How to Comply with CMMC AC.2.007 Employ the Principle of Least Privilege

One of the first steps toward CMMC compliance is implementing the principle of least privilege, the practice identified as CMMC AC.2.007.

When it comes to IT, cybersecurity, and CMMC compliance, the requirements can be dense and confusing. It’s easy to put off data security, but making it a priority is necessary to protect your business.

In this blog, we’ll dive into one policy, CMMC AC.2.007, break it down, and make it easier to understand.

What is CMMC AC.2.007?

Before getting into the details, check out our blog: Understanding the CMMC 2.0 Framework to get a basic understanding of CMMC.

CMMC AC.2.007 reads: “Employ the principle of least privilege, including for specific security functions and privileged accounts.” (AC.2.007 is the CMMC 1.0 identifier; in CMMC 2.0 the same practice is AC.L2-3.1.5, which comes from NIST SP 800-171 requirement 3.1.5.)

What does that even mean?

Imagine if every employee in your company had access to all of your data. At any moment, a brand-new hire could open every salary, confidential HR report, or financial record stored on the server. Least privilege means each account gets only the access its role actually requires and nothing more. AC.2.007 asks you to apply that rule to every user account, including the administrative ones.

[How To] Employ the Principle of Least Privilege

Whether you’re a large organization or a small business of one or two people, the permissions needed to comply with CMMC AC.2.007 are the same – the only difference is how you implement them.

When your computers are joined to an Active Directory domain, users can be placed into groups and permissions applied in bulk. If your computers use only local accounts, you’ll have to apply permissions on each machine individually.

Windows Server (Domain)

Before you spend all your time working on individual computers, set up bulk permissions with these 4 steps. 

  1. Establish security groups for file access
  2. Create the users in your organization
  3. Assign users to security groups based on their roles
  4. Grant security groups specific folder access


  1. Establish Security Groups for File Access

The first step is to establish security groups for file access. Groups are typically defined by role or department (see our examples below). Grant folder access to groups rather than to individual users: the permission lists stay short enough to review, and when someone changes roles you change their group membership instead of hunting through every folder.

To build out these groups, open Active Directory Users and Computers and go to the Users container. The quickest way to get there is: Start > Active Directory Users and Computers > Users.

Once you’re in the Users folder, right-click in the open space in the right pane and select New > Group. Now configure the group: enter a group name, then select Global as the group scope and Security as the group type.

Repeat this step until you have all the groups created that you need. 

2. Create the Users in Your Organization

To create the users, start out with the same steps as establishing groups: Start > Active Directory Users and Computers > Users.

Then, right-click in the right pane and select New > User. You’ll be prompted for the user’s name and logon name, then a password. Leave the default group membership alone; administrative rights are granted separately, and only where a role requires them. Now your user is created.

Repeat this step until all the users in your organization are created.

3. Assign Users to Security Groups Based on Their Roles

Follow the same path as the previous steps: Start > Active Directory Users and Computers > Users.

Once you’re in the Users folder, you should see the newly created users in the right pane. Double-click a user to open its properties. From there, select the Member Of tab, click Add, type the name of the security group the user belongs to, and click Check Names. To finalize your choice, click Apply > OK.

4. Grant Security Groups Specific Folder Access

Unlike the previous steps, this step is configured within the Server Manager console. Begin by selecting Start > Server Manager. Once you’re in the console, click File and Storage Services > Shares.

If you have Shares created, right-click the one you want to assign the group to, select Properties > Permissions > Customize Permissions > Add > Select a principal, then search for the group. Check both the share permissions and the NTFS permissions on the folder: remove any broad inherited entries (for example, grants to Users or Everyone) so that only the intended group, administrators, and SYSTEM remain.

If you don’t have Shares created, click Tasks > New Share. You’ll want to create Shares that align with your security groups.
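The same four steps in PowerShell, as an added example that is not part of the original post. It runs as a domain administrator on a server with the ActiveDirectory and SmbShare modules (RSAT). Everything named below is a placeholder to change for your environment: the domain example.local with NetBIOS name EXAMPLE, an existing OU called CMMC, a data drive D:\Shares, and the group and user names. It ends with a check of who can reach each folder and who sits in Domain Admins.

```powershell
# Added example (not from the original post). Assumed, hypothetical names:
# domain example.local / EXAMPLE, OU "CMMC", data root D:\Shares, users and groups below.
Import-Module ActiveDirectory
Import-Module SmbShare

$domainNetbios = "EXAMPLE"
$ou            = "OU=CMMC,DC=example,DC=local"
$shareRoot     = "D:\Shares"

# Step 1: one Global security group per role or department.
$groups = @("Fiscal", "HR", "AllStaff", "Leadership")
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Steps 2 and 3: create users, then add each one only to the groups its role needs.
$users = @(
    @{ Sam = "jdoe";   Name = "Jane Doe";  Groups = @("Fiscal", "AllStaff") },
    @{ Sam = "bsmith"; Name = "Bob Smith"; Groups = @("HR", "AllStaff") }
)
foreach ($u in $users) {
    $pw = Read-Host -AsSecureString -Prompt "Initial password for $($u.Sam)"
    New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@example.local" -Path $ou `
        -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $u.Sam }
}

# Step 4: one folder and share per group. Access goes to the group, never to a user.
$rights  = [System.Security.AccessControl.FileSystemRights]
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($g in @("Fiscal", "HR", "AllStaff")) {
    $path = Join-Path $shareRoot $g
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # NTFS: stop inheriting from D:\Shares and do NOT copy the inherited entries, so a
    # broad grant on the parent (Users, Everyone) cannot leak into this folder.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($admin in @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admin, $rights::FullControl, $inherit, $none, $allow)))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domainNetbios\$g", $rights::Modify, $inherit, $none, $allow)))
    Set-Acl -Path $path -AclObject $acl

    # Share permissions, also scoped to the group. Without these parameters New-SmbShare
    # grants Everyone Read at the share level and relies on NTFS alone.
    if (-not (Get-SmbShare -Name $g -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $g -Path $path `
            -FullAccess "BUILTIN\Administrators" -ChangeAccess "$domainNetbios\$g" | Out-Null
    }
}

# Verification: effective NTFS entries per folder, and the current Domain Admins roster.
foreach ($g in @("Fiscal", "HR", "AllStaff")) {
    "== $g =="
    (Get-Acl -Path (Join-Path $shareRoot $g)).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}
"== Domain Admins =="
Get-ADGroupMember -Identity "Domain Admins" | Select-Object SamAccountName, objectClass
```

The verification output is what an assessor will ask for: every entry on a share folder should be a group, SYSTEM, or Administrators, with IsInherited false, and the Domain Admins list should be short enough to name from memory.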

Windows Computer (Local Account)

Applying user permissions in bulk isn’t an option with local setups. While the steps are simple, it may be time consuming since the permissions need to be applied to each account on every computer.

Follow these 5 steps to apply security permissions to local users. 

  1. Press the Windows key + R to open the Run dialog. It appears in the bottom-left corner of the screen.
  2. Type control userpasswords2 and press Enter. The User Accounts dialog opens and lists every local user on the computer.
  3. Select the user whose permissions you want to change, then click Properties > Group Membership.
  4. Depending on the user’s role, choose Standard user or Administrator. Reserve Administrator for the few people who genuinely need to install software or change system settings; everyone else should be a Standard user.
  5. Click Apply > OK, and you’re done with that user. Repeat for every user on every computer.
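The same check and change, scripted, as an added example that is not part of the original post. It uses the LocalAccounts cmdlets in Windows PowerShell 5.1 (Windows 10 and Server 2016 or later) and must run in an elevated prompt on each machine. The list of accounts allowed to keep Administrator, $AllowedAdmins, is a hypothetical default to replace with your own; everything not on that list is moved to Users, which is what “Standard user” means in the dialog above.

```powershell
# Added example (not from the original post). Run elevated, one machine at a time.
function Set-StandardUserBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical: the short list of local accounts whose role truly needs Administrator.
        [string[]]$AllowedAdmins = @("Administrator", "itadmin")
    )

    # Only user accounts; nested groups (e.g. DOMAIN\Domain Admins) are reported, not edited.
    $members = Get-LocalGroupMember -Group "Administrators" |
        Where-Object { $_.ObjectClass -eq "User" }

    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]          # "PC01\jdoe" -> "jdoe"

        if ($AllowedAdmins -contains $shortName) { continue }

        # Never demote the account running the script; that is how you lock yourself out.
        if ($shortName -ieq $env:USERNAME) {
            Write-Warning "Skipping $($m.Name): it is the current user. Demote it from another admin account."
            continue
        }

        if ($PSCmdlet.ShouldProcess($m.Name, "Move from Administrators to Users (Standard user)")) {
            Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
            # Standard users belong to BUILTIN\Users; SilentlyContinue covers "already a member".
            Add-LocalGroupMember -Group "Users" -Member $m.Name -ErrorAction SilentlyContinue
        }
    }

    # What is left with Administrator rights on this computer.
    Get-LocalGroupMember -Group "Administrators" |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Preview the changes first, then apply them.
Set-StandardUserBaseline -WhatIf
Set-StandardUserBaseline
```

Run it with -WhatIf first: it prints which accounts would be demoted without touching anything, so a typo in $AllowedAdmins shows up before it costs someone their access.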

Security Group Examples

Before diving in, keep in mind that there isn’t a set number of security groups needed. Additionally, users can be added to multiple security groups. Unlike other security policies, these groups are highly customizable to adjust for your business. 

In our experience, these are the 5 most common security groups we see set up: 

  1. Fiscal – for your finance and accounting departments
  2. HR – for your human resource team
  3. All Staff – files that anyone in the company can access
  4. Owners, Leadership, or Admin – these are typically for the top-level executives
  5. Domain Admins – a built-in group with full control of the domain and every domain-joined computer. Keep its membership to the handful of administrators who actually need it, and never use it as a file-access group.

Partnering With Professionals

You might be thinking, I have all the steps to comply with the CMMC AC.2.007 policy, why would I hire IT?

We get it. The steps seem simple and straightforward. However, one small mistake can lead to large consequences. If employees who don’t need it have access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it could negatively impact your reputation, operations, and potentially your finances.

Don’t risk your business’ data integrity. Let us give you a free CMMC consultation and make sure you’re on the right track. 
