| Line 3: | Line 3: | ||
== Overview == | == Overview == | ||
Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against [[Pass-the-Hash]] and other attacks. | Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against [[Pass-the-Hash]] and other attacks. | ||
| + | |||
| + | |||
| + | == Tiers == | ||
| + | Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center) | ||
| + | Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint. | ||
| + | Tier 2 = End user devices such as: Desktops/Laptops used by end users. | ||
| + | |||
| + | Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege). | ||
== Reference == | == Reference == | ||
https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations | https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations | ||
| + | |||
| + | https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM | ||
[[Category:Security_(Windows)]][[Category:Windows]] | [[Category:Security_(Windows)]][[Category:Windows]] | ||
Revision as of 20:43, 11 October 2016
Privileged Access Workstations
Overview
Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against Pass-the-Hash and other attacks.
Tiers
Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center) Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint. Tier 2 = End user devices such as: Desktops/Laptops used by end users.
Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).