Mapped controls: SC-7 (NIST SP 800-53 Rev 5), A.13.1.3 (ISO 27001), CIS-12.2 (CIS v8), NIST CSF. Domain: Network.

Network segmentation between user and server tiers

Demonstrate that traffic between the user / workstation tier and the server / data tier is explicitly restricted, logged and reviewed — preventing lateral movement after a single endpoint compromise.

Description

What this control does

Network segmentation logically separates the user workstation tier from the server / data tier so that compromise of a single endpoint cannot grant direct lateral movement into critical infrastructure. Effective segmentation uses VLANs, host-based firewalls, identity-aware proxies and explicit east-west deny-by-default ACLs — not just perimeter firewalling. Modern deployments add micro-segmentation at the workload level, identity-bound access policies, and continuous monitoring of east-west traffic.

Control objective

What auditing this proves

Demonstrate that traffic between the user / workstation tier and the server / data tier is explicitly restricted, logged and reviewed — preventing lateral movement after a single endpoint compromise.

Associated risks

Risks this control addresses

  • Ransomware encryptor reaches file servers via a compromised workstation
  • Lateral movement to domain controllers undetected
  • Data exfiltration from a server tier to the internet
  • Unauthorised admin tooling running across subnets
  • Insider with workstation access reaching production databases directly

Testing procedure

How an auditor verifies this control

  1. Inventory: Document every VLAN, subnet and security group used to separate user vs server tiers. Capture the as-built diagram.
  2. Configuration review: Inspect each firewall / NSG / ACL ruleset between user and server tiers. Confirm default policy is deny.
  3. Allowed-flows test: Verify every documented exception (e.g. RDP from jump-host, AD replication, monitoring) is necessary, time-bound, and logged.
  4. Live traffic test: From a representative user-tier endpoint, attempt to reach a server-tier service (SMB, SSH, RDP, internal HTTP) that should be blocked. Confirm denial + alert.
  5. Lateral movement simulation: With red-team approval, attempt to traverse from a compromised user endpoint to the server tier using tools like CrackMapExec / impacket. Confirm detection and block.
  6. Log review: Pull 30 days of east-west allow / deny logs. Confirm logging is enabled, retained, and reviewed.
  7. Drift detection: Verify a process exists to detect + remediate unauthorised firewall-rule changes (CI/CD config, change-control records).
Evidence required: Network diagram, firewall / NSG / ACL configuration exports, list of allowed east-west flows with business justification, deny-log samples, lateral-movement test report, change-control records for the last 90 days.

Pass criteria: Deny-by-default policy enforced AND all allowed flows justified, logged, and reviewed within the last 90 days.
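As an added example (not part of this control catalogue or of any firewall vendor's tooling), a small Python checker that applies the pass criteria above to a ruleset export: default action must be deny, and every allow rule between the tiers must carry a business justification, have logging enabled, and have been reviewed within the last 90 days. The dict layout and the sample rules are constructed assumptions; a real NSG / ACL export would first be normalised into this shape.

```python
"""Evaluate a user-tier -> server-tier ruleset against the segmentation pass criteria."""
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)   # "reviewed within the last 90 days"
AUDIT_DATE = date(2024, 6, 1)        # constructed audit date for the sample run

# Constructed sample export (assumed shape; real NSG/ACL exports need a converter).
SAMPLE_POLICY = {
    "default_action": "deny",
    "rules": [
        {"id": 10, "src": "10.10.0.0/16", "dst": "10.20.0.5", "port": 3389,
         "action": "allow", "log": True, "justification": "RDP from jump-host",
         "reviewed": "2024-05-01"},
        {"id": 20, "src": "10.10.0.0/16", "dst": "10.20.0.0/24", "port": 445,
         "action": "allow", "log": False, "justification": "",
         "reviewed": "2023-11-15"},
        {"id": 30, "src": "10.10.0.0/16", "dst": "10.20.0.0/24", "port": 22,
         "action": "deny", "log": True, "justification": "", "reviewed": ""},
    ],
}


def evaluate(policy, today):
    """Return a list of findings; an empty list means the pass criteria are met."""
    findings = []
    if policy.get("default_action") != "deny":
        findings.append("default policy between tiers is not deny")
    for r in policy["rules"]:
        tag = f"rule {r['id']} ({r['src']} -> {r['dst']}:{r['port']})"
        if not r["log"]:  # both allow and deny events must be logged for review
            findings.append(f"{tag}: logging disabled")
        if r["action"] != "allow":
            continue      # deny rules need no justification or review date
        if not r["justification"].strip():
            findings.append(f"{tag}: no business justification")
        reviewed = date.fromisoformat(r["reviewed"]) if r["reviewed"] else None
        if reviewed is None or today - reviewed > REVIEW_WINDOW:
            findings.append(f"{tag}: not reviewed in last {REVIEW_WINDOW.days} days")
    return findings


def passes(policy, today):
    """True only when deny-by-default holds and every allowed flow is justified, logged, reviewed."""
    return not evaluate(policy, today)


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_POLICY, AUDIT_DATE):
        print("FAIL:", finding)
    print("PASS" if passes(SAMPLE_POLICY, AUDIT_DATE) else "control not met")
```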