In the SolarWinds intrusion disclosed in December 2020, the attackers abused a service account that held domain admin rights to move laterally through victim networks. The Principle of Least Privilege (PoLP) states that a user, process, or service should be granted only the minimum rights necessary to perform its function. This lesson translates PoLP from a theoretical mantra into concrete OS-level implementation, covering account design, privilege bracketing, and time-bound access escalation.
Modern OSes offer granular privilege models: Windows has over 40 user rights assignments (SeShutdownPrivilege, SeBackupPrivilege, ...), Linux defines about 40 capabilities (CAP_NET_RAW, CAP_SYS_ADMIN, ...), and macOS uses entitlements. Instead of giving a backup operator full Administrator or root, grant only SeBackupPrivilege or CAP_DAC_READ_SEARCH. This limits the damage if the account is compromised, but it does not make the account harmless: both of those rights let the holder read every file on the system (including SAM/NTDS.dit or /etc/shadow), and CAP_SYS_ADMIN is close enough to root that it should be treated as root. Use whoami /priv on Windows and capsh --print on Linux to audit the privileges of the current token or process.
The whoami /priv output lists every privilege on the current token as Enabled or Disabled. A Disabled privilege is not removed: any code running under that token can turn it on with AdjustTokenPrivileges, so it is still attack surface if a vulnerable service runs under that account (a disabled SeBackupPrivilege or SeImpersonatePrivilege on a compromised service is a classic escalation path). A PoLP design removes unnecessary privileges from the account entirely, not just disables them.
```bash
# Check Linux capabilities of every nginx process
# (the master usually runs as root, the workers as www-data)
for pid in $(ps -C nginx -o pid=); do
    echo "== pid $pid ($(ps -o user= -p "$pid"))"
    sudo grep -E '^Cap(Inh|Prm|Eff|Bnd|Amb):' "/proc/$pid/status"
done
# Turn a hex mask into capability names
capsh --decode=0000000000000400
```
💡 CapEff is the effective set. CapEff 0000000000000000 on a worker means no effective capabilities, which is the goal. If the service must bind a port below 1024 without a root master, the target is CapEff=0000000000000400, i.e. only CAP_NET_BIND_SERVICE (bit 10), granted through the systemd AmbientCapabilities= directive; a root master shows the full mask (000001ffffffffff on current kernels). A mask such as 0000000000003000 decodes to CAP_NET_ADMIN and CAP_NET_RAW, which a web server has no business holding. Audit any non-zero mask and drop what you can with CapabilityBoundingSet= in the unit file.
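The hex masks in /proc/&lt;pid&gt;/status are easy to misread by hand, so here is an added audit helper (example code written for this lesson, not part of the original page or of any tool it mentions) that decodes a CapEff mask into capability names, flags the root-equivalent ones, and grades a status file. The capability bit numbers are the kernel's own (0 to 40); the root-equivalent list, the sample status text, and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the lesson): decode /proc/<pid>/status capability
# masks into names and flag root-equivalent ones, without relying on capsh.
# Bit numbers follow include/uapi/linux/capability.h (0..40 as of Linux 5.9).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# Capabilities that are effectively root or let a process become root.
# (Assumed list for this example; tune it to your threat model.)
ROOT_EQUIVALENT="cap_sys_admin cap_sys_ptrace cap_sys_module cap_sys_rawio \
cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_setfcap \
cap_net_admin cap_bpf cap_chown cap_fowner"

# decode_caps HEXMASK -> comma-separated cap_* names in bit order
decode_caps() {
    mask=$(( 0x${1:-0} ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out,}cap_$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# flag_dangerous HEXMASK -> only the root-equivalent names present in the mask
flag_dangerous() {
    out=""
    for c in $(decode_caps "$1" | tr ',' ' '); do
        case " $ROOT_EQUIVALENT " in
            *" $c "*) out="${out:+$out,}$c" ;;
        esac
    done
    printf '%s\n' "$out"
}

# cap_field STATUS_TEXT FIELD -> the hex mask of e.g. CapEff from a status body
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# Constructed sample (not captured from a real host): what /proc/<pid>/status
# shows for an nginx worker granted only CAP_NET_BIND_SERVICE via systemd.
SAMPLE_STATUS='Name:   nginx
Uid:    33      33      33      33
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000400'

# audit_status STATUS_TEXT -> "OK: ..." or "REVIEW: ..." based on CapEff
audit_status() {
    eff=$(cap_field "$1" CapEff)
    bad=$(flag_dangerous "$eff")
    if [ -z "$bad" ]; then
        printf 'OK: CapEff=%s (%s)\n' "$eff" "$(decode_caps "$eff")"
    else
        printf 'REVIEW: CapEff=%s grants %s\n' "$eff" "$bad"
    fi
}

# Live use on a real host (root is needed to read other users' status files):
#   for pid in $(ps -C nginx -o pid=); do audit_status "$(sudo cat /proc/$pid/status)"; done
audit_status "$SAMPLE_STATUS"
```

Run it against a root process and the full mask 000001ffffffffff decodes to all 41 names; run it against a sandboxed worker and you get a single OK line. Anything in the REVIEW output is a candidate for removal through CapabilityBoundingSet= rather than something to leave "disabled".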
Administrators should work as standard users and elevate only for the task at hand. On Windows, UAC with the consent prompt gives an administrator a filtered standard-user token until elevation is confirmed; on Linux, sudo with an explicit command list and a short or zero timestamp_timeout does the same. For higher assurance, a privileged access management (PAM, not to be confused with Linux Pluggable Authentication Modules) solution issues temporary, audited access. In Active Directory, Authentication Policies and Silos restrict which hosts a privileged account may authenticate from and shorten its TGT lifetime, and the optional Privileged Access Management feature of AD DS lets a group membership carry a time-to-live so the grant expires on its own; on Linux, sudo rules served from LDAP or SSSD can carry sudoNotBefore and sudoNotAfter attributes for the same effect. Together these turn static role membership into time-bound RBAC.
```bash
# /etc/sudoers.d/webadmin
# Tighten sudo for one user to one exact command line: systemctl restart nginx
Defaults:webadmin timestamp_timeout=0
webadmin ALL=(root) /usr/bin/systemctl restart nginx
```
This configuration lets webadmin restart nginx as root and nothing else: sudo matches the arguments exactly, so even `systemctl restart nginx.service` or `systemctl status nginx` is refused. timestamp_timeout=0 makes sudo ask for the user's password on every invocation instead of caching it for the default 5 minutes. Adding the NOPASSWD: tag would remove the password prompt entirely and make the timeout irrelevant, so use it only where the command is harmless on its own. Validate the file with `visudo -cf /etc/sudoers.d/webadmin` before relying on it, and confirm the effective rule set with `sudo -l -U webadmin`.
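Reviewing sudoers files by eye does not scale, so here is an added linter (example code written for this lesson, not part of sudo or of the original page) that scans user specifications for the patterns that defeat PoLP: a bare ALL command, wildcard arguments, programs that can spawn a shell or write arbitrary files, and NOPASSWD on any of those. The sample drop-in, the user names, and the list of shell-escape-capable programs are constructed assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the lesson): lint sudoers user specifications for
# grants that defeat PoLP. Runs on constructed text here; on a host, feed it
# `cat /etc/sudoers /etc/sudoers.d/*` after `visudo -c` has confirmed syntax.

# Programs that can spawn a shell or write arbitrary files once run as root.
# (Assumed starter list; GTFOBins-style catalogues are far longer.)
ESCAPE_RE='/(vim?|nano|less|more|man|find|awk|perl|python[0-9.]*|bash|sh|zsh|dash|tar|env|su|tee|cp|mv|dd)([ \t]|$)'

# lint_sudoers SUDOERS_TEXT -> one "user: finding,finding" line per risky grant
lint_sudoers() {
    printf '%s\n' "$1" | awk -v escape_re="$ESCAPE_RE" '
        function add(f, tag) { return (f == "" ? tag : f "," tag) }
        /^[ \t]*(#|$)/                   { next }   # comments and blank lines
        /^Defaults/                      { next }   # options, not grants
        /^(User|Runas|Host|Cmnd)_Alias/  { next }   # alias definitions
        {
            f = ""
            # last token ALL (or NOPASSWD:ALL) means any command as the run-as user
            if ($NF ~ /(^|:)ALL$/)            f = add(f, "unrestricted-command")
            # wildcard arguments match anything, e.g. tar --checkpoint-action=exec=sh
            if ($0 ~ /\*/)                    f = add(f, "wildcard-args")
            if ($0 ~ escape_re)               f = add(f, "shell-escape-capable")
            # NOPASSWD only matters when the grant is already risky
            if ($0 ~ /NOPASSWD:/ && f != "")  f = add(f, "nopasswd")
            if (f != "") printf "%s: %s\n", $1, f
        }'
}

# Constructed sample drop-in (not real hosts or users). The webadmin rule is
# the tight one from this lesson; the others are common PoLP violations.
SUDOERS_SAMPLE='# /etc/sudoers.d/sample
Defaults env_reset
Defaults:webadmin timestamp_timeout=0
webadmin ALL=(root) /usr/bin/systemctl restart nginx
backup   ALL=(root) NOPASSWD: /usr/bin/tar *
ops      ALL=(ALL) ALL
deploy   ALL=(root) /usr/bin/vim /etc/nginx/nginx.conf
%wheel   ALL=(ALL:ALL) NOPASSWD: ALL'

lint_sudoers "$SUDOERS_SAMPLE"
```

The webadmin rule produces no finding; the other four grants each produce one line naming what is wrong with them. The linter is deliberately conservative (a false positive costs a minute of review; a missed `NOPASSWD: ALL` costs the host), and it only reads text, so it cannot see rules that come from LDAP or SSSD; use `sudo -l -U <user>` to check those.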
| Platform | PoLP Mechanism | Example Command |
|---|---|---|
| Windows | User Rights Assignment, Service SID | sc sidtype MyService restricted |
| Linux | Capabilities, sudo, systemd isolation | systemctl edit myservice --full |
| macOS | Entitlements, TCC, sudo | codesign -d --entitlements - /Applications/Example.app |
Service accounts should never be interactive and should be stripped of every unnecessary privilege. On Windows, create a service account (or better, a managed service account) that is denied interactive and remote-interactive logon and holds only the user rights the service needs, typically just "Log on as a service". On Linux, systemd service units can set User= and Group= to run as an unprivileged account and CapabilityBoundingSet= to cap the capabilities the process can ever hold, while ProtectSystem=, PrivateTmp=, and NoNewPrivileges=yes sandbox the process so that a compromise cannot write to the OS, share /tmp with other services, or regain privileges through setuid binaries.
⚠️ Service accounts are frequent targets for credential theft. Never reuse a privileged service account across multiple services, and rotate credentials using managed identities or secrets management tools.
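To make the systemd directives above concrete, here is an added example (written for this lesson, not taken from the original page or from the nginx project) that pairs the unit as it is often shipped with a hardened version for a web service that must bind port 80 as www-data, plus a small checker that reports which hardening directives a unit text is missing. The unit contents, the baseline list of required directives, and the paths in ReadWritePaths= are assumptions for the example; the directive names themselves are real systemd ones.

```sh
#!/bin/sh
# Added example (not from the lesson): a hardened unit for a web service that
# binds port 80 as www-data, and a checker for missing hardening directives.
# Unit name, paths and the REQUIRED baseline are assumed for this example.

# The same service as it is often shipped: runs as root, no sandboxing.
WEAK_UNIT='[Unit]
Description=example web service

[Service]
ExecStart=/usr/sbin/nginx -g "daemon off;"
Restart=always'

HARDENED_UNIT='[Unit]
Description=example web service (hardened)

[Service]
User=www-data
Group=www-data
ExecStart=/usr/sbin/nginx -g "daemon off;"
# Only the capability needed to bind a port below 1024; ambient so a
# non-root user actually receives it
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Whole filesystem read-only except the paths listed here
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/log/nginx /var/cache/nginx
RuntimeDirectory=nginx
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
LockPersonality=yes'

# Directives a PoLP review expects to see (assumed baseline for this example).
REQUIRED='User= CapabilityBoundingSet= NoNewPrivileges=yes ProtectSystem= ProtectHome= PrivateTmp=yes PrivateDevices=yes'

# check_unit UNIT_TEXT -> one line per finding; prints nothing when clean
check_unit() {
    unit=$1
    for d in $REQUIRED; do
        printf '%s\n' "$unit" | grep -q "^$d" || printf 'missing %s\n' "$d"
    done
    # An explicit User=root is no better than no User= line at all
    printf '%s\n' "$unit" | grep -q '^User=root$' && printf 'runs-as-root\n'
    # CAP_SYS_ADMIN in the bounding set leaves a near-root capability reachable
    printf '%s\n' "$unit" | grep -q '^CapabilityBoundingSet=.*CAP_SYS_ADMIN' \
        && printf 'bounding-set-includes-CAP_SYS_ADMIN\n'
    return 0
}

echo "== weak unit";     check_unit "$WEAK_UNIT"
echo "== hardened unit"; check_unit "$HARDENED_UNIT"
```

On a real host, put the hardened [Service] settings in a drop-in under /etc/systemd/system/nginx.service.d/ (or use `systemctl edit --full nginx.service`), run `systemctl daemon-reload`, and let `systemd-analyze security nginx.service` score the result. ProtectSystem=strict and SystemCallFilter= are the two directives most likely to break a service that writes somewhere unexpected or uses an unusual syscall, so test under realistic load before shipping the unit; the checker only confirms the directives are present, not that the service still works.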