Access Wall - Privileged Access Enforcement

Purpose

Access Wall is a PAM-native access enforcement feature designed to prevent direct, unmanaged access to privileged assets. It ensures that all inbound administrative connections (e.g., RDP, SSH, WinRM) to a protected asset are allowed only from the PAM system or other pre-approved hosts. Access Wall provides automated, scalable enforcement of host-level access rules without requiring manual firewall configuration.


Key Capabilities

  • Inbound Access Enforcement: Limits inbound connections to privileged ports, by default allowing only PAM servers. Optional trusted hosts can be configured as required.
  • Supported Platforms:
    • Windows Server (via Windows Defender Firewall)
    • Linux Servers (iptables, nftables)
    • Select network devices
    • Cloud-hosted VMs using native OS firewall controls
  • Protocol Coverage:
    • Default: RDP (3389), SSH (22), WinRM (5986)
    • Customizable ports for organization-specific requirements
  • Tag-Based Deployment: Apply a predefined Access Wall tag to an asset to enable enforcement. Only tagged assets are affected.

How It Works

  1. Tag Assignment:
    The PAM administrator applies the [Application :: Access Wall] tag to selected assets in the PAM console.
  2. Remote Connection:
    The PAM system connects to the asset using existing privileged credentials via WinRM (Windows) or SSH (Linux). No additional credentials or agents are required.
  3. Firewall Configuration:
    Access Wall applies predefined inbound rules to the asset’s native firewall. By default, only inbound connections from the PAM system (or other defined trusted hosts) are allowed.
  4. Optional Customization:
    Administrators may extend rules to allow additional trusted hosts or customize ports if necessary.
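The rule set that steps 2 and 3 describe, as an added example written for this page (not the product's own code): a POSIX shell script that renders the nftables ruleset an Access Wall-style enforcement step would push to a Linux asset, plus a small helper that evaluates the resulting policy for one inbound connection. The function names and the sample PAM and trusted-host addresses are assumptions; the ports are the page's defaults.

```shell
#!/bin/sh
# Added example, not the product's own code. Renders the nftables ruleset an
# Access Wall-style step applies to a Linux asset: new inbound TCP to the
# protected ports is accepted only from PAM servers and optional trusted
# hosts, dropped otherwise; all other ports stay untouched (policy accept).

# Join arguments with ", " for nft set element lists.
join_commas() {
  out=""
  for item in "$@"; do
    if [ -z "$out" ]; then out="$item"; else out="$out, $item"; fi
  done
  printf '%s' "$out"
}

# Print the ruleset. $1: PAM server IPs, $2: optional trusted host IPs
# (may be empty), $3: protected ports. All three are space-separated.
access_wall_ruleset() {
  host_elems=$(join_commas $1 $2)     # unquoted on purpose: word-split
  port_elems=$(join_commas $3)
  cat <<EOF
table inet access_wall {
  set allowed_hosts { type ipv4_addr; elements = { $host_elems } }
  set privileged_ports { type inet_service; elements = { $port_elems } }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    tcp dport @privileged_ports ip saddr @allowed_hosts accept
    tcp dport @privileged_ports drop
  }
}
EOF
}

# Evaluate the policy for one new inbound TCP connection; prints "accept" or
# "drop". $1: source IP, $2: dest port, $3: allowed hosts, $4: protected ports.
access_wall_decide() {
  src="$1"; dport="$2"; allowed="$3"; ports="$4"
  for p in $ports; do
    if [ "$p" = "$dport" ]; then
      for h in $allowed; do
        if [ "$h" = "$src" ]; then echo accept; return 0; fi
      done
      echo drop; return 0
    fi
  done
  echo accept   # port not protected: Access Wall leaves it as-is
}

# Constructed sample: two PAM servers, one trusted jump host, default ports.
access_wall_ruleset "10.0.0.10 10.0.0.11" "10.0.5.25" "22 3389 5986"
```

The generated text is only printed; loading it with nft, and the equivalent Windows Defender Firewall rules, is what the PAM system does over the SSH or WinRM session.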

Note

For configuration steps, review our Access Wall Configuration page.


Operational Considerations

  • Default Behavior: Only inbound access from PAM servers is allowed.
  • Safety: Predefined firewall rules minimize the risk of misconfiguration. Trusted hosts can be added to maintain necessary connectivity.
  • Scope: Enforcement applies only to assets tagged with [Application :: Access Wall]. Untagged assets remain unaffected.
  • Scalability: Designed for enterprise environments, Access Wall can manage hundreds or thousands of assets without manual firewall intervention.

Use Cases

  • Prevent privileged users or attackers from bypassing PAM controls.
  • Simplify firewall management across large server or device fleets.
  • Ensure technical enforcement of privileged access policies for compliance (SOC 2, ISO 27001, etc.).
  • Reduce operational overhead for IT teams while maintaining their security posture.

Summary

Access Wall extends the PAM platform to enforce host-level access controls, ensuring all privileged access is managed, auditable, and compliant. By automating firewall rule enforcement, it reduces operational complexity while maintaining a strong security posture.