Revision as of 20:44, 11 October 2016

Privileged Access Workstations

Overview

Privileged Access Workstations (PAW) is a security model developed by Microsoft that helps protect workstations against Pass-the-Hash and other attacks.


Tiers

Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is a violation of the PAW model. Interactive Logons are only permitted within the same tier; Network Logons are permitted across all tiers as necessary (Least Privilege).
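The tier rule above can be turned into a detection check. The following PowerShell is an added example, not part of the original wiki page or of Microsoft's guidance; the host names, account names and tier assignments are constructed sample data, and the sample logon events are constructed rather than taken from a real Security log.

```powershell
# Added example: evaluate logon events against the PAW tier policy.
# Tier assignments are constructed sample data (assumption), not from the page.
$HostTier = @{
    'DC01'   = 0   # Domain Controller
    'CA01'   = 0   # Certificate Authority
    'SQL01'  = 1   # Database server without highly sensitive data
    'DNS01'  = 1   # DNS server
    'WS-042' = 2   # End-user laptop
}
$AccountTier = @{
    'CORP\adm-t0-alice' = 0   # Tier 0 administrator
    'CORP\adm-t1-bob'   = 1   # Tier 1 administrator
    'CORP\carol'        = 2   # End user
}
# Windows event 4624 logon types: 2 = Interactive, 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive; 3 = Network (SMB, WinRM, etc.) is allowed across tiers.
$InteractiveTypes = @(2, 10, 11)

function Test-PawLogon {
    param([string]$Account, [string]$ComputerName, [int]$LogonType)
    $a = $AccountTier[$Account]
    $h = $HostTier[$ComputerName]
    if ($null -eq $a -or $null -eq $h) { return 'UNKNOWN (host or account not classified)' }
    # Interactive logon outside the account's own tier exposes its credentials
    # on a host of a different tier, which the PAW model forbids in either direction.
    if ($InteractiveTypes -contains $LogonType -and $a -ne $h) {
        return "VIOLATION: tier $a account interactive logon to tier $h host"
    }
    return 'OK'
}

# Constructed sample events (not real log data)
$events = @(
    @{ Account = 'CORP\adm-t0-alice'; Computer = 'DC01';   LogonType = 10 },  # T0 admin RDP to DC: OK
    @{ Account = 'CORP\adm-t0-alice'; Computer = 'WS-042'; LogonType = 2  },  # T0 creds on T2 laptop: violation
    @{ Account = 'CORP\adm-t1-bob';   Computer = 'DC01';   LogonType = 2  },  # T1 admin managing T0: violation
    @{ Account = 'CORP\carol';        Computer = 'SQL01';  LogonType = 3  }   # network logon across tiers: OK
)
foreach ($e in $events) {
    $r = Test-PawLogon -Account $e.Account -ComputerName $e.Computer -LogonType $e.LogonType
    '{0,-20} -> {1,-7} type {2,2}: {3}' -f $e.Account, $e.Computer, $e.LogonType, $r
}
```

To run this over real data, collect event ID 4624 with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` and map the event's TargetDomainName\TargetUserName, the collecting host, and LogonType into the same three parameters.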


Reference

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM