How to Meet AC.L2-3.1.15

Practical guide for SMBs to implement AC.L2-3.1.15

Requirement

AC.L2-3.1.15 – Authorize remote execution of privileged commands and remote access to security-relevant information.

This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.

Understanding the Requirement

This control requires you to explicitly decide which privileged actions and security-relevant data can be accessed remotely, and only allow that access for authorized people under defined conditions. By limiting who can perform admin tasks over remote connections (such as VPN) and what security data can be reached remotely, you lower the chance that a compromised account or device can be used to take over systems or harvest sensitive logs and alerts. Practically, you must identify permitted remote admin commands, identify which security data can be accessed remotely, and formally authorize both before enabling them.

Policies and Procedures Needed

Establish a Remote Administration Policy that defines when remote privileged activity is allowed, how it is approved, and which tools and networks are permitted. Complement it with procedures for VPN and remote access, privileged account management (including split admin accounts), service account handling, device authorization (trusted/managed devices only), change and ticket-based approvals, emergency “break-glass” use, logging and monitoring, and periodic access reviews and recertifications. Include onboarding/offboarding steps that add/remove users from remote-admin groups and define an exceptions process with time-bound approvals.

Technical Implementation

  • Default to “no remote admin.” Disable VPN and remote access for privileged accounts where feasible. Use separate accounts for admins (one standard user account allowed on VPN, one admin account blocked from VPN) and enforce this with directory groups and conditional access.
  • If remote admin is necessary, tightly scope it: define the exact systems and commands permitted (e.g., remote desktop assistance to user PCs only; no remote logon to domain controllers). Implement with security groups (e.g., “Remote-Admin-Approved”), firewall rules limiting VPN subnets to specific management gateways, and just-in-time group membership with automatic expiry.
  • Require MFA on VPN and admin tools. Allow remote privileged sessions only from compliant, managed devices (device certificates, EDR present, disk encryption enabled). Use hardened privileged access workstations (PAWs) or a secured jump host/bastion and block direct admin access from general user devices.
  • Protect security-relevant information: classify what counts (e.g., SIEM, syslog, EDR/IDS dashboards, audit logs, vulnerability scans) and block remote access by default. Where access is essential, restrict to named users and groups, approved IP ranges, and read-only roles; segment logging infrastructure onto internal-only networks not routable from VPN.
  • Enforce approvals and visibility: require a ticket/change record before enabling remote privileged commands or granting access to security data; use PAM or automated workflows to grant time-bound access. Log and, where possible, record remote admin sessions and commands; forward logs to a SIEM and review them routinely.
  • Validate continuously: run periodic access reviews for “Remote-Admin-Approved” and log-reader groups, test firewall and conditional access policies, simulate a compromised VPN user to confirm privileged paths remain blocked, and maintain an audited break-glass account with strict controls.
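The periodic access review in the last bullet is easy to describe and easy to let slip, so here is an added example (not code from the original guide) of what an automated review of the identity side looks like. It checks three things the bullets call for: that no privileged account is allowed on VPN, that every member of "Remote-Admin-Approved" still has an unexpired, ticket-backed just-in-time grant, and that members of the log-reader group appear on a named approved list. The account names, the "VPN-Users" and "SIEM-Readers" group names, the ticket ids and the timestamps are all constructed for illustration; in practice the account and group data would be pulled from the directory and the grants from the PAM or ticketing system.

```python
"""Access-review check for remote-admin and log-reader groups (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "Remote-Admin-Approved" is the group named in the guide; the other two are assumed names.
VPN_GROUP = "VPN-Users"
REMOTE_ADMIN_GROUP = "Remote-Admin-Approved"
LOG_READER_GROUP = "SIEM-Readers"


@dataclass
class Account:
    name: str
    privileged: bool                       # True for the admin half of a split account
    groups: set = field(default_factory=set)


@dataclass
class JitGrant:
    account: str
    group: str
    ticket: str                            # change/ticket record that authorized the grant
    expires: datetime                      # auto-expiry time of the membership


def review_access(accounts, grants, approved_log_readers, now):
    """Return a list of (code, account, detail) findings for the three review checks."""
    findings = []
    # A membership counts as authorized only while a ticket-backed grant is unexpired.
    active = {(g.account, g.group) for g in grants if g.expires > now}
    for acct in accounts:
        if acct.privileged and VPN_GROUP in acct.groups:
            findings.append(("admin-on-vpn", acct.name,
                             f"privileged account is a member of {VPN_GROUP}"))
        if REMOTE_ADMIN_GROUP in acct.groups and (acct.name, REMOTE_ADMIN_GROUP) not in active:
            findings.append(("stale-jit-membership", acct.name,
                             f"in {REMOTE_ADMIN_GROUP} without an unexpired ticket-backed grant"))
        if LOG_READER_GROUP in acct.groups and acct.name not in approved_log_readers:
            findings.append(("unapproved-log-reader", acct.name,
                             f"in {LOG_READER_GROUP} but not on the approved reader list"))
    return findings


# Constructed sample data with a fixed clock so the run is reproducible.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [
    Account("alice", False, {VPN_GROUP}),                        # standard account, VPN allowed
    Account("alice-adm", True, {REMOTE_ADMIN_GROUP}),            # admin account, current JIT grant
    Account("bob-adm", True, {VPN_GROUP, REMOTE_ADMIN_GROUP}),   # admin on VPN, grant expired
    Account("carol", False, {VPN_GROUP, LOG_READER_GROUP}),      # log reader not on approved list
    Account("dave", False, {LOG_READER_GROUP}),                  # approved log reader
]

SAMPLE_GRANTS = [
    JitGrant("alice-adm", REMOTE_ADMIN_GROUP, "CHG-0001", NOW + timedelta(hours=1)),
    JitGrant("bob-adm", REMOTE_ADMIN_GROUP, "CHG-0002", NOW - timedelta(hours=3)),
]

APPROVED_LOG_READERS = {"dave"}


def sample_review():
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_GRANTS, APPROVED_LOG_READERS, NOW)


if __name__ == "__main__":
    for code, account, detail in sample_review():
        print(f"{code:22} {account:10} {detail}")
```

On the sample data the review reports bob-adm twice (on VPN, and in the admin group after the grant expired) and carol once; each finding maps directly to a remediation step in the bullets above (remove from the VPN group, remove the stale membership, add to the approved list or remove the group).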

Example in a Small or Medium Business

A 120-person manufacturer decides that admin activity should occur onsite, except for limited help desk support. They create split accounts for IT staff and configure VPN policies so only standard user accounts can connect; admin accounts are denied VPN access. The help desk is granted remote support rights through an RMM tool to user endpoints, but firewall rules block the VPN subnet from reaching domain controllers, hypervisors, firewall management, and the syslog/SIEM network. A “Remote-Admin-Approved” group provides time-bound access to the jump host for rare after-hours changes, granted via a ticket and auto-expiring in two hours. MFA is required for VPN and the jump host, and only managed, encrypted laptops with EDR can connect. All remote sessions through the jump host are logged and session-recorded to the SIEM, and access to the SIEM itself is internal-only, with no VPN routing to that VLAN. Quarterly, the IT manager reviews group memberships and session logs, removing any stale access and documenting the review.
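The manufacturer's design relies on the firewall keeping the VPN subnet away from domain controllers, hypervisors, firewall management and the syslog/SIEM network while still allowing the RMM gateway and the jump host. A rule set like that drifts over time, so a recurring offline check of the policy is worth having. The following is an added example, not code from the original guide, that evaluates a constructed first-match rule set against a table of expected outcomes and reports every path that does not behave as designed. All addresses, ports and rules are constructed for illustration; a real check would load the exported rule base from the firewall.

```python
"""Segmentation check: does the VPN subnet reach only what the design allows? (added example)"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int] = None   # None matches any destination port


def evaluate(rules, src_ip, dst_ip, port, default="deny"):
    """First-match evaluation with an implicit default deny, as most firewalls behave."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return default


def check_vpn_isolation(rules, vpn_client_ip, probes):
    """Return (label, dst, port, expected, actual) for every probe that misbehaves."""
    violations = []
    for label, dst_ip, port, expected in probes:
        actual = evaluate(rules, vpn_client_ip, dst_ip, port)
        if actual != expected:
            violations.append((label, dst_ip, port, expected, actual))
    return violations


# Constructed rule base. 10.50.0.0/16 is the VPN pool, 10.10.0.0/16 the management
# network, 10.20.0.0/24 the syslog/SIEM VLAN and 10.30.0.0/24 the user PC network.
SAMPLE_RULES = [
    Rule("allow", "10.50.0.0/16", "10.10.20.5/32", 443),    # RMM gateway for help desk
    Rule("allow", "10.50.0.0/16", "10.10.20.10/32", 22),    # jump host, SSH only
    Rule("allow", "10.50.0.0/16", "10.10.0.0/16", 3389),    # stale, over-broad exception
    Rule("deny", "10.50.0.0/16", "10.10.0.0/16"),           # management network
    Rule("deny", "10.50.0.0/16", "10.20.0.0/24"),           # syslog/SIEM VLAN
    Rule("allow", "10.50.0.0/16", "10.30.0.0/24"),          # user endpoints
]

# What the design in the text says each path should do.
SAMPLE_PROBES = [
    ("domain controller LDAP", "10.10.1.10", 389, "deny"),
    ("domain controller RDP", "10.10.1.10", 3389, "deny"),
    ("hypervisor management", "10.10.2.20", 443, "deny"),
    ("firewall management", "10.10.0.1", 443, "deny"),
    ("syslog collector", "10.20.0.50", 514, "deny"),
    ("SIEM web UI", "10.20.0.60", 443, "deny"),
    ("RMM gateway", "10.10.20.5", 443, "allow"),
    ("jump host SSH", "10.10.20.10", 22, "allow"),
    ("jump host RDP", "10.10.20.10", 3389, "deny"),
    ("user PC remote support", "10.30.0.25", 3389, "allow"),
]

VPN_CLIENT_IP = "10.50.3.17"   # constructed address from the VPN pool


def sample_check():
    """Run the isolation check over the constructed rule base."""
    return check_vpn_isolation(SAMPLE_RULES, VPN_CLIENT_IP, SAMPLE_PROBES)


if __name__ == "__main__":
    for label, dst, port, expected, actual in sample_check():
        print(f"VIOLATION {label}: {dst}:{port} expected {expected}, got {actual}")
```

Here the check surfaces two violations, both caused by the third rule: RDP from the VPN pool reaches the domain controller and the jump host even though the deny below it was meant to cover the whole management network. Running the same probe table after every firewall change is a cheap way to keep the segmentation the SMB example depends on from eroding.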

Summary

To meet AC.L2-3.1.15, SMBs should make remote privileged activity the exception, not the norm: define what is permitted, who can do it, from which devices, and through which tightly controlled paths. A clear Remote Administration Policy, split accounts, MFA, managed devices, jump hosts, and network segmentation prevent routine VPN users from reaching privileged systems or security data. Approvals, time-bound access, and comprehensive logging provide assurance and auditability. Together, these policy and technical controls materially reduce the risk that a compromised remote user can execute privileged commands or exfiltrate security-relevant information.
