While browsing for some information on browsing down, I found some useful resources from the National Cyber Security Centre: a whitepaper on Security Architecture Anti-Patterns, guidance on secure system administration and a blog post on protecting management interfaces (which focuses on browsing down).

Reassuringly, my current plans for improving my network’s security align with a lot of this advice - their “small company” example is almost exactly what I am aiming to achieve. While this is still “browsing up”, not having separate uber-secure privileged-access-workstations (“PAW”), my plans incorporate the security controls they describe for this scenario. I am not adding a PAW (at least for now) for the same cost reasons, as well as my agenda to reduce power consumption, which adding a PAW runs counter to.