From LedHed's Wiki
Revision as of 21:13, 11 October 2016 by Ledhed (Talk | contribs)


Privileged Access Workstations

Overview

Privileged Access Workstations (PAW) is a security model developed by Microsoft which helps protect workstations against Pass-the-Hash and other attacks.


Tiers

Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is a violation of the PAW model. Interactive Logons are only permitted within the same tier; Network Logons are permitted across all tiers as necessary (Least Privilege).


Examples

Tier 0

Roles and Services:

  • Domain Controllers
  • Certificate Authorities
  • RADIUS Servers
  • Password Vaults (e.g. KeePass)
  • 2 Factor Authentication
  • System Center
  • Hardened Management Workstations

Restrictions:

  • Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced)
  • Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
  • Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules)
  • AppLocker: Only MS Signed roles and features, or those validated and approved by the CAB.
  • Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible)
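The following PowerShell script is an added example, not part of the original wiki page or of Microsoft's PAW guidance. It audits a Tier 0 server against the Restrictions listed above and against the tier-isolation note (interactive logons only from within the same tier) by reviewing recent Security log events. It assumes it is run in an elevated session on the server being checked, that the ActiveDirectory module is available (it is on Domain Controllers), and that "Interactive Logons = 0" refers to the "Interactive logon: Number of previous logons to cache" setting (the CachedLogonsCount registry value); that mapping is an assumption.

```powershell
# Added example (not from the wiki page): Tier 0 baseline check.
# Assumptions are marked inline. Run elevated on the server under review.
#Requires -RunAsAdministrator

$findings = New-Object System.Collections.Generic.List[string]

# --- Hardening: NTLMv2 only ---
# LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -eq $lsa.LmCompatibilityLevel -or [int]$lsa.LmCompatibilityLevel -lt 5) {
    $findings.Add("LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)'; expected 5 (NTLMv2 only).")
}

# --- Hardening: "Interactive Logons = 0" ---
# Assumption: this is 'Interactive logon: Number of previous logons to cache',
# stored as the REG_SZ value CachedLogonsCount under Winlogon.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ([string]$winlogon.CachedLogonsCount -ne '0') {
    $findings.Add("CachedLogonsCount is '$($winlogon.CachedLogonsCount)'; expected 0.")
}

# --- Firewall: on, with a default inbound block on every profile ---
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings.Add("Firewall profile '$($p.Name)' is disabled.") }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' default inbound action is '$($p.DefaultInboundAction)'; expected Block.")
    }
}

# --- AppLocker: an effective policy with at least one rule collection must exist ---
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($null -eq $policy -or @($policy.RuleCollections).Count -eq 0) {
    $findings.Add('No effective AppLocker policy is applied.')
}

# --- Interactive logon review (tier isolation) ---
# Only EA and DA may log on interactively to Tier 0. Logon types 2 (console),
# 10 (RDP) and 11 (cached credentials) are interactive; type 3 (network) is
# permitted across tiers and is ignored here.
$approved = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    try { (Get-ADGroupMember -Identity $g -Recursive).SamAccountName } catch { }
}
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.LogonType -notin '2', '10', '11') { continue }
    $user = $data.TargetUserName
    # Skip machine accounts and built-in identities; review real user accounts only.
    if ($user -like '*$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }
    if ($approved -and ($user -notin $approved)) {
        $findings.Add("Interactive logon (type $($data.LogonType)) by '$($data.TargetDomainName)\$user' at $($e.TimeCreated) is outside EA/DA.")
    }
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'Tier 0 baseline: no findings.'
} else {
    Write-Output "Tier 0 baseline: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The "manageable only from Tier 0 PAWs" firewall rule is not checked, because it depends on the address range your PAWs use; add a rule comparison against that range once it is known. Each finding maps back to one line of the Restrictions list, so the output can be filed directly against the GPO that is supposed to enforce it.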


References

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM