Establish and Maintain Dedicated Computing Resources for All Administrative Work
Description
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.
Tool Recommendations
| Tool | Vendor | Pricing model |
|---|---|---|
| Network access control platform providing device profiling, posture assessment, guest access, and BYOD policy enforcement | Cisco | Per-endpoint subscription |
| Next-generation firewall platform with application-aware policies, threat prevention, URL filtering, and SD-WAN | Palo Alto Networks | Appliance + subscription |
| Zero trust network access platform replacing VPNs with application-level microsegmentation and identity-based access | Zscaler | Per-user subscription |
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Administrative Credential Theft from Shared Workstations
Confidentiality: Administrators perform privileged tasks from the same workstations used for email and web browsing, and keyloggers, browser exploits, or phishing attacks on those general-purpose systems capture administrative credentials for critical infrastructure.
Pass-the-Hash Attack from Admin Credentials on User Workstations
Confidentiality: Administrative credentials cached on general-purpose workstations are extracted through pass-the-hash or pass-the-ticket attacks, giving attackers domain admin or infrastructure admin privileges obtained from a standard user endpoint.
Lateral Movement to Critical Systems via Unsegmented Admin Workstations
Integrity: Attackers who compromise a general-purpose workstation where administrators also perform privileged tasks gain a direct path to critical infrastructure because the administrative session provides network access to management interfaces that should be isolated.
Vulnerabilities (When Safeguard Absent)
No Dedicated Administrative Workstations or Jump Boxes
Administrators perform privileged operations from the same workstations used for general business activities, exposing administrative credentials and sessions to threats present on general-purpose endpoints.
Administrative Systems Connected to General Network and Internet
Workstations used for administrative tasks are not segmented from the primary network and have internet access, exposing privileged sessions to web-based threats, phishing attacks, and network-level attacks that dedicated admin systems would avoid.
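As an added example (not part of this safeguard page or any vendor's tooling), a small audit script that checks logon records for the exposure the scenarios above describe: administrative accounts signing in interactively on hosts outside the dedicated admin workstation allowlist, or reaching servers over the network from outside the admin segment. The PAW host names, the 10.10.50.0/24 admin range, the `adm-` account prefix, and the log lines are all constructed assumptions.

```python
# Added example: audit Windows logon records for administrative accounts that
# signed in on hosts outside the dedicated admin workstation (PAW) allowlist.
# Records are constructed JSON lines shaped like simplified Security event 4624.
import json

# Logon types that leave reusable credential material (hash or ticket) on the target
# host. Network logons (type 3) do not cache credentials there, so they are not flagged.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 7, 10, 11}  # Interactive, Unlock, RemoteInteractive, CachedInteractive

PAW_HOSTS = {"PAW-01", "PAW-02"}   # assumed names of the dedicated admin workstations
PAW_NETWORK_PREFIX = "10.10.50."   # assumed address range of the isolated admin segment
ADMIN_PREFIX = "adm-"              # assumed naming convention for administrative accounts

# Constructed sample log (not real data): one logon record per line.
SAMPLE_LOG = """\
{"event_id": 4624, "account": "adm-jsmith", "host": "PAW-01", "logon_type": 2, "src_ip": "10.10.50.11"}
{"event_id": 4624, "account": "jsmith", "host": "WS-1042", "logon_type": 2, "src_ip": "10.10.20.42"}
{"event_id": 4624, "account": "adm-jsmith", "host": "WS-1042", "logon_type": 10, "src_ip": "10.10.20.42"}
{"event_id": 4624, "account": "adm-rlee", "host": "DC-01", "logon_type": 3, "src_ip": "10.10.50.12"}
{"event_id": 4624, "account": "adm-rlee", "host": "DC-01", "logon_type": 3, "src_ip": "10.10.20.77"}
{"event_id": 4625, "account": "adm-rlee", "host": "WS-2001", "logon_type": 2, "src_ip": "10.10.20.9"}
"""


def is_admin_account(account):
    """Admin accounts are identified by the assumed 'adm-' prefix (case-insensitive)."""
    return account.lower().startswith(ADMIN_PREFIX)


def find_violations(log_text, paw_hosts=PAW_HOSTS, paw_prefix=PAW_NETWORK_PREFIX):
    """Return (account, host, reason) for successful admin logons that break the PAW rule."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event_id"] != 4624 or not is_admin_account(ev["account"]):
            continue  # only successful logons by administrative accounts matter here
        if ev["logon_type"] in CREDENTIAL_CACHING_LOGON_TYPES and ev["host"] not in paw_hosts:
            # credentials now sit in memory on a general-purpose host (pass-the-hash exposure)
            violations.append((ev["account"], ev["host"], "interactive admin logon on non-PAW host"))
        elif ev["logon_type"] == 3 and not ev["src_ip"].startswith(paw_prefix):
            # admin reached a management interface from outside the segmented admin network
            violations.append((ev["account"], ev["host"], "admin network logon from outside admin segment"))
    return violations


if __name__ == "__main__":
    for account, host, reason in find_violations(SAMPLE_LOG):
        print(f"{account} on {host}: {reason}")
```

On the sample log the script reports two findings: the RDP logon of `adm-jsmith` to the general-purpose host WS-1042, and the network logon of `adm-rlee` to DC-01 from an address outside the admin segment.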
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |