3.1.15 — Admin Commands Over the Wire

The One-Liner

Just because someone is an admin doesn’t mean they can do everything remotely. Define which admin functions are allowed over remote connections.

What It Says

Authorize remote execution of privileged commands and remote access to security-relevant information.

What It Actually Means

Being an admin locally doesn’t automatically mean full admin remotely. For remote admin access:

1. Identify which admin functions can be performed remotely — and which can’t
2. Document who is authorized to perform each remote admin function
3. Enforce it technically — not just through policy

If you can avoid remote admin entirely, that’s the strongest position. If you can’t, restrict it to the minimum necessary commands and the minimum necessary people.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are remotely permitted admin commands identified?	A documented list of what admin work can be done remotely
2	Are remotely accessible security info sources identified?	You know which security data can be accessed remotely
3	Is remote admin execution authorized?	Specific people authorized for specific remote admin functions
4	Is remote security info access authorized?	Access to audit configs, security settings controlled remotely

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, remote access procedures, system configuration, system security plan, audit logs

People they’ll talk to: Sysadmins, information security staff

Live demos they’ll ask for: “Show me which admin functions can be performed remotely and who is authorized for each one.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Which admin functions can be executed remotely?”
• “Is remote admin execution only authorized for documented operational needs?”
• “How do you prevent unauthorized remote admin access?”
• “Show me the documentation of authorized remote privileged functions.”

Real-World Example

A contractor’s access control policy permits two IT staff to remotely manage user accounts and reset passwords, but firewall configuration changes must be performed on-site. This is enforced through Entra PIM — the firewall admin role requires physical presence (no remote activation). The policy is documented, and the PIM configuration proves enforcement.

---

Where Companies Trip Up

No documentation. Admins perform remote admin tasks but there’s no record of what’s authorized.

Full admin access remotely. No restriction on which admin functions can be performed remotely.

No separate authorization. Remote admin is granted as part of the general admin role without specific remote authorization.

---

How to Talk About This

To a CEO or Board

We’ve documented exactly which admin functions can be performed remotely and who is authorized for each one. High-impact changes require on-site access.

To an Engineering Team

Entra PIM roles with location-based activation rules. Remote admin limited to user management and helpdesk functions. Firewall and security config changes require on-prem session. Documented in access control policy.

---

Connected Requirements

Requirement	Why it matters here
3.1.12 — Eyes on Remote Access	Broader remote access controls
3.1.5 — Minimum Necessary	Least privilege applies to remote admin too
3.7.5 — Remote Maintenance MFA	MFA for remote maintenance sessions

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.15 | SPRS Weight: 1 point | POA&M Eligible: Yes