Skip main navigation

£199.99 £139.99 for one year of Unlimited learning. Offer ends on 28 February 2023 at 23:59 (UTC). T&Cs apply

Find out more

Privileged access workstations


A privileged access workstation (PAW) is a computer that is only used to perform administrative tasks. This computer has a locked-down configuration compared to computers used for day-to-day activities on the network. PAWs have the following characteristics:

  • Access is limited to staff that performs administrative tasks. PAWS are especially locked-down computers that should only be used for administrative tasks. PAWs should be able to connect to sensitive servers on your organization’s network but should be unable to browse the internet or perform non-administrative tasks, such as responding to emails. Administrative accounts used to manage sensitive servers should be configured so that they can only be used on PAWs and not on typical end-user computers used for day-to-day organizational tasks.
  • Restrictions on software that can run on the PAW. The software configuration of the PAW is hardened so that only specifically authorized software can run on the PAW. This means that malware that might be deployed on the PAW to capture the credentials of an administrator or to elevate privileges will be unable to run because it will not be on the list of applications of scripts that are specifically authorized for the PAW. Windows Defender Device Guard and Windows Defender Application Control are technologies that you should deploy on PAWs to control code that can be executed on the computer.
  • Protected by secure technologies. PAWs are configured with secure boot, BitLocker, and technologies including Credential Guard. This reduces the chance that malware can take control of the computer during the boot process. Credential Guard is a technology that protects credentials stored on the computer by storing them in a special virtualized container that is only accessible to authorized processes within the operating system. Credential Guard minimizes the chance of successful pass-the-hash or pass-the-ticket attacks.

Join the discussion

What other methods can you think of to restrict privilege escalation? Use the discussion section below and let us know your thoughts. Once you’re happy with your contribution, click the Mark as complete button to check the step off, then you can move to the next step.
This article is from the free online

Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education