From LedHed's Wiki
Revision as of 21:44, 11 October 2016 by Ledhed (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Privileged Access Workstations

Overview

Privileged Access Workstations is a security model developed by Microsoft which helps protect a workstations against Pass-the-Hash and other attacks.


Tiers

Tier 0 = Highly sensitive servers such as: Domain Controllers, Certificate Authorities, RADIUS Servers, Management Servers (e.g. System Center)
Tier 1 = Application servers such as: Database Servers (that don't contain highly sensitive information), DNS, DHCP, Skype, SharePoint.
Tier 2 = End user devices such as: Desktops/Laptops used by end users.

Note: Administration tasks for each tier should be isolated to that tier. Managing any server from a lower tier is violation of the PAW model. Interactive Logons are only permitted within the same tier, Network Logons are permitted across all tiers as necessary (Least Privilege).


Examples

Tier 0

Roles and Services:

  • Domain Controllers
  • Certificate Authorities
  • RADIUS Servers
  • Password Vaults (e.g. KeePass)
  • 2 Factor Authentication
  • System Center
  • Hardened Management Workstations

Restrictions:

  • Interactive Logon: Enterprise Admins (EA) and Domain Admins (DA) ONLY! (GPO Enforced)
  • Groups and Members: Members of the EA and DA groups are approved and reviewed regularly by the Change Advisory Board (CAB). Membership should be kept to a minimum.
  • Firewall: On, Least Privilege, Manageable only from Tier 0 PAWs. (GPO Enforced for common rules)
  • App Locker: Only MS Signed roles and features, or those validated and approved by the CAB.
  • Hardening: NTLMv2 only, Interactive Logons = 0, Server 2016 only (if at all possible)

PAW workstations: Admins need to be able to administer the servers within Tier 0. To do this they need a dedicated device for that tier. According to the PAW model, Admins should also have standard accounts for email and internet access (another device), and if Tier 0 admins are to perform management on Tier 1, they need a dedicated device for that as well. As you can see the Tier 0 admin is going to need a lot of devices. Here are some options:

3x SFF PC's + KVM 2x SFF PC's + Thin Client for Tier 2 + KVM

1x Desktop or Laptop running Hyper-V, with 2 VM's installed. The Host OS is Tier 0, Tier 1 is a dedicated VM, and Tier 2 is a dedicated VM.

  • Host OS: Server 2016 or Windows 10
    • Minimum Hardware: CPU: 4 cores w/ Virtualization and SLAT support, 16 GB RAM, TPM 1.2 or 2.0
    • Security Features: Device Guard, Credential Guard, BitLocker
  • Tier 1 VM
    • Host OS: Server 2016 or Windows 10
    • Security Features: Device Guard, Credential Guard
  • Tier 2 VM
    • Host OS: Any supported Operating System (Windows 7 - 10, Linux, Mac) assuming it can be virtualized without violating its EULA.




Reference

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

https://technet.microsoft.com/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM