| Line 11: | Line 11: | ||
Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege). | Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege). | ||
| + | |||
| + | |||
| + | == Examples == | ||
| + | === Tier 0 === | ||
| + | Roles and Services: | ||
| + | * Domain Controllers | ||
| + | * Certificate Authorities | ||
| + | * RADIUS Servers | ||
| + | * Password Vaults (e.g. KeePass) | ||
| + | * 2 Factor Authentication | ||
| + | * System Center | ||
| + | * Hardened Management Workstations | ||
| + | |||
| + | Restrictions: | ||
| + | * Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced) | ||
| + | * Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum. | ||
| + | * Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules) | ||
| + | * App Locker: Only MS Signed roles and features, or those validated and approved by the CAB. | ||
| + | * Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible) | ||
| + | |||
Revision as of 21:13, 11 October 2016
Privileged Access Workstations
Contents
Overview
Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against Pass-the-Hash and other attacks.
Tiers
Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.
Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).
Examples
Tier 0
Roles and Services:
- Domain Controllers
- Certificate Authorities
- RADIUS Servers
- Password Vaults (e.g. KeePass)
- 2 Factor Authentication
- System Center
- Hardened Management Workstations
Restrictions:
- Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced)
- Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
- Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules)
- App Locker: Only MS Signed roles and features, or those validated and approved by the CAB.
- Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible)