All security plans have a posture or philosophy about security. The posture determines the approach to security throughout the organization. The two most common postures are referred to as Default DENY and Default ALLOW.
Default DENY: if something is not explicitly allowed, it is immediately denied. The default action for all security operations is to disallow access to a resource. Least privilege encompasses Default DENY. This is the more secure posture.
Default ALLOW: the opposite; it assumes that all things are allowed unless explicitly denied. Systems are completely open except for specific instances where a resource is limited or closed off. End-users find Default ALLOW more
Some plans mix the two postures. A posture of Default DENY may be assumed for inbound network operations and Default ALLOW for outbound ones. File servers may be subject to Default ALLOW, whereas database servers are subject to Default DENY. In practice, this is what usually happens. A balance is then achieved between the ability for end-users to get to resources they need versus keeping hackers out.
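The mixed posture described above, as an added example that is not part of the original text: a small policy evaluator (hypothetical; constructed for this page) in which each traffic direction carries its own posture and explicit rules are consulted first. The rule set and port numbers are constructed sample data; the point it shows is that an unlisted inbound service is denied under Default DENY but exposed under Default ALLOW, while the same outbound request passes either way.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Posture(Enum):
    """Posture applied when no explicit rule matches."""
    DEFAULT_DENY = "deny"
    DEFAULT_ALLOW = "allow"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "inbound" or "outbound"
    port: Optional[int]    # None matches any port


# Constructed sample rule set (hypothetical):
# - inbound: only HTTPS is explicitly allowed
# - outbound: only telnet is explicitly denied
SAMPLE_RULES = (
    Rule("allow", "inbound", 443),
    Rule("deny", "outbound", 23),
)

# Mixed posture from the text: Default DENY inbound, Default ALLOW outbound.
MIXED_POSTURE = {
    "inbound": Posture.DEFAULT_DENY,
    "outbound": Posture.DEFAULT_ALLOW,
}

# A plan that applies Default ALLOW in both directions, for comparison.
ALL_ALLOW_POSTURE = {
    "inbound": Posture.DEFAULT_ALLOW,
    "outbound": Posture.DEFAULT_ALLOW,
}


def evaluate(postures, rules, direction, port):
    """Return "allow" or "deny" for one request.

    Explicit rules win, first match in order; if nothing matches, the
    posture configured for that direction decides.
    """
    for rule in rules:
        if rule.direction == direction and (rule.port is None or rule.port == port):
            return rule.action
    return postures[direction].value


def exposed_inbound_ports(postures, rules, candidate_ports):
    """List candidate inbound ports the policy would let through.

    Under Default DENY this is exactly the explicitly allowed set; under
    Default ALLOW it is everything not explicitly denied.
    """
    return [p for p in candidate_ports
            if evaluate(postures, rules, "inbound", p) == "allow"]


if __name__ == "__main__":
    probes = [22, 443, 3306]
    print("mixed posture, inbound exposure:",
          exposed_inbound_ports(MIXED_POSTURE, SAMPLE_RULES, probes))
    print("all-allow posture, inbound exposure:",
          exposed_inbound_ports(ALL_ALLOW_POSTURE, SAMPLE_RULES, probes))
    print("outbound 8080 under mixed posture:",
          evaluate(MIXED_POSTURE, SAMPLE_RULES, "outbound", 8080))
```

The evaluator makes the trade-off from the text concrete: adding a new inbound service under Default DENY requires an explicit allow rule (an administrative cost), whereas under Default ALLOW every service nobody remembered to block is reachable by default.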
Default DENY is still the better practice despite the limitations it places on end-users.