Microsoft Privileged Access Workstation ‘PAW’ Security Model

Before we look at the PAW security model, let's first understand what a PAW is.

PAW (Privileged Access Workstation) is a mechanism that helps administrators and IT security officers keep privileged credentials from being exposed to attackers or criminals operating inside your network.

For example, if an administrator uses the same computer both to manage Active Directory and to browse the web for other work, he/she is putting the company at risk.

If that user accidentally visits a malicious website or opens a document attached to a malicious email, and later uses the same machine with a privileged account to administer Active Directory, he/she is unknowingly helping the attacker gain control of Active Directory resources.

Privileged Access Workstations (PAWs) provide a dedicated environment for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks.

PAW FAQs:

Who is required to use a Privileged Access Workstation (PAW)?

A Privileged Access Workstation (PAW) must be used by any staff managing or administering high-risk servers and applications.

How does using a Privileged Access Workstation (PAW) make me more secure?

Using a Privileged Access Workstation (PAW) to access servers and applications reduces the attack surface of your servers and applications by limiting which systems can communicate with them. A PAW is a heavily fortified and instrumented system only allowed to perform privileged administrative tasks on server systems. The privileged activities are easily categorized, which makes potentially malicious activities easier to spot. This is enhanced by sending logs to a central logging facility and alerting on events.

How is a Privileged Access Workstation (PAW) more secure than a shared bastion server?

A shared bastion server is a system that allows multiple IT staff to manage systems simultaneously. This exposes the shared bastion server to a large attack surface, including IT staff coming in from untrusted systems. If a shared bastion server is infiltrated, an attacker could exploit the system, steal the credentials of any administrator who is currently logged in, and use the server to enter the network and access other privileged systems. A PAW mitigates this risk by eliminating the concentration of multiple administrator credentials on a single host and by providing hardening measures such as preventing external remote connections, preventing email and web browsing, and application whitelisting.

How do I manage multiple environments simultaneously, or use both a Windows and a Linux environment on my Privileged Access Workstation (PAW)?

Provision the physical PAW as a virtual machine host running multiple PAW virtual machines, one per environment, so that all of them stay within the same physical PAW; do not place them in a virtual desktop infrastructure (VDI).

Can I run a regular untrusted computing environment in a virtual machine on the Privileged Access Workstation (PAW)?

This is not a supported configuration.

Do I have to carry multiple computers if I use a Privileged Access Workstation (PAW)?

In most cases, you will need at least two computers (a workstation and a PAW) to get your work done. Because of this concern, we specify ultra-portable laptops as PAWs. If you use a virtual desktop infrastructure (VDI) environment for your untrusted system, you must use a dedicated physical PAW computer.

Should I ask for a Windows or Mac Privileged Access Workstation (PAW)?

This depends on your needs and what environment you prefer. Some Unix administrators like to have remote and wallet natively on the Mac.

How Do I Configure Firewalls for a Privileged Access Workstation (PAW)?

The Privileged Access Workstation (PAW) service relies on proper configuration of the firewalls protecting your servers and applications. To be protected by a PAW, configure your firewalls to allow management access to systems only from your group's assigned range of PAW IP addresses. By restricting the permitted source addresses to the PAW VPN range, you know that only PAWs are reaching the servers' management interfaces.
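As an added example (not from the original page or the Stanford PAW service), the following PowerShell applies that source restriction on a Windows server's host firewall; the PAW range 10.10.50.0/24, the choice of RDP and WinRM as the management ports, and the English-locale rule group names are assumptions.

```powershell
# Added example: limit inbound management access on a Windows server to the
# PAW address range. 10.10.50.0/24 is a placeholder for your group's assigned
# PAW (or PAW VPN) range; adjust the port list to your management protocols.
$PawRange  = '10.10.50.0/24'
$MgmtPorts = @('3389', '5985', '5986')   # RDP, WinRM HTTP, WinRM HTTPS

# 1. Deny inbound traffic on every profile unless an Allow rule matches.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. The built-in rule groups allow RDP/WinRM from any source address; disable
#    them so the only path in is the PAW-scoped rule below. (Group names are
#    locale dependent; these are the English ones.)
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue

# 3. Allow the management ports only when the remote address is in the PAW range.
#    No explicit Block rule is added: in Windows Firewall, Block rules override
#    Allow rules, so a broad Block on these ports would cut off the PAWs as well.
New-NetFirewallRule -DisplayName 'PAW-Only Management Access' `
    -Direction Inbound -Protocol TCP -LocalPort $MgmtPorts `
    -RemoteAddress $PawRange -Action Allow -Profile Domain,Private -Enabled True

# 4. Verify: any enabled inbound Allow rule that opens a management port to
#    'Any' remote address defeats the restriction. This should return nothing.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports | Where-Object { $MgmtPorts -contains $_ }) -and ($addrs -contains 'Any')
    } |
    Select-Object DisplayName, DisplayGroup
```

Deploy the same rules through Group Policy rather than per host so that a newly built server cannot come up with the default wide-open management rules, and remember that the restriction is only as strong as your control over who can obtain an address in the PAW range.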

Reference: https://uit.stanford.edu/service/paw/faq/