NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.15 Authorize Remote Execution of Privileged Commands and Remote Access to Security-Relevant Information

Authorize remote execution of privileged commands and remote access to security-relevant information.

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

Running admin commands or viewing security configurations remotely is a high-risk activity. You need to explicitly authorize who can do this and make sure it's logged. Not everyone who can VPN in should be able to run PowerShell as admin on a server.

Example 1: In Active Directory, create a dedicated "Remote Admins" security group. Configure the GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Access this computer from the network" to include only this group on servers. Document the list of authorized remote administrators and the commands they are permitted to execute in your SSP.
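A check for Example 1, added here and not part of the original notes: this PowerShell script exports the server's user rights with `secedit`, resolves who holds "Access this computer from the network" (`SeNetworkLogonRight`), and flags any principal outside the authorized list. The domain name `CONTOSO` is a placeholder assumption.

```powershell
# Added example (not from the original page). Run in an elevated session on the server.
# Assumption: CONTOSO is a placeholder domain; "Remote Admins" is the group from Example 1.
$Authorized = @('CONTOSO\Remote Admins')

function Get-NetworkLogonHolder {
    param([string[]]$InfLines)
    # secedit writes one line: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-...,name
    $line = $InfLines | Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }            # right is not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $sid                       # unresolvable SID, e.g. a deleted account
            }
        } else {
            $entry
        }
    }
}

$tmp = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    $holders = @(Get-NetworkLogonHolder -InfLines (Get-Content -Path $tmp))
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

$report = foreach ($h in $holders) {
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Principal  = $h
        Authorized = $h -in $Authorized
    }
}
$report | Format-Table -AutoSize

if (@($report | Where-Object { -not $_.Authorized }).Count -gt 0) {
    Write-Warning 'Principals outside the authorized list hold this right.'
    exit 1
}
```

Add any other principal you have deliberately authorized to `$Authorized`; the saved report can be kept alongside the list of authorized remote administrators in the SSP.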

Example 2: Deploy a Privileged Access Management (PAM) tool like CyberArk or BeyondTrust. Configure it to require just-in-time access requests for any remote administrative session. The admin requests access, a supervisor approves, and the session is time-limited and fully recorded. This gives you both authorization control and an audit trail.