Best Practices - The Principle of Least Privilege (POLP)

Version 2

    “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” (The protection of information in computer systems, 1974, Jerome H. Saltzer and Michael D. Schroeder)



    The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning.


    In a personal computing context, you can increase security by using an account without administrative rights. Operating in an administrative account can make your system vulnerable to malicious code online that normally would be denied access if you were operating with lower permission levels. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as deleting all of your files, reformatting your hard drive, or creating a new user account with administrative access. 


    Some operating systems have “least privilege” built in. For example, the user account control (UAC) of Windows Vista and Windows 7 has two operational modes, one with and one without administrative privileges. Even in the latter mode, however, explicit permission is required for external system access. When you do need to perform tasks as an administrator, always follow secure procedures.


    A related concept, privilege bracketing, involves ensuring that when permission levels must be raised temporarily, the higher level is in effect for the briefest possible time. So, for example, you might log on to an administrative account when necessary for some task and immediately revert to a lower-level account as soon as that task is complete.
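    Privilege bracketing inside a single program, as an added example that is not part of the original page: a POSIX set-user-ID style program that runs at the real (unprivileged) uid by default and raises its effective uid only around the one call that needs it, reverting even if that call fails. It assumes a Linux-style seteuid(); in an ordinary non-setuid process the real, effective and saved uids are equal, so the calls are no-ops and the code still runs.

```python
import os
import tempfile
from contextlib import contextmanager

# Captured at startup: in a setuid binary this is the file owner (e.g. root);
# in a normal process it simply equals the real uid.
HIGH_UID = os.geteuid()


def drop_privileges() -> int:
    """Run at the real (unprivileged) uid by default; return that uid."""
    low = os.getuid()
    os.seteuid(low)
    return low


@contextmanager
def elevated(high_uid: int):
    """Bracket: raise the effective uid only for this block, then revert.

    The finally clause guarantees the revert even when the block raises,
    so the elevated window is exactly as long as the block itself.
    """
    low = os.geteuid()
    os.seteuid(high_uid)
    try:
        yield
    finally:
        os.seteuid(low)


def read_protected(path: str, high_uid: int) -> bytes:
    """Open a privileged file inside the bracket, but read it outside.

    Only os.open() runs with the high uid; the file content is consumed
    after privileges have been reverted, so a bug in later processing
    of that content cannot run with elevated privilege.
    """
    with elevated(high_uid):
        fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> tuple:
    """Constructed sample run: returns (content read, euid reverted afterwards?)."""
    drop_privileges()
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"secret=42\n")  # constructed sample data
    try:
        data = read_protected(tmp.name, HIGH_UID)
    finally:
        os.unlink(tmp.name)
    return data, os.geteuid() == os.getuid()


def reverts_on_error() -> bool:
    """Show that a failure inside the bracket still ends at the low uid."""
    drop_privileges()
    try:
        with elevated(HIGH_UID):
            raise RuntimeError("operation failed while elevated")
    except RuntimeError:
        pass
    return os.geteuid() == os.getuid()
```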


    The principle of least privilege is also known as the principle of least authority (POLA).