Logical Access Control – Least Privilege

If you plan on taking the Security+ exam you should have a good understanding of the various logical access controls including the principle of least privilege. These controls restrict access to the logical network as opposed to restricting access to the physical areas of a building or physical access to devices within the network.

This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide.

The principle of least privilege is an example of a technical control that uses access controls. Privileges are the rights and permissions assigned to users. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more. For example, if Joe needs to print to a printer, you should grant him print permission for that printer, but nothing else.

This principle also applies to administrators. Not every IT administrator needs full administrative rights on every device within the network. If an administrator only needs to be able to review logs and update specific network devices, the administrator should be given appropriate access to these logs and devices, and no more.

Remember this

Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.

A colleague shared an extreme example of how this principle was violated where he worked. He was the lone IT administrator, and no matter how much he asked for help, his boss was never able to get him additional staff. The company grew, and he found he was fielding many complaints because users didn’t have the access they needed. He knew he needed to improve the administrative model with groups and roles, but he just didn’t have enough time.

The users complained to his boss, who then put pressure on him. The boss’s direction was simply: “Fix this problem!”

Ultimately, he put all the users into the Domain Admins group. In a Windows Active Directory domain, the Domain Admins group has full rights and permissions to do anything and everything in a domain. Suddenly, all the users had full privileges. This was the equivalent of lighting the fuse on a time bomb. It would only be a matter of time before users purposely or accidentally caused problems with their newfound permissions.

Ironically, his boss was happy because the users stopped complaining. I heard from him a couple of months later. One of the users found payroll data on the network and discovered the salaries of other employees. It spread through the company quickly and caused a significant amount of infighting. At that point, his boss’s boss wasn’t very happy.

It takes a little time and effort to implement role-based access control with groups. However, it reduces overall administration and helps to implement the principle of least privilege.

Security+ Study Resources

Security+ Full Access Package

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:

• All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
• Over 40 new multiple-choice questions we’ve added after publishing the study guide.
• Over 30 performance-based questions. See a demo here.
• All of the flashcards from the study guide. View them in any Web browser.
• All of the audio from the study guide. Listen to a sample here.
• Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Study Guide Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. The author uses many of the same analogies and explanations he’s honed in the classroom. These analogies an explanations have helped hundreds of students master the Security+ content. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details.

You’ll be ready to take and pass the exam the first time you take it. Each chapter includes a comprehensive review section to help you focus on what’s important. Over 440 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. Includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter. Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question.