GRCWatch
Sign inStart free trial

CIS Control 12.8: Establish and Maintain Dedicated Computing Resources for Administrative Work

Administrative access is a high-value target for attackers. CIS Control 12.8 requires you to isolate all admin work onto dedicated, segmented systems that never touch your primary network or internet. This control dramatically reduces lateral movement risk and credential exposure.

What this means

You must create and maintain separate computing resources—whether physical machines or logically isolated virtual environments—exclusively for administrative tasks and accounts with elevated privileges. These resources must be network-segmented from your enterprise primary network and blocked from internet access. The goal is to prevent attackers who compromise standard user endpoints from pivoting to admin workstations or using shared resources to escalate privileges.

How to comply

  1. 1.Inventory all administrative roles and systems that require elevated access across your organization
  2. 2.Procure dedicated hardware or configure logical isolation (VLANs, virtualization) for admin workstations separate from user endpoints
  3. 3.Implement network segmentation rules that block all admin systems from accessing your primary user network and prevent any outbound internet connectivity
  4. 4.Configure multi-factor authentication and strong credential management on all admin resources
  5. 5.Monitor and log all access to and activity on dedicated admin systems
  6. 6.Document your segmentation architecture, including network diagrams and firewall rules
  7. 7.Conduct regular audits to ensure no administrative work occurs on standard user or shared devices

Evidence auditors look for

  • Network diagrams showing physical or logical separation of admin workstations from primary network
  • Firewall rules and access control lists demonstrating blocked internet access to admin systems
  • Hardware inventory or virtualization platform documentation confirming dedicated resources
  • Configuration screenshots showing network segmentation (VLAN assignments, subnet isolation)
  • Access logs from admin systems showing only authorized administrative activity
  • Change management records for any updates or modifications to dedicated admin resources
  • Audit reports confirming no admin access from standard user devices

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your admin resource inventory to CIS 12.8 requirements, detects unsegmented admin workstations, and generates evidence reports from your network logs—eliminating manual segmentation audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 3.3 - Address Unauthorized SoftwareCIS Control 5.1 - Establish and Maintain an Inventory of AccountsCIS Control 6.1 - Establish and Maintain an Inventory of Authorized and Unauthorized SoftwareCIS Control 12.1 - Segment Networks Based on SensitivityCIS Control 13.1 - Establish and Maintain a Security Awareness Program