220-1102 | Chapter 70 of 131 | Objective 2.2

Principle of Least Privilege

This chapter covers the Principle of Least Privilege (PoLP), a foundational security concept that appears in approximately 5-10% of CompTIA A+ 220-1102 exam questions across multiple objectives, particularly in Domain 2 (Security) Objective 2.2. You will learn exactly what PoLP means, how it is implemented in Windows and Linux systems, and how to configure user accounts and permissions to enforce it. Understanding PoLP is critical for protecting systems from accidental damage, malware, and privilege escalation attacks — all of which are heavily tested on the exam.

25 min read
Intermediate
Updated May 31, 2026

The Hotel Key Card System

Imagine a hotel where every guest receives a key card that grants access only to their specific room, the lobby, and the fitness center — nothing else. The front desk clerk has a card that opens the office, the supply closet, and the reservation system, but not guest rooms. The manager has a master key that opens all doors, but only uses it when necessary. The principle of least privilege (PoLP) works exactly like this: each person (user, process, or system) is granted the minimum permissions required to perform their job function. If a housekeeper needs to clean rooms, they get a card that opens all guest rooms during their shift, but not the manager's office or the IT server room. If a guest tries to access the roof, the card is denied. In computing, this means a user account cannot install software or modify system files unless that task is explicitly part of their role. The hotel's key card system logs every access attempt — just as Windows Security Event Log records every privilege use. If a card is used outside its authorized area, the system triggers an alert. This prevents a stolen guest card from being used to access the hotel safe, just as a compromised standard user account cannot be used to disable antivirus or change system policies. The key is that permissions are granted based on the minimum needed, not based on trust or convenience.

How It Actually Works

What is the Principle of Least Privilege?

The Principle of Least Privilege (PoLP) states that every user, program, or process should have only the minimum set of permissions necessary to perform its legitimate function. This is a core security control that reduces the attack surface and limits the blast radius of any compromise. On the 220-1102 exam, you must understand that PoLP applies to:

User accounts (standard vs. administrator)

Service accounts (running services with minimal rights)

Application permissions (file system, registry, network access)

Group memberships (e.g., Power Users, Backup Operators)

Why PoLP Exists

Without PoLP, users often run with administrative privileges by default. This creates several security risks:

Accidental damage: An admin user might accidentally delete critical system files.

Malware impact: Malware running under an admin account can modify system files, disable security software, and install rootkits.

Privilege escalation: If an attacker compromises a standard user account, they still need to escalate to admin to cause maximum damage. PoLP makes that step harder.

Insider threats: A disgruntled employee with excessive permissions can steal or destroy data beyond their job scope.

How PoLP Works Internally

On Windows, every process runs with an access token that contains the user's security identifier (SID) and group SIDs. When a process tries to access an object (file, registry key, printer), Windows checks the object's security descriptor (which contains a discretionary access control list, or DACL) against the token. If the token lacks the required permission, access is denied.

For example, when a standard user tries to write to C:\Windows\System32, the NTFS file system checks the DACL on the System32 folder. The DACL typically grants only SYSTEM and Administrators write access. Since the standard user's token does not include the Administrators group SID, the write fails with ACCESS_DENIED.

Key Components and Defaults

Built-in accounts:

- Administrator: Full control over the system. Disabled by default in Windows 10/11.
- Guest: Very limited privileges. Disabled by default.
- SYSTEM: Highest local privileges, used by OS services.

User Account Control (UAC): Enforces PoLP by running users with a limited (standard) token even when they are members of the Administrators group. When an admin action is required, UAC prompts for consent (for admins) or credentials (for standard users). UAC has four levels: Always notify; Notify me only when apps try to make changes (default); Notify me only when apps try to make changes (do not dim desktop); Never notify.

Default user groups:

- Administrators: Full system access.
- Users: Standard user rights. Members cannot modify system settings or install software.
- Power Users: Legacy group from Windows XP; has more rights than Users but less than Administrators. In modern Windows, Power Users is retained for backward compatibility but has limited elevated privileges.
- Remote Desktop Users: Members can log on remotely via RDP.
- Backup Operators: Can bypass file permissions for backup purposes.

Linux equivalents:

- root (UID 0): Superuser with all privileges.
- Regular users (UID >= 1000): Limited privileges.
- sudo: Allows authorized users to execute commands as root or another user. Configuration in /etc/sudoers.

Configuration and Verification Commands (Windows)

Check current user privileges:

whoami /priv

View user group memberships:

net user username
net localgroup Administrators

Create a standard user account:

net user jdoe P@ssw0rd /add
net localgroup Users jdoe /add

Remove from Administrators group:

net localgroup Administrators jdoe /delete

Configure UAC:

- Via GUI: Control Panel > User Accounts > Change User Account Control settings
- Via Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - EnableLUA (1 = on, 0 = off)
  - ConsentPromptBehaviorAdmin (0 = elevate without prompting, 2 = prompt for consent, 5 = prompt for credentials)
  - PromptOnSecureDesktop (1 = dim desktop, 0 = do not dim)

Check UAC status:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
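The same check as the `reg query` above, written as a small audit script so the three registry values can be evaluated together. This is an added example, not Microsoft tooling and not from the page: on Windows it reads the live values with the standard-library `winreg` module; anywhere else it evaluates a constructed snapshot dictionary, so the findings logic can be exercised offline. The interpretation of EnableLUA, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop follows the list above.

```python
"""Audit the UAC registry values under HKLM\\...\\Policies\\System.
Added example; the WEAK and RECOMMENDED snapshots below are constructed."""

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def read_uac_values():
    """Read the three values from HKLM on Windows; return {} elsewhere."""
    try:
        import winreg
    except ImportError:          # not Windows: caller should supply a snapshot
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in VALUES:
            try:
                out[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:   # value not present: Windows default applies
                pass
    return out


def assess_uac(values):
    """Return findings for settings that weaken UAC; [] means nothing to report.
    Missing EnableLUA / PromptOnSecureDesktop are treated as their 'on' default."""
    findings = []
    if values.get("EnableLUA", 1) != 1:
        findings.append("EnableLUA=0: UAC is off; admin logons receive a full token")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admins elevate without prompting")
    if values.get("PromptOnSecureDesktop", 1) != 1:
        findings.append("PromptOnSecureDesktop=0: prompts not shown on the secure desktop")
    return findings


# Constructed snapshots (not read from any real machine)
WEAK = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}
RECOMMENDED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    live = read_uac_values()
    target = live if live else WEAK       # fall back to the constructed snapshot off Windows
    for finding in assess_uac(target) or ["UAC settings look fine"]:
        print(finding)
```

Run it as an administrator on the machine being reviewed; on a non-Windows host it reports against the constructed WEAK snapshot so you can see what a failing system would produce.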

How PoLP Interacts with Other Technologies

AppLocker: Can restrict which applications users can run, enforcing PoLP at the application level.

BitLocker: Requires admin privileges to enable/disable, but standard users can still access encrypted drives if granted.

Windows Defender: Standard users cannot disable real-time protection or modify exclusion lists.

Group Policy: Can enforce PoLP by restricting software installation, access to Control Panel, and other settings.

NTFS Permissions: Used to grant minimal file/folder access to users and groups.

Exam-Tested Implementation Examples

1. Standard vs. Administrator accounts: The exam expects you to know that standard users cannot install software or change system settings. Always recommend standard accounts for daily use.

2. Run as administrator: Right-click > Run as administrator prompts UAC. This is a way for admins to temporarily elevate privileges.

3. Service accounts: Services should run with the minimum required privileges — never as SYSTEM unless absolutely necessary.

4. Linux sudo: The exam may ask about sudo as a PoLP tool — only specific users can run specific commands as root.

Walk-Through

Step 1: Identify user roles and tasks

Begin by listing all user roles in the organization (e.g., help desk, accountant, manager) and the specific tasks each role must perform. For example, a help desk technician needs to reset passwords and unlock accounts but does not need to modify system files. This step is critical because granting permissions beyond these tasks violates PoLP. On the exam, you may be given a scenario and asked to determine the minimum permissions needed for a role. Always consider the principle: no more than necessary.

Step 2: Create user groups based on roles

In Active Directory or local SAM, create security groups that map to the roles identified. For instance, create a 'HelpDesk' group and grant it the 'Reset Password' right via Group Policy or delegated control. Do not add users directly to built-in groups like Administrators unless they truly need full control. The exam frequently tests that group membership is the preferred method for assigning permissions because it simplifies management and auditing.

Step 3: Assign minimal permissions to groups

Set NTFS permissions, share permissions, and registry permissions to grant only the necessary access. For example, the 'HelpDesk' group might have 'Read' and 'Write' access to the shared support folder but no access to the finance folder. Use the principle of 'deny by default, allow explicitly.' On Windows, effective permissions are the sum of allowed permissions minus any explicit deny. The exam expects you to know that explicit deny overrides allow.
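A model of the access check described in "How PoLP Works Internally" (token SIDs evaluated against a DACL), which also shows this step's rule that an explicit deny overrides an allow. This is an added example, not Windows code and not from the page: the well-known SIDs for SYSTEM, Administrators and Users are real, but the domain SIDs for jdoe, the admin, HelpDesk and Interns, every ACE, and the simplified rights mask are constructed for illustration.

```python
"""Model of the Windows access check: a process token (user SID + group SIDs)
is walked against an object's DACL in canonical order (deny ACEs first).
Added example; domain SIDs, ACEs and the rights values are constructed."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4       # simplified rights (constructed values)
FULL = READ | WRITE | EXECUTE

SYSTEM = "S-1-5-18"                         # well-known SID: Local System
ADMINISTRATORS = "S-1-5-32-544"             # well-known SID: built-in Administrators
USERS = "S-1-5-32-545"                      # well-known SID: built-in Users
HELPDESK = "S-1-5-21-1000-2000-3000-1101"   # constructed domain group SID
INTERNS = "S-1-5-21-1000-2000-3000-1102"    # constructed domain group SID


@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    trustee: str     # SID the ACE applies to
    mask: int        # rights granted or denied


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def canonical(dacl):
    """Canonical DACL order: explicit deny ACEs before explicit allow ACEs."""
    return sorted(dacl, key=lambda ace: ace.allow)   # False (deny) sorts first


def access_check(token, dacl, requested):
    """True if every requested right is granted. A matching deny ACE that covers
    any still-outstanding right means ACCESS_DENIED; a matching allow ACE removes
    its rights from the outstanding set; anything left at the end is a denial."""
    remaining = requested
    for ace in canonical(dacl):
        if remaining == 0:
            break
        if not token.holds(ace.trustee):
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
    return remaining == 0


def effective_rights(token, dacl):
    """Sum of allowed rights minus any explicit deny that applies to the token."""
    allowed = denied = 0
    for ace in dacl:
        if token.holds(ace.trustee):
            if ace.allow:
                allowed |= ace.mask
            else:
                denied |= ace.mask
    return allowed & ~denied


# Constructed DACL shaped like System32: SYSTEM and Administrators full, Users read+execute
SYSTEM32_DACL = [Ace(True, SYSTEM, FULL), Ace(True, ADMINISTRATORS, FULL), Ace(True, USERS, READ | EXECUTE)]
# Constructed finance share: HelpDesk may read/write, Interns carry an explicit deny on write
FINANCE_DACL = [Ace(True, ADMINISTRATORS, FULL), Ace(True, HELPDESK, READ | WRITE), Ace(False, INTERNS, WRITE)]

jdoe = Token("S-1-5-21-1000-2000-3000-1001", frozenset({USERS}))                       # standard user
admin = Token("S-1-5-21-1000-2000-3000-500", frozenset({USERS, ADMINISTRATORS}))       # full admin token
intern = Token("S-1-5-21-1000-2000-3000-1002", frozenset({USERS, HELPDESK, INTERNS}))  # HelpDesk member who is also an intern


def demo():
    return {
        "jdoe_write_system32": access_check(jdoe, SYSTEM32_DACL, WRITE),      # no Administrators SID: ACCESS_DENIED
        "jdoe_read_system32": access_check(jdoe, SYSTEM32_DACL, READ | EXECUTE),
        "admin_write_system32": access_check(admin, SYSTEM32_DACL, WRITE),
        "intern_write_finance": access_check(intern, FINANCE_DACL, WRITE),   # explicit deny beats the HelpDesk allow
        "intern_read_finance": access_check(intern, FINANCE_DACL, READ),
        "intern_effective_finance": effective_rights(intern, FINANCE_DACL),  # READ only
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `canonical` sort is the reason the exam's rule holds: because Windows expects deny ACEs ahead of allow ACEs, a deny that applies to any of the token's SIDs is seen before an allow can satisfy the request.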

Step 4: Create standard user accounts

When creating user accounts, do not add them to the Administrators group. Instead, add them to the Users group (standard user). This ensures that even if the account is compromised, the attacker cannot install malware or disable security software. For users who occasionally need admin rights (e.g., to install approved software), use 'Run as administrator' with separate admin credentials or a secondary admin account. The exam emphasizes that standard user accounts are the default recommendation for daily use.

Step 5: Enable and configure User Account Control

UAC should be enabled (default) to enforce PoLP. Even if a user is a member of Administrators, UAC runs most applications with a standard user token. Only when an application requests elevation does UAC prompt for consent or credentials. The default level 'Notify me only when apps try to make changes to my computer' is appropriate for most environments. Disabling UAC weakens PoLP and is a common exam trap — never disable UAC on a production system.

Step 6: Audit and review permissions regularly

Use tools like the 'Effective Permissions' tab in Windows, `icacls`, or `Get-Acl` in PowerShell to review permissions. Check for users who have been accidentally added to privileged groups. The exam may ask about auditing with the Security Event Log (Event ID 4720 for user creation, 4732 for group membership changes). Regular reviews ensure that permissions remain minimal as roles change.
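Detection logic for this audit step, run over constructed Security-log records. This is an added example, not from the page and not a Microsoft tool: each record is a simplified dictionary whose keys mirror the EventData field names of events 4720 and 4732 (SubjectUserName, TargetUserName, MemberName), and all the names and timestamps are made up. It flags every addition to a privileged local group and, more specifically, any account that was created and then placed in a privileged group within a short window, which is the "new account straight into Administrators" pattern that violates PoLP.

```python
"""Review constructed Security log events for privileged-group changes.
Added example: the EVENTS list is made up, not real log output."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}

# Constructed sample records; 4720 = account created, 4732 = member added to local group, 4624 = logon
EVENTS = [
    {"time": "2026-05-31T09:00:00", "id": 4720, "SubjectUserName": "itadmin", "TargetUserName": "jdoe"},
    {"time": "2026-05-31T09:00:10", "id": 4732, "SubjectUserName": "itadmin",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Users"},
    {"time": "2026-05-31T09:05:00", "id": 4720, "SubjectUserName": "itadmin", "TargetUserName": "svc-backup"},
    {"time": "2026-05-31T09:05:30", "id": 4732, "SubjectUserName": "itadmin",
     "MemberName": "CORP\\svc-backup", "TargetUserName": "Administrators"},
    {"time": "2026-05-31T11:20:00", "id": 4732, "SubjectUserName": "helpdesk1",
     "MemberName": "CORP\\asmith", "TargetUserName": "Backup Operators"},
    {"time": "2026-05-31T12:00:00", "id": 4624, "TargetUserName": "jdoe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def privileged_group_additions(events):
    """Every 4732 whose target group is privileged: (member, group, actor)."""
    return [(e["MemberName"], e["TargetUserName"], e["SubjectUserName"])
            for e in events
            if e["id"] == 4732 and e["TargetUserName"] in PRIVILEGED_GROUPS]


def created_then_elevated(events, window=timedelta(minutes=10)):
    """Accounts created (4720) and added to a privileged group (4732) within `window`.
    Returns (account, group, actor) tuples; each one deserves a ticket and a review."""
    created = {e["TargetUserName"]: _ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        account = e["MemberName"].split("\\")[-1]      # strip the DOMAIN\ prefix
        if account in created and timedelta(0) <= _ts(e) - created[account] <= window:
            hits.append((account, e["TargetUserName"], e["SubjectUserName"]))
    return hits


def review(events):
    """Human-readable findings for the quarterly permissions review."""
    lines = [f"{member} added to {group} by {actor}"
             for member, group, actor in privileged_group_additions(events)]
    lines += [f"NEW ACCOUNT {account} elevated to {group} by {actor} within minutes of creation"
              for account, group, actor in created_then_elevated(events)]
    return lines


if __name__ == "__main__":
    for line in review(EVENTS):
        print(line)
```

On a real system the records would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732}`; the two functions only need the three EventData fields shown, so mapping the cmdlet's output onto this shape is a few lines of PowerShell.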

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare System

A hospital network with 5,000 employees uses Active Directory. The IT department enforces PoLP by creating role-based groups: 'Nurses', 'Doctors', 'Administrative Staff', and 'IT Support'. Nurses can access patient records but cannot modify system settings. Doctors have additional access to prescribe medications. Administrative staff can only view scheduling data. IT support has local admin rights on workstations but not on servers. When a nurse's account is compromised via phishing, the attacker can only view patient records, not install ransomware across the network. This containment is a direct result of PoLP. The system uses Group Policy to apply different software restrictions — nurses cannot install any software, while IT support can install approved applications via Software Center.

Enterprise Scenario 2: Financial Services Firm

A bank with 2,000 employees uses Linux servers for trading applications. Developers have sudo access to restart services but not to modify kernel parameters. The /etc/sudoers file is configured to allow specific commands:

%developers ALL=(ALL) /usr/bin/systemctl restart trading-app

This enforces PoLP because developers can only restart the trading app, not any other service. When a developer accidentally runs a malicious script, it cannot modify critical system files because the script runs with the developer's limited privileges. The bank also uses SELinux to further restrict process capabilities. Misconfiguration occurs when a new developer is accidentally added to the wheel group (full sudo access) — this violation of PoLP is caught during quarterly audits using ausearch.
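A parser and evaluator for the simple user-specification form of sudoers line shown above (`%group HOST=(RUNAS) command [args]`), as an added example: it is not the bank's configuration and not the sudo project's code, and the rule set and users below are constructed. It answers the two questions the scenario raises: can a developer run anything other than the one permitted `systemctl` command, and who holds an unrestricted `ALL` grant (the wheel misconfiguration the audit is meant to catch). Aliases, `Defaults` lines and wildcards are deliberately out of scope.

```python
"""Evaluate least-privilege sudoers rules. Added example; SUDOERS is constructed."""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    who: str          # user name, or %group
    hosts: str
    runas: str
    nopasswd: bool
    commands: tuple   # command specs; 'ALL' means unrestricted


# user/%group  host(s) = (runas)  [NOPASSWD:]  command[, command ...]
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text):
    """Parse user-specification lines; comments, blank lines and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        who, hosts, runas, nopasswd, cmds = m.groups()
        commands = tuple(c.strip() for c in cmds.split(","))
        rules.append(Rule(who, hosts, runas or "root", bool(nopasswd), commands))
    return rules


def _command_matches(spec, command):
    """sudoers semantics: a spec without arguments accepts any arguments;
    a spec that lists arguments must match the typed arguments exactly."""
    if spec == "ALL":
        return True
    spec_parts, cmd_parts = shlex.split(spec), shlex.split(command)
    if len(spec_parts) == 1:
        return cmd_parts[:1] == spec_parts
    return cmd_parts == spec_parts


def can_run(rules, user, groups, command, host="ALL"):
    """Return the Rule that lets `user` (a member of `groups`) run `command`, or None."""
    for rule in rules:
        applies = rule.who == "ALL" or rule.who == user or (
            rule.who.startswith("%") and rule.who[1:] in groups)
        if not applies or rule.hosts not in ("ALL", host):
            continue
        if any(_command_matches(spec, command) for spec in rule.commands):
            return rule
    return None


def unrestricted_grants(rules):
    """Who holds an 'ALL' command grant: the over-broad access an audit should flag."""
    return sorted(r.who for r in rules if "ALL" in r.commands)


# Constructed sudoers content (not a real file)
SUDOERS = """
# least-privilege grant: developers may only restart the trading app
%developers ALL=(ALL) /usr/bin/systemctl restart trading-app
%wheel ALL=(ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/journalctl
"""
RULES = parse_sudoers(SUDOERS)

if __name__ == "__main__":
    print(can_run(RULES, "bob", {"developers"}, "/usr/bin/systemctl restart trading-app"))
    print(can_run(RULES, "bob", {"developers"}, "/usr/bin/systemctl restart sshd"))   # None
    print(unrestricted_grants(RULES))                                                # ['%wheel']
```

Because the developers' spec lists arguments, `restart sshd` does not match; the `alice` rule lists none, so any `journalctl` arguments are accepted, which is why fully specified commands are the safer way to write a grant.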

Common Pitfalls

Over-privileged service accounts: Many organizations run services as SYSTEM or LocalSystem when a lower-privileged account like NetworkService would suffice. This gives the service unnecessary access to the entire system.

Granting 'Everyone' permissions: Some administrators grant 'Everyone' full control to shares to avoid access issues, violating PoLP. This is a common exam wrong answer.

Not revoking permissions when roles change: When an employee moves from IT support to HR, their old admin rights remain unless explicitly removed. This is a security risk tested on the exam.

Scale and Performance

In large environments, managing PoLP manually is impractical. Enterprises use Privileged Access Management (PAM) solutions like Microsoft Identity Manager or CyberArk to automate provisioning and deprovisioning. Performance impact is minimal — checking ACLs is a fast operation, but overly complex ACLs with many ACEs can slow down file access. Best practice is to use groups rather than individual user permissions.

How 220-1102 Actually Tests This

What CompTIA A+ 220-1102 Tests

Objective 2.2 requires you to "Given a scenario, apply the appropriate security controls to protect a system." PoLP is a key control. The exam tests:

Standard vs. Administrator accounts: You must know that daily use should be with a standard account. Administrator accounts are only for specific tasks.

UAC: Know the default UAC setting and what it does. The exam may ask about the difference between consent and credential prompts.

Group memberships: Which built-in groups have elevated privileges? Power Users is a legacy group with limited admin rights — the exam may ask if it still exists (yes) and its purpose (backward compatibility).

Linux sudo: The concept that sudo allows limited root access.

Service accounts: Should run with minimum privileges.

Common Wrong Answers and Why Candidates Choose Them

1. "Give all users administrator rights for convenience" — Candidates think this makes troubleshooting easier. WRONG because it violates PoLP and increases security risk.

2. "Disable UAC to improve performance" — Candidates see UAC prompts as annoying and disable it. WRONG because UAC is a critical security control.

3. "Power Users group is the same as Administrators" — Candidates confuse Power Users with Administrators. WRONG: Power Users have fewer rights.

4. "Standard users can install software if they have the installation media" — WRONG: Standard users cannot write to Program Files or system registry, so installation fails unless the installer is designed for per-user installation.

Specific Numbers and Terms on the Exam

Default UAC level: "Notify me only when apps try to make changes to my computer" (second from top).

Event IDs: 4720 (user created), 4732 (user added to group), 4624 (logon).

Command: whoami /priv to list privileges.

Group: Backup Operators can bypass NTFS permissions for backup.

Edge Cases

Run as administrator vs. UAC: Even an admin user must explicitly elevate via UAC. The exam may ask what happens when a standard user tries to run a program as administrator — they are prompted for admin credentials.

Guest account: Disabled by default; if enabled, it has very limited privileges.

SYSTEM account: Has more privileges than Administrator; used by the OS.

Eliminating Wrong Answers

If a question asks about the best way to limit a user's ability to damage the system, look for answers that involve standard user accounts, UAC, or group restrictions. Eliminate any answer that suggests granting full admin rights or disabling security features. If the scenario involves a service, the answer should mention running the service with a minimally privileged account.

Key Takeaways

Principle of Least Privilege means granting only the minimum permissions necessary to perform a job.

Standard user accounts are for daily use; administrator accounts are for specific tasks.

UAC is enabled by default and enforces PoLP by running apps with a standard user token.

Default UAC level: 'Notify me only when apps try to make changes to my computer'.

Power Users group is legacy and has limited elevated privileges, not full admin rights.

Service accounts should run with minimal privileges, not as SYSTEM.

Use groups to assign permissions, not individual user accounts.

Explicit deny in ACLs overrides allow.

Linux sudo allows limited root access for specific commands.

Regularly audit group memberships and permissions to maintain PoLP.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard User Account

Cannot install software or modify system files

Cannot change system-wide settings

Default account type for daily use

Limited access token by default

Less impact if compromised

Administrator Account

Full control over the system

Can install software and change any settings

Should only be used for administrative tasks

Can elevate to full token via UAC

High impact if compromised

Watch Out for These

Mistake

The Administrator account should be used for daily work to avoid permission issues.

Correct

The Administrator account has full system access and should only be used for specific administrative tasks. Daily use should be with a standard user account. Using the Administrator account increases the risk of accidental damage and malware impact.

Mistake

UAC is just a nuisance and can be safely disabled.

Correct

UAC is a critical security feature that enforces PoLP by running applications with a standard user token even when the user is an admin. Disabling UAC weakens system security and is not recommended. The default setting is appropriate for most environments.

Mistake

The Power Users group has the same privileges as Administrators.

Correct

Power Users is a legacy group from Windows XP. In modern Windows, it retains limited elevated privileges but not full admin rights. It is included for backward compatibility. Administrators have full control, while Power Users have more rights than Users but less than Administrators.

Mistake

Standard users can install any software as long as they have the installation files.

Correct

Standard users cannot write to system directories like `C:\Program Files` or modify system registry keys. Many software installations require admin privileges. Some applications support per-user installation, but most enterprise software requires elevation.

Mistake

Granting 'Everyone' full control to a shared folder is a good way to ensure access.

Correct

Granting 'Everyone' full control violates PoLP because it gives all users, including guests and potential attackers, unrestricted access. Permissions should be granted only to specific groups that need access, using the principle of least privilege.


Frequently Asked Questions

What is the Principle of Least Privilege in Windows?

The Principle of Least Privilege (PoLP) is a security concept where users and processes are given only the minimum permissions needed to perform their tasks. In Windows, this means using standard user accounts for daily work, enabling UAC, and assigning permissions via groups. It prevents accidental damage and limits the impact of malware.

How do I create a standard user account in Windows 10?

Go to Settings > Accounts > Family & other users > Add someone else to this PC. Choose 'I don't have this person's sign-in information' and then 'Add a user without a Microsoft account'. Enter a username and password, then select the account and change account type to 'Standard User'. Alternatively, use `net user username password /add` and `net localgroup Users username /add`.

What is UAC and why is it important?

User Account Control (UAC) is a Windows security feature that prevents unauthorized changes to the OS. It runs all users with a standard user token by default, even if they are administrators. When an action requires admin privileges, UAC prompts for consent or credentials. This enforces PoLP and prevents malware from making system-wide changes without the user's knowledge.

What is the default UAC setting in Windows 10/11?

The default UAC setting is 'Notify me only when apps try to make changes to my computer' (second level from the top). This dims the desktop and shows a prompt when an app attempts to make system changes. It does not prompt when the user changes Windows settings.

Can a standard user install software?

Generally, no. Standard users cannot write to `C:\Program Files` or modify system registry keys. Some applications support per-user installation (installing to `%AppData%`), but most require administrator privileges. If a standard user tries to run an installer, UAC will prompt for admin credentials.

What is the difference between Power Users and Administrators?

Administrators have full control over the system. Power Users is a legacy group with more rights than Users but less than Administrators. In modern Windows, Power Users can install some legacy applications but cannot modify system files or security settings. It is retained for backward compatibility.

How does Linux implement the Principle of Least Privilege?

Linux uses regular user accounts with limited privileges. The root user (UID 0) has full access. The `sudo` command allows authorized users to execute specific commands as root, configured in `/etc/sudoers`. This enforces PoLP by granting only necessary elevated access.
