3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges).
Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
Using Windows Server with Active Directory: least privilege is implemented through extensive use of security groups. No user account is ever used directly when assigning access to anything. Directories are locked down to their authorized groups, and access is denied to any directory not designated for the group. Devices are likewise allowed or blocked by group membership. Users are added to the groups for which they need access and removed from them when that access is no longer necessary.
All access to directories and network devices is first stripped, after which security groups are added with access only to the areas their members need. Access is then regulated solely by adding users to or removing them from the appropriate group; no user-level access is permitted outside of a group.
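The two steps above (find every directory ACE that was granted to something other than a security group, then strip the ACL and rebuild it from groups only) can be scripted. The following PowerShell is an added example, not part of the original implementation statement; the path, the CORP\FS-* group names and the FS-Admins group are placeholders, and it assumes a domain-joined server with the ActiveDirectory RSAT module and an account allowed to read and modify the ACLs.

```powershell
# Added example: audit a share tree for user-level ACEs, then (with -Enforce) rebuild
# the root ACL from security groups only. Placeholders: $Path, $AllowedGroups, $AdminGroup.
#Requires -Modules ActiveDirectory
param(
    [string]$Path = 'D:\Shares\Finance',                                         # placeholder
    [string[]]$AllowedGroups = @('CORP\FS-Finance-RW', 'CORP\FS-Finance-RO'),   # placeholder
    [string]$AdminGroup = 'CORP\FS-Admins',                                      # placeholder
    [switch]$Enforce                                                             # report only unless set
)

function Get-PrincipalKind {
    # Classify an ACE principal: 'group', 'user', 'computer', 'builtin' or 'unresolved'.
    param([System.Security.Principal.IdentityReference]$Identity)
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
    if (-not $sid.IsAccountSid()) { return 'builtin' }      # SYSTEM, BUILTIN\Administrators, ...
    $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties objectClass
    if ($null -eq $obj) { return 'unresolved' }              # orphaned SID or untrusted domain
    return $obj.objectClass
}

function Get-DirectUserAces {
    # Return every ACE on $Dir that is not granted to a security group or a built-in principal.
    param([string]$Dir)
    $acl = Get-Acl -Path $Dir
    foreach ($ace in $acl.Access) {
        $kind = Get-PrincipalKind $ace.IdentityReference
        if ($kind -ne 'group' -and $kind -ne 'builtin') {
            [pscustomobject]@{
                Path      = $Dir
                Principal = $ace.IdentityReference.Value
                Kind      = $kind
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Report: walk the tree and list access that bypasses the group model.
$dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($d in $dirs) { Get-DirectUserAces $d.FullName }
$findings | Format-Table -AutoSize

# 2. Enforce (root only): block inheritance, drop every explicit ACE, re-add groups.
if ($Enforce) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)              # stop inheriting; do not copy inherited ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    # SYSTEM and the file-server admins keep Full Control so the server stays manageable.
    foreach ($p in @('NT AUTHORITY\SYSTEM', $AdminGroup)) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p, 'FullControl', $flags, $none, 'Allow')))
    }
    # Data groups get Modify or ReadAndExecute; naming convention (-RW / -RO) is an assumption.
    foreach ($g in $AllowedGroups) {
        $rights = if ($g -like '*-RO') { 'ReadAndExecute' } else { 'Modify' }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($g, $rights, $flags, $none, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}
```

Run it without -Enforce first and review the report: an 'unresolved' principal is an orphaned SID left behind by a deleted account, and a 'user' ACE with Inherited = True is coming from a parent folder, so the fix belongs there, not on the child. Because -Enforce removes everything on the root, make sure the account running it is a member of $AdminGroup (or is SYSTEM) before applying, or the script will lock its own operator out of the share.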
Monitoring: monitoring software is in place to track changes to group memberships and assignments and to confirm that they remain compliant with the access each group is authorized for.
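Whatever monitoring product is used, the underlying data is the same: the domain controller's Security log records every addition to or removal from a security-enabled group (events 4728/4729 for global, 4732/4733 for local and 4756/4757 for universal groups), and the current membership can be compared against an approved list. The script below is an added example of that check, not the organization's monitoring software; it assumes it runs against a domain controller with the ActiveDirectory module loaded, and the group names and approved-member baseline are constructed placeholders.

```powershell
# Added example: pull group-membership change events from a DC and reconcile
# sensitive groups against an approved baseline. Placeholders: $Baseline contents.
#Requires -Modules ActiveDirectory
param(
    [string]$DomainController = $env:COMPUTERNAME,   # DC to query; run against each DC or a collector
    [int]$Hours = 24
)

# Member added / removed from security-enabled global, local and universal groups.
$MembershipEvents = @{
    4728 = 'Added to global group';    4729 = 'Removed from global group'
    4732 = 'Added to local group';     4733 = 'Removed from local group'
    4756 = 'Added to universal group'; 4757 = 'Removed from universal group'
}

# Constructed baseline: group -> approved SamAccountNames. In practice load this from the
# access-request system or a signed file, never from the group itself.
$Baseline = @{
    'Domain Admins' = @('da-alice', 'da-bob')
    'FS-Finance-RW' = @('jdoe', 'msmith')
}

function Get-EventField {
    # Read a named EventData field from the event XML (robust to property ordering).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-GroupMembershipChanges {
    param([string]$Computer, [int]$SinceHours)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$MembershipEvents.Keys
        StartTime = (Get-Date).AddHours(-$SinceHours)
    }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $MembershipEvents[$_.Id]
                Group  = Get-EventField $_ 'TargetUserName'
                Member = Get-EventField $_ 'MemberName'        # DN of the account added/removed
                Actor  = Get-EventField $_ 'SubjectUserName'   # who made the change
            }
        }
}

function Compare-GroupToBaseline {
    # Nested groups are expanded so an indirect member cannot hide behind a sub-group.
    param([string]$Group, [string[]]$Approved)
    $actual = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Group      = $Group
        Unapproved = @($actual   | Where-Object { $_ -notin $Approved })
        Missing    = @($Approved | Where-Object { $_ -notin $actual })
    }
}

Get-GroupMembershipChanges -Computer $DomainController -SinceHours $Hours | Format-Table -AutoSize
foreach ($g in $Baseline.Keys) { Compare-GroupToBaseline -Group $g -Approved $Baseline[$g] }
```

Two caveats a practitioner should check before relying on this: the 47xx events are only written when the "Audit Security Group Management" subcategory (Account Management) is enabled in the advanced audit policy, and each change is logged only on the domain controller that processed it, so either query every DC or forward the Security logs to a central collector. The baseline comparison catches what the event stream cannot: a membership that was already wrong before monitoring started.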