A privileged access workstation (PAW) is a computer that is only used to perform administrative tasks. This computer has a locked-down configuration compared to computers used for day-to-day activities on the network. PAWs have the following characteristics:

• Access is limited to staff that performs administrative tasks. PAWS are especially locked-down computers that should only be used for administrative tasks. PAWs should be able to connect to sensitive servers on your organization’s network but should be unable to browse the internet or perform non-administrative tasks, such as responding to emails. Administrative accounts used to manage sensitive servers should be configured so that they can only be used on PAWs and not on typical end-user computers used for day-to-day organizational tasks.
• Restrictions on software that can run on the PAW. The software configuration of the PAW is hardened so that only specifically authorized software can run on the PAW. This means that malware that might be deployed on the PAW to capture the credentials of an administrator or to elevate privileges will be unable to run because it will not be on the list of applications of scripts that are specifically authorized for the PAW. Windows Defender Device Guard and Windows Defender Application Control are technologies that you should deploy on PAWs to control code that can be executed on the computer.
• Protected by secure technologies. PAWs are configured with secure boot, BitLocker, and technologies including Credential Guard. This reduces the chance that malware can take control of the computer during the boot process. Credential Guard is a technology that protects credentials stored on the computer by storing them in a special virtualized container that is only accessible to authorized processes within the operating system. Credential Guard minimizes the chance of successful pass-the-hash or pass-the-ticket attacks.

Join the discussion

What other methods can you think of to restrict privilege escalation? Use the discussion section below and let us know your thoughts. Once you’re happy with your contribution, click the Mark as complete button to check the step off, then you can move to the next step.