Access Wall - Privileged Access Enforcement
Purpose
Access Wall is a PAM-native access enforcement feature designed to prevent direct, unmanaged access to privileged assets. It ensures that all inbound administrative connections (e.g., RDP, SSH, WinRM) to a protected asset are allowed only from the PAM system or other pre-approved hosts. Access Wall provides automated, scalable enforcement of host-level access rules without requiring manual firewall configuration.
Key Capabilities
- Inbound Access Enforcement: Limits inbound connections to privileged ports, by default allowing only PAM servers. Optional trusted hosts can be configured as required.
- Supported Platforms:
- Windows Server (via Windows Defender Firewall)
- Linux Servers (iptables, nftables)
- Select network devices
- Cloud-hosted VMs using native OS firewall controls
- Protocol Coverage:
- Default: RDP (3389), SSH (22), WinRM (5986, the HTTPS listener)
- Customizable ports for organization-specific requirements
- Tag-Based Deployment: Apply a predefined Access Wall tag to an asset to enable enforcement. Only tagged assets are affected.
How It Works
- Tag Assignment:
The PAM administrator applies the [Application :: Access Wall] tag to selected assets in the PAM console.
- Remote Connection:
The PAM system connects to the asset using existing privileged credentials via WinRM (Windows) or SSH (Linux). No additional credentials or agents are required.
- Firewall Configuration:
Access Wall applies predefined inbound rules to the asset's native firewall. By default, only inbound connections from the PAM system (or other defined trusted hosts) are allowed.
- Optional Customization:
Administrators may extend the rules to allow additional trusted hosts or customize ports if necessary.
- Access Wall Enforcement:
Enforcement is activated per asset using the Enable Access Wall action. When enabled, the relevant default inbound access rules are disabled, and only traffic explicitly permitted by the configured rules is allowed on the protected ports.
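The procedure above, reduced to what actually lands on a Linux asset, as an added example that is not part of this page or the product's own code: a script that builds an nftables ruleset restricting the privileged ports to the PAM servers plus optional trusted hosts, with the lockout guard and syntax check a practitioner would want before pushing rules over the same SSH session they restrict. The PAM addresses, trusted host and port list are constructed sample values; the table and set names are assumptions. The Windows equivalent would be the same logic expressed as Windows Defender Firewall rules.

```shell
#!/usr/bin/env sh
# Added example, not the product's own code: build an nftables ruleset that
# implements an "access wall" on a Linux asset. Inbound TCP to the privileged
# ports is accepted only from the PAM servers and optional trusted hosts and
# dropped from everywhere else; all other inbound traffic is left untouched.
# Host addresses and ports below are constructed sample values.
set -eu

PAM_HOSTS="10.0.10.5 10.0.10.6"   # addresses the PAM system connects from (assumed)
TRUSTED_HOSTS="10.0.20.15"        # optional extra admin host (assumed); may be empty
PRIVILEGED_PORTS="22"             # SSH on a Linux asset; add 3389/5986 where relevant

# "a b c" -> "a, b, c" for nftables set element lists.
csv() {
  printf '%s' "$*" | tr -s ' ' ',' | sed 's/,/, /g'
}

# Emit one named set. The elements line is omitted when the list is empty,
# because "elements = { }" is not valid nft syntax but an empty set is.
emit_set() {
  local name="$1" type="$2" elems="$3"
  printf '  set %s {\n    type %s\n' "$name" "$type"
  if [ -n "$(printf '%s' "$elems" | tr -d ' ')" ]; then
    printf '    elements = { %s }\n' "$(csv $elems)"
  fi
  printf '  }\n'
}

# Print the full ruleset to stdout.
#   $1 = PAM server IPv4s, $2 = trusted host IPv4s (may be empty), $3 = ports
build_access_wall_ruleset() {
  local pam="$1" trusted="$2" ports="$3"
  # Lockout guard: the rules are pushed over the very SSH session they restrict,
  # so an empty allow list would sever PAM access. Refuse to build it.
  if [ -z "$(printf '%s' "$pam $trusted" | tr -d ' ')" ]; then
    echo "refusing to build a ruleset with no allowed hosts" >&2
    return 1
  fi
  # Declare, delete, then redefine the table so that nft -f replaces it in one
  # transaction (no duplicate rules on re-run). Requires a reasonably recent nft.
  printf 'table inet access_wall\ndelete table inet access_wall\n'
  printf 'table inet access_wall {\n'
  emit_set pam_servers ipv4_addr "$pam"
  emit_set trusted_hosts ipv4_addr "$trusted"
  emit_set privileged_ports inet_service "$ports"
  # Note: "ip saddr" matches IPv4 only. If the PAM system reaches the asset over
  # IPv6, add an ip6 saddr set here or the final drop rule will cut it off.
  cat <<'EOF'
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    tcp dport @privileged_ports ip saddr @pam_servers accept
    tcp dport @privileged_ports ip saddr @trusted_hosts accept
    tcp dport @privileged_ports counter drop
  }
}
EOF
}

# Syntax-check the ruleset before loading it; nft -c parses without touching the kernel.
apply_access_wall() {
  local file="$1"
  nft -c -f "$file" && nft -f "$file"
}

# Demonstration with the constructed inputs; redirect to a file and pass it to
# apply_access_wall (as root) on the asset.
build_access_wall_ruleset "$PAM_HOSTS" "$TRUSTED_HOSTS" "$PRIVILEGED_PORTS"
```

The chain keeps `policy accept` and only drops on the privileged-port set, matching the page's scope (privileged ports only, everything else untouched). Run the generated file through `nft -c -f` from the PAM-brokered session before loading it, and confirm the PAM server's own address is in `pam_servers`, since that session is the one that would otherwise be dropped.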
Note
For detailed configuration steps, review our Access Wall Configuration page.
Operational Considerations
- Default Behavior: Only inbound access from PAM servers is allowed.
- Safety: Predefined firewall rules minimize the risk of misconfiguration, and the PAM servers themselves are always allowed, since the rules are pushed over the same WinRM/SSH connection they restrict. Add trusted hosts before enabling enforcement to maintain any other necessary connectivity.
- Scope: Enforcement applies only to assets tagged with [Application :: Access Wall]. Untagged assets remain unaffected.
- Scalability: Designed for enterprise environments, Access Wall can manage hundreds or thousands of assets without manual firewall intervention.
Use Cases
- Prevent privileged users or attackers from bypassing PAM controls.
- Simplify firewall management across large server or device fleets.
- Ensure technical enforcement of privileged access policies for compliance (SOC 2, ISO 27001, etc.).
- Reduce operational overhead for IT teams while maintaining security posture.
Summary
Access Wall extends the PAM platform to enforce host-level access controls, ensuring all privileged access is managed, auditable, and compliant. By automating firewall rule enforcement, it reduces operational complexity while maintaining strong security posture.