Does anyone fully implement workstation and server logon restrictions, and priviledged access workstations (PAW) as prescribed by NIST/STIG/CIS?

The URL is Microsoft’s long description of the same concepts.

Specifically from the above, there’s a few things like:

  • Establishing asset/systems tiers (domain controllers or entire org compromise tier 0, moving towards less consequence in the event of system compromise)
  • Accounts with the Active Directory Domain Admins or equivalent are supposed to be blocked from logging into lower tier assets
  • Workstations that have access to log into these super sensitive assets like Domain controllers for management are considered PAWs, and are blocked from internet access, highly locked down, might have extra hoops or management plane assets are air gapped?

Question:

Does anyone actually do any of this at their organization?

If so, to what degree?

People hated red forest because it was a whole other set of infrastructure to baby sit.

People hate air gapped systems because no remote access or work from home.

The above doesn’t work well with cloud, and as a result Microsoft (just as an example) pushed for the new hybrid PIM models replacing their old red forest concept.

I’m just curious.

  • PaddleMaster@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    Some of that, yes. I work for a university that’s government adjacent, so we have to get audited pretty often. Part of that is proving that we STIG and conform to other frameworks. But within certain labs, access is remote only, so I’m not sure how they would handle having a PAW, when there’s probably just a few admin accounts that have strict rules and limits applied.