Administrators should not be logging in as regular users and then elevating privileges. SC.L2-3.13.3 requires separation of administrative functions from normal user work. The goal is to prevent accidental misuse of admin privileges and to maintain a clear audit trail of who performed administrative actions. This is a core part of AC.L2-3.1.2 (access restrictions for privileged functions) and works hand-in-hand with AC.L2-3.1.1 (logical access control).
What the assessor is actually evaluating
The assessor will check:
- Documented separation policy: You should have a policy requiring that each administrator maintains separate accounts for regular work and administrative work.
- Technical implementation: In Active Directory, administrators should be members of admin groups with a dedicated admin account. They should not be logging in with their regular user account and elevating.
- Audit trail: Logs should show that administrative actions are performed by identifiable admin accounts, not by regular user accounts that have been elevated.
What a realistic SSP definition looks like
Policy: “The organization implements privilege separation. All administrators maintain separate user and administrative accounts. Administrative work is performed only through the administrative account. Users and administrators are prevented from logging into systems with administrative accounts for non-administrative purposes.”
Supporting details:
- Account structure: Each administrator has two AD accounts, e.g., jsmith (regular user) and jsmith.admin (administrative). The admin account is disabled for interactive login on non-critical systems.
- Administrative group membership: Admin accounts are members of the Administrators, Domain Admins, or role-specific groups. Regular user accounts are never members of these groups.
- Enforcement: Group Policy prevents logon by regular users to domain controllers and critical servers.
- Monitoring: Audit logs track logons to administrative systems and alert on attempts to use regular user accounts.
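As an added example (not part of the original guide), a PowerShell check that audits the account structure and group membership described above: every user in an admin group must follow the admin naming convention, and every admin account must have a matching regular account. The group list and the ".admin" suffix are assumptions taken from the jsmith / jsmith.admin pattern; adjust them to your own convention.

```powershell
# Added example: audit AD admin groups for privilege-separation violations.
# Assumes the RSAT ActiveDirectory module and the "<user>.admin" naming convention.
Import-Module ActiveDirectory

$AdminGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins')  # assumption: groups to check
$AdminSuffix = '.admin'                                                   # assumption: naming convention
$SuffixRegex = [regex]::Escape($AdminSuffix) + '$'

$findings = foreach ($group in $AdminGroups) {
    # -Recursive expands nested groups so indirect membership is caught as well
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.distinguishedName
        if ($user.SamAccountName -notlike "*$AdminSuffix") {
            # The failure the guide describes: a regular user account sits in an admin group
            [pscustomobject]@{ Group = $group; Account = $user.SamAccountName
                               Issue = 'Regular user account in admin group' }
        } else {
            # Separation also requires a matching regular account for day-to-day work
            $base = $user.SamAccountName -replace $SuffixRegex, ''
            if (-not (Get-ADUser -Filter "SamAccountName -eq '$base'")) {
                [pscustomobject]@{ Group = $group; Account = $user.SamAccountName
                                   Issue = "No matching regular account '$base'" }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No separation violations found.' }
```

Run it before the assessment; an empty result is the "clean separation in AD" evidence, and any row is a finding to fix first.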
How to present your evidence
- Privilege separation policy document: Describes the requirement for separate admin accounts and how separation is enforced.
- Active Directory screenshots: Show user accounts and their group memberships. Display at least 3-5 administrator accounts showing the pattern of separate user and admin accounts.
- Group Policy audits: Show GPOs that enforce administrative account separation or prevent regular users from logging in to sensitive systems.
- Audit logs: Pull Windows security event logs showing successful admin account logons for administrative tasks (e.g., user creation, software installation) and no logons from regular user accounts to admin systems.
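As an added example (not from the original guide), a PowerShell script that pulls the Security-log evidence described above from an administrative system: successful interactive and RDP logons (Event ID 4624) over the last 30 days, with each one marked as coming from an admin-convention account or not. The computer name, the ".admin" suffix and the 30-day window are assumptions to be adjusted.

```powershell
# Added example: evidence of who logged on to an administrative system.
# Assumes the "<user>.admin" naming convention and rights to read the remote Security log.
param(
    [string]$ComputerName = 'DC01',    # assumption: an administrative system to query
    [string]$AdminSuffix  = '.admin',  # assumption: naming convention
    [int]$Days            = 30
)

# Logon types 2 (interactive) and 10 (RemoteInteractive/RDP) are the ones that show
# someone working on the system; network (3) and service (5) logons are excluded here.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

$report = foreach ($e in $events) {
    # Parse the event XML so fields are addressed by name rather than by position
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -notin 2, 10) { continue }
    if ($d.TargetUserName -match '\$$') { continue }   # skip machine accounts
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType
        Compliant = $d.TargetUserName -like "*$AdminSuffix"
    }
}

# Full listing for the assessor, then the exceptions that need an explanation
$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Any row with Compliant set to False is a regular user account logging on to an admin system, which is the gap the assessor will ask about.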
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “Tell me about your administrative account structure. How do you separate administrative functions from user work?”
You: “Every administrator has two AD accounts: one regular account for email and regular work, and a separate admin account for administrative tasks. Admin accounts are only used for admin work.” [Pull up AD group membership showing 3-4 administrators with matching user.admin accounts]
Assessor: “Show me the audit logs for admin account activity from the past 30 days.”
You: [Pull up Windows security logs showing successful logons from admin accounts and administrative actions performed under those identities]
Assessor: “Do you ever see regular user accounts performing administrative actions?”
You: “No. Our policy prohibits it, and our logs show only admin accounts performing administrative tasks. If we need to perform admin work, we log out and log back in with the admin account.” [Show a sample of logs with no admin actions attributed to regular user accounts]
Common failures
- No documented separation policy: The organization has not written down that admins should use separate accounts. When the assessor asks for the policy, nothing exists.
- Admins using a single account with elevated privileges: Administrators log in with their regular account and use “Run as Administrator” for admin work. The privilege is there, but the separation principle is violated because the audit log records the regular account name.
- Group membership is incorrect: Regular user accounts are members of admin groups, or dedicated admin accounts were never created because users elevate directly.
What good looks like
- Clean separation in AD: All administrators have clear naming conventions for admin accounts. No regular user accounts are in admin groups. Admin and user accounts are visibly separated.
- Consistent audit trails: Logs show administrative actions tied to clearly identifiable admin accounts.
If you use an MSP/MSSP
If an MSP manages your systems, ensure the MSP maintains separate administrative accounts and logs administrative actions under those accounts. Request documentation of the MSP’s account separation practices. The assessor may ask you how MSP administrative access is tracked. Be able to explain the separation model used.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.