
Advanced Least Privilege Security concepts

Most operating systems, including Windows NT, use advanced Least Privilege Security concepts as follows:

Discretionary Access Control

Discretionary Access Control (DAC) is where system administrators assign access to a set of objects, such as a directory of files, and allow the user to change the security properties of those files. The user becomes the owner of the directory and can modify the security properties of all files within that directory.

Mandatory Access Control

Mandatory Access Control (MAC) allows system administrators to centrally control the changes users can make to objects they own. MAC helps prevent the flow of sensitive information from a high-privileged account to a lower one.

Mandatory Integrity Control

Windows Vista introduced a form of MAC through Mandatory Integrity Control (MIC) that prevents processes running with a low Integrity Level (IL) from writing to or deleting objects with a higher IL.
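The following Python sketch is an added illustration, not code from the book. It models the no-write-up rule sitting in front of the discretionary check, so a low-IL process is refused even when the object's access list would allow the write. The class names, the three-level scale and the sample objects are assumptions made for the sketch; it models only the write/delete rule described above, not the full Windows access check.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class IL(IntEnum):          # integrity levels, lowest to highest
    LOW = 1
    MEDIUM = 2
    HIGH = 3

WRITE_LIKE = {"write", "delete"}   # operations the text says MIC blocks

@dataclass
class Token:                # simplified stand-in for a process token
    user: str
    groups: frozenset
    il: IL

@dataclass
class Obj:                  # simplified stand-in for a securable object
    name: str
    il: IL
    dacl: list = field(default_factory=list)   # (principal, allowed rights)

def access_check(token, obj, right):
    """Return (granted, reason); the mandatory check runs before the DACL."""
    if right in WRITE_LIKE and token.il < obj.il:
        return False, "MIC: no-write-up"
    principals = {token.user} | set(token.groups)
    for principal, rights in obj.dacl:
        if principal in principals and right in rights:
            return True, f"DACL: allowed via {principal}"
    return False, "DACL: no matching allow entry"

# Constructed sample data (names are illustrative only).
report = Obj("report.docx", IL.MEDIUM, [("Users", {"read", "write", "delete"})])
cache = Obj("cache.tmp", IL.LOW, [("Users", {"read", "write", "delete"})])
sandboxed = Token("alice", frozenset({"Users"}), IL.LOW)
desktop = Token("alice", frozenset({"Users"}), IL.MEDIUM)
service = Token("svc", frozenset({"Services"}), IL.HIGH)

def demo():
    cases = [(sandboxed, report, "write"), (sandboxed, report, "delete"),
             (sandboxed, report, "read"), (sandboxed, cache, "write"),
             (desktop, report, "write"), (service, report, "write")]
    return [access_check(t, o, r) for t, o, r in cases]

if __name__ == "__main__":
    for granted, reason in demo():
        print("GRANTED" if granted else "DENIED ", reason)
```

The last case shows the reverse direction: a high integrity level passes the mandatory check but is still refused when the discretionary list has no entry for it.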

Role-based Access Control

Windows Server 2003 included Role-based Access Control (RBAC), which allows system administrators to control access based on users' organizational roles. Focusing on users' roles, rather than on objects and resources as DAC does, is a more natural way for system administrators to control access to data across an organization. DAC enforces basic least privilege concepts to protect operating system files and registry keys using groups, which are collections of users, whereas RBAC roles are collections of permissions.
