From LedHed's Wiki
Jump to: navigation, search
Line 11: Line 11:
  
 
Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).
 
Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).
 +
 +
 +
== Examples ==
 +
=== Tier 0 ===
 +
Roles and Services:
 +
* Domain Controllers
 +
* Certificate Authorities
 +
* RADIUS Servers
 +
* Password Vaults (e.g. KeePass)
 +
* 2 Factor Authentication
 +
* System Center
 +
* Hardened Management Workstations
 +
 +
Restrictions:
 +
* Interactive Logon:  Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced)
 +
* Groups and Members:  Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
 +
* Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules)
 +
* App Locker: Only MS Signed roles and features, or those validated and approved by the CAB.
 +
* Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible)
 +
  
  

Revision as of 21:13, 11 October 2016

Privileged Access Workstations

Overview

Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against Pass-the-Hash and other attacks.


Tiers

Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).


Examples

Tier 0

Roles and Services:

  • Domain Controllers
  • Certificate Authorities
  • RADIUS Servers
  • Password Vaults (e.g. KeePass)
  • 2 Factor Authentication
  • System Center
  • Hardened Management Workstations

Restrictions:

  • Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced)
  • Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
  • Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules)
  • App Locker: Only MS Signed roles and features, or those validated and approved by the CAB.
  • Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible)


Reference

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM