3.13.3 — Separate Admin from User
What It Says
Separate user functionality from system management functionality.
What It Actually Means
Admin consoles, management interfaces, and configuration tools must be isolated from regular user access. Three levels of separation, from minimum to strongest:
Minimum: Logical access controls. Admin portals restricted by role — regular users get “Access Denied.” Conditional Access policies restrict admin console access to compliant devices.
Better: Separate management VLAN. Admin traffic on a dedicated network segment. Management interfaces only reachable from the management VLAN.
Best: Privileged Access Workstations (PAW). Dedicated hardware for admin tasks. The admin’s regular laptop handles email and browsing. The PAW handles server management. No cross-contamination.
The assessor will check: can a regular user’s browser reach the firewall management interface? Can an admin manage servers from the same session they use for email? If yes, separation is inadequate.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is user functionality separated from system management functionality? | Regular users can’t access admin consoles; admin traffic is isolated |
| 2 | Are management interfaces restricted? | Admin portals not reachable from the general user network |
What to Have Ready on Assessment Day
Documents they’ll review: System and communications protection policy; system security plan; system design documentation; network diagrams; system configuration settings showing management interface restrictions
People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers
Live demos they’ll ask for: Mechanisms implementing separation of user and management functionality
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Can a regular user access any admin console from their workstation?”
- “Is admin traffic on a separate VLAN or subnet?”
- “Do your admins use the same machine for email and server management?”
- “Show me how admin console access is restricted.”
- “What happens if a regular user tries to reach the firewall management interface?”
Where Companies Trip Up
Admin consoles on user network. Anyone on the corporate network can reach the firewall management GUI. Restrict by IP or VLAN.
Same machine for everything. Admins browse the web, check email, AND manage servers from the same laptop. A PAW or at minimum separate browser profiles are needed.
No Conditional Access on admin portals. M365 admin center accessible from any device. Use Conditional Access to restrict to managed admin devices.
SSH/RDP open from user VLAN. Management protocols accessible from the general network. Restrict to management VLAN only.
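As an added, self-contained example (not part of this guide or any vendor's tooling), the Python below runs the two Pass-or-Fail questions against a constructed firewall rule set: the weak rules reproduce the "admin consoles on user network" and "SSH/RDP open from user VLAN" findings, the corrected rules pass. All networks, hosts and rules are assumed values.

```python
import ipaddress
from collections import namedtuple
Net = ipaddress.IPv4Network
USER_VLAN = Net("10.10.0.0/16")       # assumed general user network
MGMT_VLAN = Net("10.250.0.0/24")      # assumed management VLAN
FIREWALL_MGMT = Net("10.250.0.1/32")  # assumed firewall management interface
SERVER_A = Net("10.20.0.10/32")       # assumed server managed over SSH/RDP
MGMT_PORTS = {22: "SSH", 3389: "RDP", 443: "HTTPS admin GUI"}
# action is "allow"/"deny"; src/dst are networks; port None matches any port.
Rule = namedtuple("Rule", "action src dst port")
# Constructed rules, evaluated top-down: first match wins, default deny.
# "Admin consoles on user network" and "SSH/RDP open from user VLAN" as rules:
WEAK_RULES = [
    Rule("allow", Net("0.0.0.0/0"), FIREWALL_MGMT, 443),
    Rule("allow", USER_VLAN, SERVER_A, 3389),
    Rule("allow", MGMT_VLAN, Net("0.0.0.0/0"), None),
]
# Corrected: management ports reachable only from the management VLAN.
HARDENED_RULES = [
    Rule("allow", MGMT_VLAN, FIREWALL_MGMT, 443),
    Rule("allow", MGMT_VLAN, SERVER_A, 22),
    Rule("allow", MGMT_VLAN, SERVER_A, 3389),
    Rule("deny", USER_VLAN, MGMT_VLAN, None),
]

def decide(rules, src, dst, port):
    """First matching rule decides; no match means deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.action
    return "deny"

def user_probes(rules, user_vlan):
    """A user-VLAN address inside each overlapping allow source (CIDRs nest), so narrow rules are not missed."""
    probes = {user_vlan[1]}
    for r in rules:
        if r.action == "allow" and r.src.overlaps(user_vlan):
            inner = r.src if r.src.prefixlen >= user_vlan.prefixlen else user_vlan
            probes.add(inner[1] if inner.num_addresses > 1 else inner[0])
    return probes

def audit(rules, targets=(FIREWALL_MGMT, SERVER_A), user_vlan=USER_VLAN):
    """Return sorted (target, port, label) triples reachable from the user VLAN."""
    findings = set()
    for src in user_probes(rules, user_vlan):
        for host in targets:
            for port, label in MGMT_PORTS.items():
                if decide(rules, src, host[0], port) == "allow":
                    findings.add((str(host[0]), port, label))
    return sorted(findings)
```

An empty result from `audit()` is the "yes" the assessor wants for both rows; each finding names the management interface, port and protocol a regular user could still reach.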
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.1.6 — Two Hats, Two Accounts | Separate accounts support separate management access |
| 3.13.1 — Guard the Boundaries | Management VLAN is an internal boundary |
| 3.1.5 — Minimum Necessary | Least privilege restricts who reaches management interfaces |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: SC.L2-3.13.3 | SPRS Weight: 1 point | POA&M Eligible: Yes