Privileged Access Management Glossary

Privileged Access Workstation (PAW) - Secure Admin Workstation

A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for administrative tasks—no email, no web browsing, no Office applications. The PAW concept follows Microsoft’s Tiered Administration Model: Tier 0 (Domain Controller), Tier 1 (Server), Tier 2 (Workstations). Technical details: separate VLAN, dedicated AD tier, Credential Guard, AppLocker whitelist, USB lock, dedicated VPN. Prevents the theft of admin credentials via phishing or malware on regular work computers.

Privileged Access Workstations (PAWs) are dedicated, hardened computers designed for administrative tasks. The core principle: Admin credentials must never be used on a regular work computer that also handles email and web browsing.

The Problem with Regular Admin Computers

Why a regular admin computer is dangerous:

Typical attack path without a PAW:
  1. Domain admin uses a regular laptop for email and administrative tasks
  2. Phishing email → Malware → Keylogger
  3. Admin logs into the domain controller: Credentials stolen!
  4. Attacker has domain admin rights

  → This attack is TRIVIAL and happens every day!

Microsoft study:
  → 90% of all APT compromises start with stolen admin credentials
  → Source: Microsoft Detection and Response Team (DART)

With PAW:
  1. Domain admin uses PAW exclusively for admin tasks
  2. PAW: no email, no browser, no Office, no USB
  3. Phishing email: doesn’t even reach the PAW (different machine!)
  4. Even if the normal workstation is compromised: admin credentials aren’t stored there!

Microsoft Tier Model and Clean Source Principle

Tiered Administration Model:

Tier 0: Domain/Enterprise Admin Level
  Systems: Domain Controller, AD Admin Tools, PKI, ADFS
  PAW:     Physical dedicated computer
  Admin Accounts: Used only on Tier 0
  Communication: Only to other Tier 0 systems

  ↕ (No direct connection!)

Tier 1: Server Admin Level
  Systems: Application servers, DB servers, file servers
  PAW:     Physical or VM (strictly isolated)
  Admin accounts: Used only on Tier 1
  Must not: Administer Tier 0 systems

Tier 2: Workstation/User Admin Level
  Systems: Workstations, laptops, printers
  Admin: standard IT help desk tasks
  Admin accounts: Tier 2 only

Clean Source Principle:
  → Admin workstation must ALWAYS be more trustworthy than the target!
  → Domain controller (highest privileges) → requires the cleanest workstation
  → Workstation (lowest privileges) → standard admin laptop OK

Tier violations (common mistakes):
  × Domain admin logs in on a standard PC
  × Tier-0 account is used for file server admin
  × Tier-1 admin has RDP access to the DC
  → ALL tier violations = potential golden ticket preparation!
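One way to catch the first two violations above from the domain controller's own logs, as an added example that is not part of the original text: Kerberos TGT requests (event 4768) record the client address, so a Tier-0 account requesting a ticket from outside the PAW VLAN (10.0.100.0/24 from the text) is a tier violation. Assumptions: Tier 0 is taken to be the recursive membership of "Domain Admins", and the script runs on a DC with the ActiveDirectory module.

```powershell
# Added example (not from the original text). Kerberos only: NTLM logons
# show up as 4776 on the DC and would need a second query.
$PawPrefix = '10.0.100.'   # PAW VLAN 10.0.100.0/24 from the text
# Assumption: Tier-0 accounts = recursive members of Domain Admins.
$Tier0 = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
         Select-Object -ExpandProperty SamAccountName

function Get-TierViolation {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields by name from the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # IpAddress is IPv4-mapped IPv6 ("::ffff:10.0.100.5"); strip the prefix.
        $ip   = ($d['IpAddress'] -replace '^::ffff:', '')
        $user = $d['TargetUserName']
        # Computer accounts end in '$' and are never in $Tier0, so they drop out here.
        if (($Tier0 -contains $user) -and -not $ip.StartsWith($PawPrefix)) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Account  = $user
                SourceIp = $ip
                Status   = $d['Status']   # 0x0 = TGT was issued
            }
        }
    }
}

Get-TierViolation | Sort-Object Time | Format-Table -AutoSize
```

Every row is an admin credential that was typed on a machine outside the PAW VLAN; feed the same filter to the SIEM rather than running it ad hoc.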

PAW Technical Implementation

PAW Hardware and Software Configuration:

Hardware (Minimum):
  → Dedicated laptop/desktop (no shared device!)
  → TPM 2.0 (for BitLocker + Credential Guard)
  → Secure Boot enabled
  → RAM: 16 GB (for VM-based PAW)
  → Disk: NVMe SSD, BitLocker encrypted

Network Configuration:
  → Dedicated VLAN: "PAW-VLAN" (e.g., 10.0.100.0/24)
  → Firewall Rules:
    PAW → DC (443, 3389, LDAP): allowed
    PAW → Admin server (3389, WinRM): allowed
    PAW → Internet: BLOCKED!
    PAW → Normal office network: BLOCKED!
  → DNS: Dedicated DNS server (no split DNS with the normal network!)
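The same rule set applied on the PAW's own host firewall, as an added example (not from the original text) so the VLAN firewall is not the only enforcement point. It goes slightly beyond the text's "443, 3389, LDAP" list: a domain-joined PAW also needs DNS, Kerberos, SMB and RPC to its DCs or logon and Group Policy fail. DC addresses, the admin-server subnet and the office subnet are placeholders.

```powershell
# Added example (not from the original text). Run elevated on the PAW.
$DomainControllers = @('10.0.0.10', '10.0.0.11')   # placeholder
$AdminServers      = '10.0.50.0/24'                # placeholder
$OfficeNetwork     = '10.0.20.0/24'                # placeholder

# 1. Default-deny in both directions. Windows Firewall allows outbound traffic
#    by default, which would let malware on the PAW reach the Internet.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. PAW -> DC. Besides 443/3389/LDAP(S), a domain member needs DNS (53),
#    Kerberos (88), RPC endpoint mapper (135) plus the dynamic range, SMB (445)
#    for SYSVOL/GPO, and the global catalog (3268/3269).
$dcTcp = 53, 88, 135, 389, 443, 445, 636, 3268, 3269, 3389, '49152-65535'
New-NetFirewallRule -DisplayName 'PAW -> DC (TCP)' -Group 'PAW' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort $dcTcp -RemoteAddress $DomainControllers
New-NetFirewallRule -DisplayName 'PAW -> DC (UDP)' -Group 'PAW' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53, 88, 123, 389 -RemoteAddress $DomainControllers

# 3. PAW -> admin servers: RDP and WinRM (5985 HTTP, 5986 HTTPS) only.
New-NetFirewallRule -DisplayName 'PAW -> Admin servers' -Group 'PAW' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 3389, 5985, 5986 -RemoteAddress $AdminServers

# 4. Internet and the office network already fall under the default block.
#    An explicit block rule is still useful: it is logged under its own name
#    and survives someone flipping the default action back to Allow.
#    Block rules override allow rules, so it must never overlap the DC list.
New-NetFirewallRule -DisplayName 'PAW block office network' -Group 'PAW' `
    -Direction Outbound -Action Block -RemoteAddress $OfficeNetwork

# 5. Review the result; blocked connections are written to pfirewall.log.
Get-NetFirewallRule -Group 'PAW' | Format-Table DisplayName, Direction, Action -AutoSize
```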

Dedicated AD Tier:
  # Separate OU for PAW computers:
  OU=PAWDevices,OU=Tier0,DC=corp,DC=local
  OU=PAWUsers,OU=Tier0,DC=corp,DC=local

  # PAW-specific GPO:
  → AppLocker: only explicitly allowed apps (whitelist!)
  → No Internet browsing: IE/Edge/Chrome blocked via AppLocker
  → USB ports disabled (except for admin tools): Device installation via GPO
  → Windows Defender Credential Guard: ENABLED
  → Windows Defender Device Guard (WDAC): ENABLED
  → Audit: all logins and admin actions

Enable Credential Guard:
  # GPO: Computer Configuration → Administrative Templates →
  #       System → Device Guard:
  "Turn on Virtualization Based Security": Enabled
    Platform Security Level: Secure Boot and DMA Protection
    Credential Guard Configuration: Enabled with UEFI lock

  # Verify:
  msinfo32 → "Virtualization-based security Services Running"
  # Should contain: "Credential Guard"
  # With Credential Guard: Mimikatz can NO LONGER extract credentials from LSASS!
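The registry values behind the three GPO settings above, followed by a check that reads the same data msinfo32 displays, as an added example that is not part of the original text. Run it elevated; the status only changes after a reboot, and a GPO that sets the same values takes precedence over the local ones.

```powershell
# Added example (not from the original text).
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Turn on Virtualization Based Security": Enabled
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# Platform Security Level: 1 = Secure Boot only, 3 = Secure Boot and DMA Protection
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord
# Credential Guard: 1 = enabled with UEFI lock, 2 = enabled without lock.
# With the UEFI lock the setting is persisted in firmware variables, so an
# admin-level process cannot simply switch it off again; clearing it needs
# someone physically present at the device during boot.
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord

function Test-CredentialGuard {
    # Win32_DeviceGuard is the source of the msinfo32 "Virtualization-based
    # security" rows. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    $s = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                         -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($s.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ([int[]]$s.SecurityServicesRunning -contains 1)
        HvciRunning            = ([int[]]$s.SecurityServicesRunning -contains 2)
        ConfiguredServices     = $s.SecurityServicesConfigured
    }
}

$r = Test-CredentialGuard
$r
if (-not $r.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: check Secure Boot, TPM and VBS, then reboot.'
}
```

CredentialGuardRunning is the value to put in the deployment checklist; "configured" alone only means the policy arrived, not that LSA secrets are actually isolated.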

AppLocker configuration for PAW:
  # Default Deny + Whitelist:
  # Allowed:
  %SystemRoot%\*              → Windows System Tools
  %ProgramFiles%\*            → Default programs
  C:\AdminTools\*             → Custom admin scripts

  # Explicitly allowed admin tools:
  PowerShell.exe (signed by Microsoft)
  mmc.exe (Microsoft Management Console)
  rsat\*.exe (Remote Server Admin Tools)

  # Prohibited (default block):
  Browser executables (chrome.exe, firefox.exe, msedge.exe)
  Office (winword.exe, excel.exe, outlook.exe)
  TeamViewer, AnyDesk, etc.
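The whitelist above written as an AppLocker policy, applied locally and then tested, as an added example that is not from the original text. Note that %ProgramFiles%\* also covers a browser installed there, so the browser block is an explicit deny rule, which in AppLocker always wins over an allow rule. The policy path and the Edge publisher string are assumptions; read the real publisher of a binary with (Get-AppLockerFileInformation -Path <exe>).Publisher before writing a rule.

```powershell
# Added example (not from the original text). Run elevated on the PAW.
$PolicyFile = 'C:\AdminTools\paw-applocker.xml'   # assumption

# Deny rules win over allow rules, so the browser deny holds although
# %PROGRAMFILES%\* is allowed. The deny is a publisher rule, not a path rule,
# so it still matches if the binary is copied somewhere else.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="AdminTools" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\AdminTools\*"/></Conditions></FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny user-writable Windows dir" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*"/></Conditions></FilePathRule>
    <FilePublisherRule Id="$(New-Guid)" Name="Deny Edge" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT EDGE" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Admin scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\AdminTools\*"/></Conditions></FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyFile -Encoding UTF8

# Enforcement requires the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Apply locally; with -Ldap "LDAP://<DC>/<GPO DN>" the same XML goes into the PAW GPO.
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# Test before trusting it: the browser must be denied, the admin tools allowed.
$samples = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
           "$env:SystemRoot\System32\mmc.exe",
           "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The Script collection only allows C:\AdminTools, so domain logon scripts from SYSVOL would be denied; add a rule for that share if the PAW relies on them, and extend the Temp deny to every other user-writable directory under %WINDIR% you find with icacls.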

VM-based PAW (Bastion VM)

PAW as a virtual machine:

Concept: "Jump VM" on a standard laptop, strictly isolated

  Host laptop (standard)             PAW VM (Hyper-V / VMware)
  → Email, Office, browser           → Admin tools, RSAT
  → Connected: company network       → Connected: PAW VLAN
  → No admin rights                  → Admin access only

Advantages of VM-PAW:
  → No second device required (cost advantage)
  → Fast snapshotting (before admin action: snapshot!)
  → Easy reimaging (compromised → fresh snapshot)

Disadvantages of VM-PAW:
  → Host system must be trustworthy
  → Hypervisor escape theoretically possible (extremely rare)
  → Less isolated than a physical device

Hyper-V configuration:
  # Isolated virtual network for the PAW VM.
  # Internal switch: no physical uplink, but the host keeps a vNIC on it, so the
  # host can still reach the VM. If the VM has to sit on the PAW VLAN, bind an
  # External switch to a dedicated NIC instead (with -AllowManagementOS $false).
  New-VMSwitch -Name "PAW-VLAN" -SwitchType Internal
  # VM configuration: tag the VM's traffic with VLAN 100 (the PAW VLAN)
  Set-VMNetworkAdapterVlan -VMName "PAW-VM" -Access -VlanId 100
  # No connection to the normal company network!

  # Credential Guard also in the VM (needs a Generation 2 VM with vTPM; the
  # opt-out flag is cleared so the guest is allowed to enable VBS):
  Set-VMSecurity -VMName "PAW-VM" -VirtualizationBasedSecurityOptOut $false

Microsoft Privileged Access Devices (new designation):
  → Privileged Access Workstation (physical)
  → Privileged Access Desktop (VM on isolated host)
  → Privileged Access Interface (Remote Desktop Gateway)
  → Secure Admin Workstation (SAW) for the highest security requirements

PAW Operation and Governance

PAW Lifecycle Management:

Provisioning:
  1. New device: only via Secure Supply Chain
     (directly from the manufacturer, no middleman)
  2. OS installation: offline from a USB drive (not from the network!)
  3. GPO: automatically via AD group membership
  4. BitLocker: Recovery key in AD (not on a regular server!)
  5. Enrollment: MDM enrollment (Intune: PAW device group)

Regular maintenance:
  → Windows Updates: Maintenance window, completely separate from regular updates
  → Patches: monthly, from our own WSUS (not the Internet!)
  → Reimage: every 6 months (best practice), or after any suspected compromise

Emergency procedures:
  → PAW lost/stolen: remotely wipe BitLocker key (Intune)
  → Suspected PAW compromise: isolate immediately, start IR process
  → No PAW available: break-glass procedure with physical security token

PAW Deployment Checklist:
  □ Dedicated AD tier (Tier 0 OU) created
  □ PAW VLAN configured, firewall rules set
  □ Credential Guard enabled via GPO
  □ AppLocker whitelist configured + tested
  □ No browsers/email/Office on PAW
  □ BitLocker enabled, recovery key secured
  □ USB access restricted to whitelist
  □ Admin accounts NOT usable on regular workstations
  □ Monitoring: all PAW logins in SIEM
  □ Training: all admins are familiar with the tier model and PAW rules