== Overview ==
Privileged Access Workstations (PAW) is a security model developed by Microsoft which helps protect administrative workstations against [[Pass-the-Hash]] and other attacks.

== Tiers ==
Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center) <br>
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint. <br>
Tier 2 = End user devices such as: Desktops/Laptops used by end users. <br>

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is a violation of the PAW model. Interactive logons are only permitted within the same tier; network logons are permitted across tiers as necessary (least privilege).

== Examples ==
=== Tier 0 ===
Roles and Services:
* Domain Controllers
* Certificate Authorities
* RADIUS Servers
* Password Vaults (e.g. KeePass)
* Two-factor authentication
* System Center
* Hardened Management Workstations

Restrictions:
* Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO enforced)
* Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
* Firewall: On, least privilege, manageable only from Tier 0 PAWs. (GPO enforced for common rules)
* AppLocker: Only Microsoft-signed roles and features, or those validated and approved by the CAB.
* Hardening: NTLMv2 only, cached interactive logons = 0, Server 2016 only (if at all possible)

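The tier rules above (interactive logon only within the same tier, NTLMv2 only, Credential Guard, AppLocker) are GPO-enforced, so a host can be audited against them. The script below is an added example, not code from the original page or from Microsoft's PAW guidance; it assumes an elevated session on a domain-joined host, and the Tier 1/Tier 2 admin group names and the tier-to-group mapping are placeholders to adjust for your forest.

```powershell
# Added PAW tier audit (not part of the original page). Run elevated on a
# domain-joined host; group names below are assumptions, adjust for your forest.
param(
    [ValidateSet(0, 1, 2)][int]$HostTier = 1,
    [string]$Domain = $env:USERDOMAIN
)
# Admin groups per tier: Tier 0 uses the built-in EA/DA groups, the Tier 1/2
# groups are hypothetical custom groups.
$TierAdmins = @{
    0 = @("$Domain\Enterprise Admins", "$Domain\Domain Admins")
    1 = @("$Domain\Tier1-ServerAdmins")
    2 = @("$Domain\Tier2-WorkstationAdmins")
}
function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
# Export the effective user-rights assignments (local policy plus GPO).
$cfg = Join-Path $env:TEMP 'paw-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$findings = @()
# Rule 1: interactive logon only within the tier, so every other tier's admin
# groups must be in "Deny log on locally" and "Deny log on through Remote Desktop".
foreach ($t in ($TierAdmins.Keys | Where-Object { $_ -ne $HostTier })) {
    foreach ($g in $TierAdmins[$t]) {
        try { $sid = Get-Sid $g } catch { $findings += "Cannot resolve $g"; continue }
        foreach ($r in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            if ($rights[$r] -notcontains $sid) { $findings += "$g missing from $r on a Tier $HostTier host" }
        }
    }
}
# Rule 2: NTLMv2 only (LmCompatibilityLevel 5 = send NTLMv2, refuse LM and NTLM).
$lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
if ($lm -ne 5) { $findings += "LmCompatibilityLevel is '$lm', expected 5" }
# Rule 3: Credential Guard running (SecurityServicesRunning contains 1).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or $dg.SecurityServicesRunning -notcontains 1) { $findings += 'Credential Guard is not running' }
# Rule 4: an AppLocker policy is in effect on this host.
$al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if (-not $al -or -not $al.RuleCollections) { $findings += 'No effective AppLocker policy' }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Host passes the PAW tier checks' }
```

On a Tier 0 host the same script checks that Tier 1 and Tier 2 admin groups are denied interactive logon; it does not verify that only EA/DA hold "Allow log on locally", which is still a manual GPO review.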
PAW workstations:
Admins need to be able to administer the servers within Tier 0. To do this they need a dedicated device for that tier. According to the PAW model, admins should also have standard accounts for email and internet access (on another device), and if Tier 0 admins are to perform management on Tier 1, they need a dedicated device for that as well. As you can see, the Tier 0 admin is going to need a lot of devices. Here are some options:

* 3x SFF PCs + KVM
* 2x SFF PCs + Thin Client for Tier 2 + KVM
* 1x Desktop or Laptop running Hyper-V, with 2 VMs installed. The host OS is Tier 0, Tier 1 is a dedicated VM, and Tier 2 is a dedicated VM.
** Host OS: Server 2016 or Windows 10
*** Minimum hardware: CPU: 4 cores with virtualization and SLAT support, 16 GB RAM, TPM 1.2 or 2.0
*** Security features: Device Guard, Credential Guard, BitLocker
** Tier 1 VM
*** Guest OS: Server 2016 or Windows 10
*** Security features: Device Guard, Credential Guard
** Tier 2 VM
*** Guest OS: Any supported operating system (Windows 7 - 10, Linux, Mac) assuming it can be virtualized without violating its EULA.

== Reference ==
https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM

[[Category:Security_(Windows)]][[Category:Windows]]
Latest revision as of 21:44, 11 October 2016