege
The principle of least privilege is one of the most critical components of a zero-trust security posture. While I provided three examples of the principle, there are far too many examples of applying the principle to be included in this article.
Here’s a list of some basic guidance and practices:
Under the principle of least privilege, identities are granted access to resources only at the level required and no higher; if the user only needs to read the file, they are given the read permission and not read-write. This approach helps mitigate malware, mistakes and data breaches.
Learn the skills you need with CompTIA CertMaster Learn. Sign up today for a free trial today!