Understanding Privileged Access Workstations (PAWs)

For some of the work I do, there is often a need for a secure workstation that lets me perform administrative tasks only and is resistant to attack. In fact, a workstation protected to this degree would be useful for everyone. The current threat environment for most organizations is rife with sophisticated phishing and other internet attacks that create an almost daily risk of compromise for internet-exposed accounts and workstations. This threat environment requires organizations to adopt an “assume breach” security approach when designing protections for assets such as administrative accounts and sensitive business assets. These need to be protected against direct internet threats as well as attacks mounted from other workstations, servers, and devices within the environment.

Why don’t we just use Virtual Machines?
Virtual machines are a sound design, but they are still limited in terms of security and control: nothing is applied to the host operating system, and you are relying on the virtual machine boundary and controls such as the firewall. Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating sensitive tasks and accounts from your daily-use workstations and devices provides very strong protection against phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-the-Ticket. The logical design builds on the protections found in the Windows 10 Credential Guard and Device Guard components and goes beyond the normal protections for sensitive accounts and tasks. You would use this methodology for accounts with access to high-value assets: accounts that hold administrative privileges for high-impact IT administrative roles and tasks. Such systems include Active Directory domains and forests, Microsoft Azure Active Directory tenants, Office 365 tenants, Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) systems, Automated Teller Machines (ATMs), and Point of Sale (PoS) devices. You could also consider PAWs for accounts that require access to highly sensitive information.

What is a Privileged Access Workstation (PAW)?
In simplest terms, a PAW is a hardened and locked-down workstation designed to provide high security protections for sensitive accounts and tasks. To use PAWs, the following steps need to be completed:

Deployment for Active Directory Administrators
During this step, you will create the secure administrative Active Directory organizational unit (OU) structure to host your privileged access workstation (PAW), as well as deploy the PAWs themselves. This structure also includes the group policies and groups required to support the PAW. You will create most of the structure using PowerShell scripts which are available on TechNet – https://gallery.technet.microsoft.com/Privileged-Access-3d072563.
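The OU, group and GPO skeleton this step describes, as an added example that is not part of the original post or of the TechNet scripts it links to; the OU, group and GPO names are assumptions, and the ActiveDirectory and GroupPolicy modules are assumed to be installed on a domain-joined admin host:

```powershell
# Added example: builds a minimal PAW OU structure, the security groups the
# PAW GPOs reference, and GPO links. Names are assumptions for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$adminOU  = "OU=Admin,$domainDN"

# Top-level Admin OU, kept separate from the OUs holding everyday users and devices
New-ADOrganizationalUnit -Name "Admin" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Per-tier OUs: accounts, devices (the PAWs) and groups are kept apart so that
# different GPOs and delegation can apply to each
foreach ($tier in "Tier 0", "Tier 1") {
    $tierOU = "OU=$tier,$adminOU"
    New-ADOrganizationalUnit -Name $tier -Path $adminOU -ProtectedFromAccidentalDeletion $true
    foreach ($sub in "Accounts", "Devices", "Groups") {
        New-ADOrganizationalUnit -Name $sub -Path $tierOU -ProtectedFromAccidentalDeletion $true
    }
}

# Groups the PAW GPOs reference: who may log on to a PAW and who maintains it
$groupOU = "OU=Groups,OU=Tier 0,$adminOU"
New-ADGroup -Name "PAW Users" -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description "Accounts permitted to log on to Tier 0 PAWs"
New-ADGroup -Name "PAW Maintenance" -GroupScope Global -GroupCategory Security -Path $groupOU `
    -Description "Accounts permitted to administer Tier 0 PAWs"

# Empty GPOs linked to the PAW device and account OUs; the settings (firewall,
# Credential Guard, logon restrictions) are populated afterwards
$deviceOU = "OU=Devices,OU=Tier 0,$adminOU"
New-GPO -Name "PAW Configuration - Computer" -Comment "Hardening applied to PAW devices" | Out-Null
New-GPLink -Name "PAW Configuration - Computer" -Target $deviceOU -LinkEnabled Yes -Enforced Yes | Out-Null

$accountOU = "OU=Accounts,OU=Tier 0,$adminOU"
New-GPO -Name "PAW Configuration - User" -Comment "User settings for PAW administrators" | Out-Null
New-GPLink -Name "PAW Configuration - User" -Target $accountOU -LinkEnabled Yes | Out-Null

# Verify: list the OU tree and the GPO links on the device OU
Get-ADOrganizationalUnit -SearchBase $adminOU -Filter * | Select-Object DistinguishedName
Get-GPInheritance -Target $deviceOU | Select-Object -ExpandProperty GpoLinks
```

The computer GPO link is enforced so that a lower-level OU cannot block the PAW hardening through inheritance.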

Extend PAW to all administrators
This step is about ensuring that every user with administrative rights over mission-critical applications and their dependencies has the PAW changes applied. This should include administrators of application servers, operational health and security monitoring solutions, virtualization solutions, storage systems, and network devices.

Advanced PAW security
Once the core protections are in place for PAW, you can enhance these systems, bolstering the basic protection with advanced features such as multi-factor authentication and network access rules. Options include:

Enable multi-factor authentication for privileged accounts
Whitelist trusted applications using Device Guard and/or AppLocker
Use Protected Users, Authentication Policies, and Authentication Silos to further protect privileged accounts
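The last option above (Protected Users plus an authentication policy and silo that bind a Tier 0 account to its PAW), as an added example that is not part of the original post; the account name t0-admin, the computer PAW01, and the policy and silo names are assumptions, and the domain is assumed to run at the Windows Server 2012 R2 functional level with KDC claims and armoring support enabled on the domain controllers:

```powershell
# Added example: restricts where a Tier 0 admin account can authenticate from.
# Names (t0-admin, PAW01, policy and silo) are assumptions; the user and the
# computer account must already exist in the domain.
Import-Module ActiveDirectory

$adminUser = "t0-admin"
$pawHost   = "PAW01$"          # computer account (SAM name ends in $)
$policy    = "PAW-Tier0-Policy"
$silo      = "PAW-Tier0-Silo"

# 1. Protected Users: no NTLM, no DES/RC4 Kerberos, no delegation, 4-hour TGT
Add-ADGroupMember -Identity "Protected Users" -Members $adminUser

# 2. Authentication policy: the user may only obtain a TGT from a device that is
#    itself a member of the same silo; TGT lifetime is capped at 4 hours.
#    Omit -Enforce to start in audit mode and review KDC events first.
$fromSilo = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $silo + '"))'
New-ADAuthenticationPolicy -Name $policy -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSilo

# 3. Silo: ties the policy to the accounts and devices it governs
New-ADAuthenticationPolicySilo -Name $silo -Enforce `
    -UserAuthenticationPolicy $policy `
    -ComputerAuthenticationPolicy $policy `
    -ServiceAuthenticationPolicy $policy

# 4. Permit the admin account and the PAW computer account to join the silo,
#    then assign each of them to it
Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $adminUser
Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $pawHost
Set-ADAccountAuthenticationPolicySilo -Identity $adminUser -AuthenticationPolicySilo $silo
Set-ADAccountAuthenticationPolicySilo -Identity $pawHost -AuthenticationPolicySilo $silo

# Verify: the silo should list both members and the policy should show Enforce = True
Get-ADAuthenticationPolicySilo -Identity $silo -Properties Members |
    Select-Object Name, Enforce, Members
Get-ADAuthenticationPolicy -Identity $policy | Select-Object Name, Enforce, UserTGTLifetimeMins
```

With the policy enforced, a logon for t0-admin from any workstation outside the silo fails at the KDC, which is the control that makes credential theft from a non-PAW device far less useful.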

Running a workstation this way also allows a regular operating system to be set up within a virtual machine on it. This takes advantage of the PAW protections on the host operating system while allowing more flexibility within the virtual machine.

More to come in future posts 🙂

To learn more about PAW you can use the following links:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
https://blogs.technet.microsoft.com/windowsserver/2016/05/26/securing-privileged-access-preventing-and-detecting-attacks/
https://gallery.technet.microsoft.com/Privileged-Access-3d072563
https://channel9.msdn.com/Blogs/Taste-of-Premier/PAWs
https://opbuildstorageprod.blob.core.windows.net/output-pdf-files/en-us/WS.WindowsServerDocs/live/identity.pdf


Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
