NIST 800-53 REV 5 • ACCESS CONTROL
AC-17(7) — Additional Protection for Security Function Access
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
When security functions are accessed remotely — like managing firewall rules or SIEM configurations — provide extra protection beyond what you require for regular remote access.
Example 1: Create a separate VPN profile for security infrastructure management that requires a hardware token (YubiKey) in addition to the standard MFA. Only members of the Security-Admins group can connect using this profile.
Example 2: Require all remote access to security tools (SIEM, vulnerability scanner, PAM) to originate from a Privileged Access Workstation (PAW). Configure Conditional Access policies that block access to security admin portals from any device not registered as a PAW in Intune.
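A check for Example 2, as an added example that is not part of the original notes: it reads exported Conditional Access policies and reports which security admin portals are not covered by an enforced block on non-PAW devices. It assumes the policies are exported in the Microsoft Graph conditionalAccessPolicy JSON shape and that PAWs are tagged with extensionAttribute1 set to "PAW"; the application IDs, policy names and the tag value are constructed placeholders.

```python
import json

# Assumption: PAWs are identified by this device filter rule (tag value is hypothetical).
PAW_RULE = 'device.extensionAttribute1 -eq "PAW"'
REQUIRED_APPS = ["app-siem", "app-pam", "app-vulnscan"]  # placeholder app IDs

# Constructed sample export: two policies shaped like Graph conditionalAccessPolicy
# objects. The second one is still in report-only mode.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Block security portals from non-PAW devices",
   "state": "enabled",
   "conditions": {
     "applications": {"includeApplications": ["app-siem", "app-pam"]},
     "devices": {"deviceFilter": {"mode": "exclude",
                 "rule": "device.extensionAttribute1 -eq \\"PAW\\""}}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Scanner portal PAW block (pilot)",
   "state": "enabledForReportingOnly",
   "conditions": {
     "applications": {"includeApplications": ["app-vulnscan"]},
     "devices": {"deviceFilter": {"mode": "exclude",
                 "rule": "device.extensionAttribute1 -eq \\"PAW\\""}}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

def enforces_paw_block(policy, app_id, paw_rule):
    """True if this policy blocks app_id from every device except PAWs."""
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    included = apps.get("includeApplications", [])
    dev_filter = (cond.get("devices") or {}).get("deviceFilter") or {}
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"             # report-only does not block
        and (app_id in included or "All" in included)
        and app_id not in apps.get("excludeApplications", [])
        and dev_filter.get("mode") == "exclude"      # PAWs carved out of the block
        and dev_filter.get("rule") == paw_rule
        and "block" in grant.get("builtInControls", [])
    )

def uncovered_apps(policies, required_apps, paw_rule):
    """Required apps with no enforced PAW-only block policy."""
    return sorted(a for a in required_apps
                  if not any(enforces_paw_block(p, a, paw_rule) for p in policies))

if __name__ == "__main__":
    print("Not PAW-restricted:", uncovered_apps(SAMPLE_EXPORT, REQUIRED_APPS, PAW_RULE))
```

The check does not evaluate user or group scope, so a policy that targets only some administrators still counts as coverage here and needs a separate review.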