I’m curious if anybody out there has successfully implemented a form of network segmentation that keeps admin accounts away from systems with internet access.

The goal is to have dedicated jumphosts for teams which can only be accessed via RDP from a single IP, that host requires MFA to access.

The hard part is locking down almost all internet access from the secure Jumpboxes, other than a few cloud based security tools.

I’ve considered whether a second jump box for each team is provided which is logged into only with a regular account and used to download things like ISO’s and firmware updates then transferred laterally to the jumpbox but I think there’s a risk there with SMB.

Assuming a way can be found to allow that lateral transfer safely, is it overkill to have two Jump boxes involved?

Share This Discussion

2 Comments

  • povlhp

    November 10, 2021

    Any sane network admin already has shut down all Internet Access for at least ALL server segments.

    Those that needs Internet Access can do so thru a proxy server, accessing whitelisted domains only. Or if it is something not proxyable, then firewall port openings to specific IP addresses. That means such things MUST have a fixed IP, or a proxy must be established with a fixed IP.

    The jumphost , assume it runs RDP, can access client drives to get the files users downloaded there. Or use Copy/Paste

    Reply
  • subsisn

    November 10, 2021

    Privileged Access Management (PAM) solutions help with this

    Reply

Leave a Comment

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.