Overview
A Privileged Access Workstation (PAW) is a dedicated, hardened computer used only for administrative tasks.
Why? Because admins often use the same laptop to check email, browse the web, and manage the Domain Controller. If they click a phishing link, the attacker owns the laptop, steals the admin credentials (via a keylogger or Pass-the-Hash), and owns the Domain.
PAWs break this attack chain. The admin uses a standard laptop for email/web, and a separate, locked-down PAW for admin tasks. The PAW cannot browse the internet and cannot read email.
Architecture
Reference Pattern: Tiered Hardware
This pattern separates the "Dirty" environment (internet and email) from the "Clean" environment (administration) on different hardware.
Diagram
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Form Factor | Separate Laptop, VM on Laptop, VDI | Separate Laptop (Tier 0) | Physical separation is best for Domain Admins. VM/VDI is acceptable for lower tiers. |
| Connectivity | Internet Access, No Internet | Allowlist Only | Block all internet except specific management URLs (e.g., Azure Portal, Vendor Updates). |
| Productivity | Email/Office, None | None | No Outlook, no Word, no Slack. Reduces attack surface. |
| OS Management | Standard Image, Hardened Image | Hardened (clean source) | Use a separate, clean build pipeline. Do not put the PAW in the same AD OU as standard laptops. |
| Access | Username/Pass, Smartcard/FIDO | Smartcard / FIDO2 | Enforce MFA for logon to the PAW itself. |
Implementation
Phase 1: The Domain Admin PAW (Tier 0)
- Issue physical laptops to the 5-10 Domain Admins.
- Block Internet access.
- Install only RSAT (Remote Server Administration Tools) and the Jump Client.
- Goal: Protect the keys to the kingdom.
Phase 2: The Server Admin PAW (Tier 1)
- Deploy secure VDI or VMs for Server Admins.
- Require them to use this VM to RDP/SSH into servers.
- Block copy/paste between the Host (Dirty) and VM (Clean).
- Goal: Protect production infrastructure.
Phase 3: Cloud Admin PAW
- Browser-only PAW (e.g., Chromebook or Locked Browser) for AWS/Azure access.
- Enforce Device Trust policies (Conditional Access) to ensure only the PAW can access the Cloud Console.
- Goal: Stop token theft from unmanaged devices.
Risks
- Usability Revolt: Carrying two laptops is annoying. Admins will try to bypass it.
- "Jump Box" Confusion: A Jump Box (Server) is not a PAW (Client). You need both.
- Supply Chain: Ensure the PAW hardware itself wasn't compromised before you got it.
- Cost: Buying extra hardware for admins is an expense, but cheaper than a breach.
KPIs
- PAW Adoption: Percentage of admins (Tier 0/1) using PAWs for privileged tasks vs. standard workstations.
- Compliance Rate: Percentage of PAWs meeting strict security baselines (patching/config) vs. fleet average.
- Bypass Attempts: Alerts triggered by admins logging into Tier 0 systems from non-PAW IP addresses.
- Incident Count: Number of malware infections detected on PAWs (Target: 0).
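The "Bypass Attempts" and "PAW Adoption" KPIs above both reduce to the same question: did a privileged session on a Tier 0 host originate from a PAW address? The following script is an added example (not part of this page and not any vendor's tooling) showing how that check can be expressed over logon records. The Tier 0 host names, the PAW subnet 10.99.0.0/24, the user names and the sample events are all constructed for illustration; the record fields are modelled on Windows Security event 4624 (successful logon, with logon types 3 and 10 covering network and RDP sessions).

```python
"""Detect Tier 0 logons that did not come from a PAW, and compute the PAW adoption KPI.

Added example, not from the original page. Every hostname, address, user and
log record below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: Tier 0 assets and the only sanctioned source network
# for privileged sessions (assumed dedicated PAW VLAN).
TIER0_HOSTS = {"DC01", "DC02", "ADFS01"}
PAW_NETWORKS = [ip_network("10.99.0.0/24")]
# Logon types that represent a remote admin session (3 = network, 10 = RemoteInteractive/RDP).
REMOTE_LOGON_TYPES = {"3", "10"}


@dataclass(frozen=True)
class LogonEvent:
    event_id: str     # Windows Security event ID as a string, e.g. "4624"
    target_host: str  # host that recorded the logon
    user: str         # account that logged on
    logon_type: str   # Windows logon type
    source_ip: str    # workstation address the session came from


# Constructed sample records (not real logs). 4625 is a failed logon and is ignored.
SAMPLE_EVENTS = [
    LogonEvent("4624", "DC01", "CORP\\da-alice", "10", "10.99.0.15"),
    LogonEvent("4624", "DC01", "CORP\\da-bob", "10", "10.20.5.77"),
    LogonEvent("4624", "FILE01", "CORP\\srv-carol", "10", "10.20.5.78"),
    LogonEvent("4624", "DC02", "CORP\\da-alice", "3", "10.99.0.15"),
    LogonEvent("4624", "ADFS01", "CORP\\da-dave", "10", "192.168.1.10"),
    LogonEvent("4625", "DC01", "CORP\\da-bob", "10", "10.20.5.77"),
]


def is_paw_source(ip: str) -> bool:
    """True when the address falls inside one of the PAW networks."""
    addr = ip_address(ip)
    return any(addr in net for net in PAW_NETWORKS)


def tier0_sessions(events):
    """Successful remote admin sessions on Tier 0 hosts."""
    return [
        e for e in events
        if e.event_id == "4624"
        and e.target_host in TIER0_HOSTS
        and e.logon_type in REMOTE_LOGON_TYPES
    ]


def tier0_bypass_alerts(events):
    """'Bypass Attempts' KPI: Tier 0 sessions whose source is outside the PAW network."""
    return [e for e in tier0_sessions(events) if not is_paw_source(e.source_ip)]


def paw_adoption_rate(events):
    """'PAW Adoption' KPI: share of admins whose Tier 0 sessions all came from a PAW.

    An admin counts as adopted only if none of their Tier 0 sessions bypassed the PAW.
    Returns 0.0 when no Tier 0 sessions were seen at all.
    """
    per_admin = {}
    for e in tier0_sessions(events):
        per_admin[e.user] = per_admin.get(e.user, True) and is_paw_source(e.source_ip)
    if not per_admin:
        return 0.0
    return sum(per_admin.values()) / len(per_admin)


def main():
    for e in tier0_bypass_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e.user} logged on to Tier 0 host {e.target_host} "
              f"from non-PAW address {e.source_ip} (logon type {e.logon_type})")
    print(f"PAW adoption among Tier 0 admins: {paw_adoption_rate(SAMPLE_EVENTS):.0%}")


if __name__ == "__main__":
    main()
```

On the constructed sample this raises two alerts (da-bob and da-dave) and reports one of three Tier 0 admins as fully on a PAW. In a real deployment the same logic would be fed from the domain controllers' security logs or the SIEM, with the PAW network list taken from the asset inventory rather than hard-coded; the per-admin rule deliberately treats a single non-PAW session as a failure, because one bypass is enough to expose the credential.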
