From LedHed's Wiki
Latest revision as of 21:44, 11 October 2016

Privileged Access Workstations

Overview

A Privileged Access Workstation (PAW) is a security model developed by Microsoft that protects administrative workstations, and the privileged credentials used on them, against Pass-the-Hash and other credential-theft attacks.


Tiers

Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is a violation of the PAW model, because a compromise of the lower-tier device would hand the attacker control of the higher tier. Interactive logons (console, RDP and any other logon type that leaves a full session or reusable credentials on the target) are only permitted within the same tier: a Tier 0 account that logs on interactively to a Tier 1 or Tier 2 machine leaves Tier 0 credential material in that machine's LSASS, which is exactly what Pass-the-Hash needs. Network logons (SMB, WMI, WinRM with Kerberos/NTLM and no credential delegation) do not leave credentials on the target and are permitted across tiers as necessary, subject to least privilege.
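The logon-type rule above can be checked against Security log data. The following PowerShell is an added example, not from the wiki or from Microsoft's PAW guidance: the host-to-tier and account-to-tier maps and the sample 4624 records are constructed for illustration, and in a real deployment the events would come from Get-WinEvent against each server's Security log (the ConvertFrom-LogonEvent helper shows the conversion).

```powershell
# Added example: flag interactive logons that cross a tier boundary.
# The tier maps and the sample events below are constructed (hypothetical) data.

$HostTier    = @{ 'DC01' = 0; 'CA01' = 0; 'SQL01' = 1; 'SP01' = 1; 'WS-JDOE' = 2 }
$AccountTier = @{ 'da-jdoe' = 0; 'srv-jdoe' = 1; 'jdoe' = 2 }

# 4624 LogonType values that leave a full session or reusable credentials on the target:
#   2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (Network) is deliberately absent: the model allows it across tiers.
$InteractiveTypes = 2, 10, 11

# Convert a real Security log record, e.g. from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# into the flat shape used below. Field names match the EventData of event 4624.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $xml  = [xml] $Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            EventId        = $Record.Id
            Computer       = $xml.Event.System.Computer
            TargetUserName = $data['TargetUserName']
            LogonType      = [int] $data['LogonType']
        }
    }
}

function Get-TierViolation {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        if ($e.EventId -ne 4624 -or $InteractiveTypes -notcontains $e.LogonType) { continue }

        $account  = $e.TargetUserName.ToLower()
        $computer = $e.Computer.Split('.')[0].ToUpper()     # strip the DNS suffix
        if (-not $AccountTier.ContainsKey($account) -or -not $HostTier.ContainsKey($computer)) { continue }

        $accountTier = $AccountTier[$account]
        $hostTier    = $HostTier[$computer]
        if ($accountTier -eq $hostTier) { continue }          # same tier: permitted

        if ($accountTier -lt $hostTier) {
            # The dangerous direction: a more privileged credential now sits in LSASS of a less trusted box.
            $reason = "Tier $accountTier credential exposed on Tier $hostTier host (Pass-the-Hash risk)"
        } else {
            $reason = "Tier $accountTier account administering a Tier $hostTier host"
        }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            Computer  = $computer
            LogonType = $e.LogonType
            Reason    = $reason
        }
    }
}

# Constructed sample events (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2016-10-11T20:01:00'; EventId = 4624; Computer = 'DC01.corp.example';    TargetUserName = 'da-jdoe';  LogonType = 10 }  # ok: Tier 0 -> Tier 0
    [pscustomobject]@{ TimeCreated = '2016-10-11T20:05:00'; EventId = 4624; Computer = 'SQL01.corp.example';   TargetUserName = 'da-jdoe';  LogonType = 10 }  # violation: DA via RDP to Tier 1
    [pscustomobject]@{ TimeCreated = '2016-10-11T20:07:00'; EventId = 4624; Computer = 'SQL01.corp.example';   TargetUserName = 'da-jdoe';  LogonType = 3  }  # ok: network logon
    [pscustomobject]@{ TimeCreated = '2016-10-11T20:09:00'; EventId = 4624; Computer = 'DC01.corp.example';    TargetUserName = 'srv-jdoe'; LogonType = 2  }  # violation: Tier 1 account on a DC
    [pscustomobject]@{ TimeCreated = '2016-10-11T20:12:00'; EventId = 4624; Computer = 'WS-JDOE.corp.example'; TargetUserName = 'jdoe';     LogonType = 2  }  # ok: Tier 2 -> Tier 2
)

Get-TierViolation -Events $SampleEvents | Format-Table -AutoSize
```

Run against the sample data this reports two rows: the Domain Admin's RDP session to SQL01 (the credential-exposure direction) and the Tier 1 service account logging on to DC01. The network logon to SQL01 by the same DA account is not reported, which is the distinction the note above draws between interactive and network logons.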


Examples

Tier 0

Roles and Services:

  • Domain Controllers
  • Certificate Authorities
  • RADIUS Servers
  • Password Vaults (e.g. KeePass)
  • 2 Factor Authentication
  • System Center
  • Hardened Management Workstations

Restrictions:

  • Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO enforced through the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights)
  • Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
  • Firewall: On, Least Privilege (default inbound Block), manageable only from Tier 0 PAWs. (GPO enforced for common rules)
  • AppLocker: Only Microsoft-signed roles and features, or those validated and approved by the CAB, in enforce mode rather than audit-only.
  • Hardening: NTLMv2 only ("Network security: LAN Manager authentication level" = Send NTLMv2 response only, refuse LM & NTLM), Interactive Logons = 0 ("Interactive logon: Number of previous logons to cache" = 0, so no domain credentials are cached locally), Server 2016 only (if at all possible)
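The firewall, AppLocker and hardening items above can be audited locally. This PowerShell is an added example, not from the wiki or from Microsoft: the expected values are taken from the restrictions list, the CAB-approval and group-membership items are process controls with no registry equivalent and are not checked, and Get-NetFirewallProfile / Get-AppLockerPolicy assume Windows Server 2012 / Windows 8 or later.

```powershell
# Added example: audit a Tier 0 host against the restrictions listed above.
# Expected values mirror the wiki's list; the firewall and AppLocker checks report
# effective state only, they cannot tell whether a rule was CAB-approved.

function Test-PawHardening {
    $results = @()

    # "NTLMv2 only": LmCompatibilityLevel 5 = Send NTLMv2 response only, refuse LM & NTLM.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Setting   = 'LmCompatibilityLevel'
        Expected  = 5
        Actual    = $lsa.LmCompatibilityLevel          # $null when the value is absent (OS default applies)
        Compliant = ($lsa.LmCompatibilityLevel -eq 5)
    }

    # "Interactive Logons = 0": no cached domain logons, so an offline disk or registry dump
    # yields no cached credential verifiers. The value is REG_SZ, hence the string comparison.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Setting   = 'CachedLogonsCount'
        Expected  = '0'
        Actual    = $winlogon.CachedLogonsCount
        Compliant = ([string] $winlogon.CachedLogonsCount -eq '0')
    }

    # "Firewall: On, Least Privilege": every profile enabled and blocking inbound by default.
    foreach ($p in Get-NetFirewallProfile) {
        $results += [pscustomobject]@{
            Setting   = "Firewall/$($p.Name)"
            Expected  = 'True, inbound Block'
            Actual    = "$($p.Enabled), inbound $($p.DefaultInboundAction)"
            Compliant = ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block')
        }
    }

    # "AppLocker": each rule collection in the effective policy must be enforcing (Enabled),
    # not AuditOnly and not missing altogether.
    $policy = [xml] (Get-AppLockerPolicy -Effective -Xml)
    foreach ($type in 'Exe', 'Msi', 'Script', 'Dll') {
        $rc   = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }
        $mode = if ($rc) { $rc.EnforcementMode } else { 'NotConfigured' }
        $results += [pscustomobject]@{
            Setting   = "AppLocker/$type"
            Expected  = 'Enabled'
            Actual    = $mode
            Compliant = ($mode -eq 'Enabled')
        }
    }

    $results
}

# Remediation for the two registry-backed settings. In production both come from the Tier 0 GPO
# (Security Options "Network security: LAN Manager authentication level" and
# "Interactive logon: Number of previous logons to cache"); set them locally only on an unmanaged build.
function Set-PawLocalHardening {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name CachedLogonsCount -Value '0' -Type String
}

Test-PawHardening | Format-Table -AutoSize
```

A non-compliant row for LmCompatibilityLevel with an empty Actual column means the value was never set and the OS default (3, send NTLMv2 but still accept LM and NTLM) is in force; that is the common state on a freshly built server and is what the GPO is there to fix.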

PAW workstations: Admins need to be able to administer the servers within Tier 0, and to do that they need a dedicated device for that tier. According to the PAW model, admins should also have standard, unprivileged accounts for email and internet access, used from another device, and if Tier 0 admins also perform management in Tier 1 they need a dedicated device for that tier as well. The Tier 0 admin therefore ends up needing a lot of devices. Here are some options:

3x SFF PCs + KVM
2x SFF PCs + Thin Client for Tier 2 + KVM

1x Desktop or Laptop running Hyper-V, with 2 VMs installed. The Host OS is Tier 0, Tier 1 is a dedicated VM, and Tier 2 is a dedicated VM. The host is the most trusted component of this design: a compromise of either VM must not be able to reach it, so host/guest conveniences such as shared clipboard, drive redirection and file copy into the host should be disabled.

  • Host OS: Server 2016 or Windows 10
    • Minimum Hardware: CPU: 4 cores w/ Virtualization and SLAT support, 16 GB RAM, TPM 1.2 or 2.0, UEFI firmware with Secure Boot (required for Device Guard and Credential Guard)
    • Security Features: Device Guard, Credential Guard, BitLocker
  • Tier 1 VM
    • Guest OS: Server 2016 or Windows 10
    • Security Features: Device Guard, Credential Guard (inside a Hyper-V guest these require a Generation 2 VM with Secure Boot and a virtual TPM enabled on the host)
  • Tier 2 VM
    • Guest OS: Any supported Operating System (Windows 7 - 10, Linux, Mac) assuming it can be virtualized without violating its EULA.
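The single-device option above, built out in PowerShell as an added example (not from the wiki or from Microsoft's PAW guidance): the host section creates the Tier 1 guest with the virtual hardware that virtualization-based security needs and closes the host/guest convenience channels, the guest section turns on Credential Guard and Device Guard (HVCI) through their registry keys, and the last function verifies after a reboot that they are actually running. The VM name, switch name, disk path and sizes are hypothetical.

```powershell
# Added example: build the Tier 1 guest of the single-device PAW and enable VBS inside it.
# Names, paths and sizes are hypothetical. Run the host section on the Tier 0 Hyper-V host,
# the guest section inside the VM after Windows is installed, and reboot before verifying.

# ---- Host side (Tier 0 PAW running Hyper-V) ----
$VMName = 'PAW-Tier1'

New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath "D:\VMs\$VMName.vhdx" -NewVHDSizeBytes 60GB -SwitchName 'Tier1-Mgmt'
Set-VMProcessor -VMName $VMName -Count 2
Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false   # fixed footprint, no ballooning

# Secure Boot and a vTPM are prerequisites for Credential Guard / Device Guard in the guest
# (the host itself must also expose an IOMMU).
Set-VMFirmware     -VMName $VMName -EnableSecureBoot On
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector      # a key protector must exist before the vTPM can be enabled
Enable-VMTPM       -VMName $VMName

# Keep the tier boundary: no host<->guest clipboard or drive redirection through Enhanced Session,
# and no Guest Service Interface (PowerShell Direct file copy) path into the higher-tier host.
Set-VMHost -EnableEnhancedSessionMode $false
Disable-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'

# ---- Guest side (inside PAW-Tier1, elevated) ----
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord   # 1 = Secure Boot; 3 = Secure Boot + DMA protection

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock (cannot be disabled remotely), 2 = enabled without lock.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord

# Device Guard hypervisor-enforced code integrity (HVCI).
$hvci = Join-Path $dg 'Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name Enabled -Value 1 -Type DWord

# ---- Verification (guest, after reboot) ----
function Test-VbsRunning {
    $state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI. "Configured but not running"
    # usually means Secure Boot or the vTPM is missing on the VM, or the guest is Generation 1.
    [pscustomobject]@{
        VbsRunning      = ($state.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($state.SecurityServicesRunning -contains 1)
        HVCI            = ($state.SecurityServicesRunning -contains 2)
    }
}
Test-VbsRunning
```

Disabling Enhanced Session Mode is a host-wide setting, so it also affects the Tier 2 VM, which is the intent: the only sanctioned way for data to move from a lower-tier VM to the Tier 0 host is none at all.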




Reference

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM