Privileged Access Workstation (PAW): Secure admin workstations for privileged access
Privileged Access Workstations (PAWs) are dedicated, hardened workstations used exclusively for administrative tasks. They are Microsoft's recommended control for protecting privileged identities in Active Directory and Azure. A PAW separates administrative activity from everyday web browsing, email, and other sources of risk. This article explains the clean source principle behind PAWs, the deployment models (physical, virtual, cloud), the hardening configuration, integration into a tiered administration model together with LAPS, and how PAW activity is monitored.
In many organisations administrators use the same workstation for email, web browsing, and managing domain controllers. This is one of the most common entry points for attacks on privileged accounts: a phishing link opens a document whose macro runs in the context of the logged-on user, and that user also happens to be a domain administrator. PAWs remove this problem through physical or logical separation of the administrative environment.
Clean Source Principle
Microsoft Clean Source Principle:
"The security of a system cannot exceed
the security of the systems that manage it"
Consequence:
Domain controller security ≤ security of the workstation used to administer it
Admin workstation (PAW or jump host) security ≤ security of the device the admin connects from
Admin device security ≤ security of the network segments it can reach and of the systems that build and patch it
Problem with a standard admin laptop:
→ Internet access: phishing, drive-by downloads
→ Email client: the primary malware delivery vector
→ Browser with plug-ins: large, constantly changing attack surface
→ USB access: BadUSB, infected storage devices
→ Other software: Office, Teams, Zoom (each with its own history of exploitable vulnerabilities)
Attack path without PAW:
1. Attacker sends a phishing email to the admin (admin@firma.de)
2. Admin opens the attachment on the standard laptop
3. Malware runs in the admin's user context
4. Admin opens a remote session to a DC from the same laptop (RDP, RSAT)
5. Malware dumps the admin's credentials from LSASS or hijacks the live session and uses them for Pass-the-Hash / Pass-the-Ticket against the DC
6. Domain compromised!
PAW interrupts this path:
→ PAW has no email client
→ PAW has no internet browser (or a severely restricted, isolated one)
→ PAW is configured only for admin tools
→ Even if the normal laptop is compromised, the attacker finds no Tier-0 credential on it and no path from it to the PAW
PAW Deployment Models
Model 1: Physically Dedicated Device (Classic):
Hardware:
→ Separate laptop/desktop exclusively for admin tasks
→ Physically separated from the normal work PC
→ Recommended: no network adapters for Wi-Fi (wired only!)
→ TPM 2.0 + Secure Boot + BitLocker (full encryption)
Usage:
→ Admin laptop: EXCLUSIVELY for DC/server administration
→ Regular laptop: Email, Teams, browser, Office
→ Never: Admin tools on the regular laptop
→ Never: Personal use on the admin laptop
Advantages:
✓ Maximum security (complete separation)
✓ Easy to understand and enforce
Disadvantages:
✗ Two devices (cost, complexity for admins)
✗ For remote work: difficult to take with you
Model 2: VM-based PAW (more practical for remote work):
Setup:
→ Host system: Standard Windows laptop (email, internet)
→ PAW: Hyper-V/VMware VM with strict isolation rules
Hyper-V configuration for PAW VM:
□ Disable Enhanced Session Mode (it is what enables clipboard, drive and USB redirection into the VM)
□ Shared folders / Guest Services (file copy): NONE
□ Network: separate virtual switch (admin network access only, no host vNIC on it)
□ Internet access: BLOCKED (extended port ACLs on the vSwitch port or host firewall)
□ USB passthrough: DISABLED
Limitations:
✗ VM escape vulnerabilities are rare but have occurred; they are no longer purely theoretical
✗ The host controls the guest: host compromise (keylogger, memory read, stolen snapshot) = PAW compromise
✗ Clipboard, drag-and-drop and Guest Services must be explicitly disabled
→ Microsoft's guidance therefore inverts this model: the PAW is the host and the everyday environment runs as a guest VM on it. Use a PAW-as-guest only where that is not feasible.
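The checklist above, as an added example that is not part of the original article: a PowerShell script for the Hyper-V host that isolates a Generation 2 PAW VM. The VM name "PAW-T0", the switch name "PAW-Admin", the host NIC "Ethernet 2", the admin network 192.168.100.0/24 and the DNS server 192.168.100.10 are assumptions; replace them with your own values and run the script elevated on the host.

```powershell
# Added example: isolate a Hyper-V PAW VM. All names and addresses below are
# placeholders for this illustration, not values from the article.
$VMName   = 'PAW-T0'
$Switch   = 'PAW-Admin'
$HostNic  = 'Ethernet 2'          # physical NIC cabled to the admin VLAN only
$AdminNet = '192.168.100.0/24'
$CorpDns  = '192.168.100.10'

# 1. Enhanced Session Mode is a host-wide setting; off means no clipboard,
#    drive, printer or USB redirection into any VM on this host.
Set-VMHost -EnableEnhancedSessionMode $false

# 2. Dedicated external switch. -AllowManagementOS $false gives the host no
#    vNIC on it, so a compromised host cannot simply bridge into the admin VLAN.
if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Switch -NetAdapterName $HostNic -AllowManagementOS $false | Out-Null
}
Connect-VMNetworkAdapter -VMName $VMName -SwitchName $Switch

# 3. Remove the host-to-guest file copy path. Hyper-V has no shared folders
#    unless they are created, so this is the only remaining data channel.
Disable-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'

# 4. Extended port ACLs on the vSwitch port: allow the admin network and DNS,
#    deny everything else in both directions. The rule with the higher weight
#    wins; stateful rules let replies back in.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound `
    -RemoteIPAddress $AdminNet -Weight 20 -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound `
    -RemoteIPAddress $CorpDns -Protocol UDP -RemotePort 53 -Weight 30 -Stateful $true
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Outbound -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Inbound  -Weight 1

# 5. vTPM and Secure Boot so that BitLocker and Credential Guard work inside
#    the PAW VM (Generation 2 VM required).
Set-VMFirmware -VMName $VMName -EnableSecureBoot On
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName
}

# 6. Verify the resulting ACL set.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Select-Object Direction, Action, RemoteIPAddress, RemotePort, Weight, Stateful |
    Format-Table -AutoSize
```

The deny rules carry the lowest weight so that every explicit allow takes precedence; the DNS rule is pinned to the corporate resolver so the VM cannot reach an external resolver even though UDP/53 is open. The same ACL pattern applies if you follow Microsoft's preferred layout and run the everyday environment as the guest instead, in which case the guest gets the internet and the host (the PAW) gets the admin VLAN.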
Model 3: Cloud-based PAW (Azure Virtual Desktop/Windows 365):
Azure Virtual Desktop as PAW:
→ Admin connects via the AVD client
→ The AVD session runs in Azure (not on the local device!)
→ Local device: only the AVD client is allowed for admin connections; Conditional Access should require a compliant, managed device and phishing-resistant MFA for the session
Advantages:
✓ Device-independent (even from a personal laptop, subject to the Conditional Access policy)
✓ Azure Conditional Access can protect PAW sessions
✓ Centralized management + logging
Disadvantages:
✗ Dependence on the internet
✗ Compromise of the Azure tenant or subscription that hosts the session hosts = PAW compromise; the tenant itself therefore has to be treated as Tier 0
✗ A compromised local device still sees the keyboard and screen of the session, so the "personal laptop" convenience costs assurance
PAW Hardening Configuration
Windows hardening for PAW:
Basic configuration via GPO:
1. Software restriction (AppLocker/WDAC):
# Only allowed programs:
Allowed:
→ Windows system programs (C:\Windows\*, but exclude user-writable subfolders such as C:\Windows\Temp and C:\Windows\Tasks, otherwise the allow rule becomes a bypass)
→ Admin tools (RSAT, PowerShell, MMC)
→ AV/EDR agent
Blocked: EVERYTHING else!
→ No browser, no Office, no Teams, no Notepad++
2. Network firewall rules:
# Outbound:
ALLOW → Admin networks (192.168.100.0/24)
ALLOW → Domain controller IPs
ALLOW → DNS (Corporate)
ALLOW → Windows Update (preferably via an internal WSUS/ConfigMgr server, so no direct internet rule is needed)
DENY ALL → Internet (no HTTP/HTTPS to external IPs!)
DENY ALL → User networks (VLANs for regular employees)
3. Enable Credential Guard:
HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags = 1 (enabled with UEFI lock; 2 = enabled without lock)
# → Requires UEFI, Secure Boot and CPU virtualization extensions; LSA secrets (NTLM hashes, Kerberos TGTs) are moved into the isolated LSAIso process
# → Dumping LSASS no longer yields reusable hashes or tickets. It does not protect against keyloggers or misuse of a live session, which is why the other controls are still needed
4. Attack Surface Reduction (ASR) Rules:
# Via Intune or GPO (Microsoft Defender Antivirus → Attack Surface Reduction), in Block mode:
Block credential stealing from the Windows local security authority subsystem (lsass.exe): ENABLE
Block Office applications from injecting code into other processes: ENABLE
Block untrusted and unsigned processes that run from USB: ENABLE
Block all Office applications from creating child processes: ENABLE (harmless on a PAW, which should not have Office; relevant on Tier-2 workstations)
5. Windows Defender Application Guard (WDAG):
# If a browser is REQUIRED (e.g. for the Entra admin portal): only in the WDAG sandbox
# WDAG: isolated Hyper-V container for browser sessions
# Malware in the browser container cannot access host resources
# Caveat: Microsoft has listed Application Guard for Edge as deprecated; plan a replacement such as a browser in a separate VM or a cloud-hosted browser session
6. Disable USB access:
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start = 4 (disabled)
# Via GPO: Computer Configuration → Administrative Templates → System → Removable Storage Access
# "All Removable Storage classes: Deny all access"
# Caveat: this only covers mass storage. A BadUSB device that enumerates as a keyboard is not affected; add device installation restrictions (allow list by device ID) to cover HID devices
7. Enforce SMB signing and restrict NTLM:
# SMB signing prevents SMB relay of the PAW's sessions:
GPO: Microsoft network client: Digitally sign communications (always) → Enabled
GPO: Microsoft network server: Digitally sign communications (always) → Enabled
# NTLM hardening on top; a PAW should speak Kerberos only:
GPO: Network security: LAN Manager authentication level → "Send NTLMv2 response only. Refuse LM & NTLM"
GPO: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers → "Deny all" (run in "Audit all" first)
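Steps 2, 3, 4, 6 and 7 above as one script, an added example that is not part of the original article. It targets a domain-joined Windows 11 PAW and assumes the admin network 192.168.100.0/24, domain controllers 192.168.100.10 and 192.168.100.11 (which also serve DNS), a WSUS server at 192.168.100.20 and a user VLAN 10.50.0.0/16; all of these are placeholders. The AppLocker/WDAC policy (step 1) and Application Guard (step 5) are authored in their own tooling and are not covered here. Run elevated and reboot afterwards; Credential Guard only becomes active after the restart.

```powershell
# Added example: PAW hardening baseline. Addresses are placeholders.
$AdminNet = '192.168.100.0/24'
$DCs      = '192.168.100.10', '192.168.100.11'
$Wsus     = '192.168.100.20'
$UserVlan = '10.50.0.0/16'

function Set-RegValue($Path, $Name, $Value, $Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 2. Firewall: default-deny in both directions, explicit allows only. Block
#    rules take precedence over allow rules in Windows Firewall, so the user
#    VLAN block wins even if an allow rule ever overlaps it.
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block
Get-NetFirewallRule -DisplayName 'PAW:*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'PAW: admin network' -Direction Outbound -Action Allow -RemoteAddress $AdminNet | Out-Null
New-NetFirewallRule -DisplayName 'PAW: domain controllers (Kerberos, LDAP, SMB, DNS)' -Direction Outbound -Action Allow -RemoteAddress $DCs | Out-Null
New-NetFirewallRule -DisplayName 'PAW: WSUS' -Direction Outbound -Action Allow -RemoteAddress $Wsus -Protocol TCP -RemotePort 8530, 8531 | Out-Null
New-NetFirewallRule -DisplayName 'PAW: block user VLAN' -Direction Outbound -Action Block -RemoteAddress $UserVlan | Out-Null

# 3. Credential Guard = virtualization-based security + LSA isolation.
#    LsaCfgFlags 1 = enabled with UEFI lock (cannot be switched off remotely).
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-RegValue $dg 'EnableVirtualizationBasedSecurity' 1
Set-RegValue $dg 'RequirePlatformSecurityFeatures' 3      # 1 = Secure Boot, 3 = Secure Boot + DMA protection
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags' 1

# 4. ASR rules in Block mode. The GUIDs are the rule IDs from Microsoft's
#    ASR rule reference; verify them against the current documentation.
$asr = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 6. USB mass storage off. This covers the USBSTOR driver only; a BadUSB
#    keyboard needs device installation restrictions on top.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4

# 7. SMB signing required in both directions, NTLMv2 only, and no outgoing
#    NTLM at all: a PAW talks Kerberos to Tier-0 systems, so any NTLM
#    fallback is either a misconfiguration or a relay attempt.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 1
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 5           # NTLMv2 only, refuse LM & NTLM
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic' 2  # 0 = allow, 1 = audit, 2 = deny all

# Verification (after reboot): 1 in SecurityServicesRunning = Credential Guard active.
$state = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"Credential Guard running: $($state.SecurityServicesRunning -contains 1)"
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
```

Apply the NTLM deny (RestrictSendingNTLMTraffic = 2) only after a period with the value 1 (audit) and a check of the Microsoft-Windows-NTLM/Operational log; anything that still shows up there is a system that has not been moved to Kerberos and will break once the deny takes effect.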
Recommended admin tools on PAW:
✓ Remote Server Administration Tools (RSAT)
✓ Active Directory Users and Computers
✓ Group Policy Management Console
✓ Microsoft Management Console (MMC)
✓ PowerShell (execution policy AllSigned; note that execution policy is not a security boundary, the AppLocker/WDAC policy is what actually restricts scripts and puts PowerShell into Constrained Language Mode)
✓ Azure/Entra ID Admin Center (via WDAG browser)
✓ PAM tool client (CyberArk, BeyondTrust)
Integration into Tiered Administration Model
Active Directory Tier Model + PAWs:
Tier 0 - Control Plane (Domain Controllers, PKI):
Admins: 2–5 people maximum
PAW Type: Physically dedicated device
Permitted on this PAW:
→ DC Administration (Active Directory)
→ PKI administration
→ NOT: Tier 1/2 administration!
Privileged accounts: Domain Admins (DA), Enterprise Admins (EA), Schema Admins, PKI admins
→ Log in only on Tier 0 PAW!
→ Never on normal workstations!
Tier 1 - Server level:
Admins: IT team
PAW type: VM or physical (depending on risk classification)
Permitted on this PAW:
→ Windows Server administration
→ VMware/Hyper-V administration
→ Database server, application server
Privileged accounts: Server admins
→ Must NOT administer domain controllers!
Tier 2 - Workstations/Endpoints:
Admins: Helpdesk, Desktop Support
PAW Type: Strict standard workstation with restricted rights
Permitted:
→ Endpoint management (Intune, SCCM)
→ LAPS management
NO Tier 2 admins are allowed to touch servers or DCs!
Enforcement with logon restrictions (User Rights Assignment and Authentication Policy Silos):
GPO on Tier-0 systems (DCs, PKI): Deny log on locally / Deny log on through Remote Desktop Services / Deny log on as a batch job / Deny log on as a service:
→ Group: Tier-1 admins
→ Group: Tier-2 admins
→ Prevents Tier-1/2 admins from logging on to DCs, interactively or via RDP
GPO on Tier-1 and Tier-2 systems: the same deny rights plus "Deny access to this computer from the network" for the Tier-0 groups, so a Tier-0 credential is never exposed on a lower tier
Authentication Policy Silos (Windows Server 2012 R2 domain functional level and later; Kerberos armoring must be enabled on DCs and clients):
→ Tier-0 accounts: the KDC issues a TGT only when the request comes from a Tier-0 computer that is a member of the silo
→ If a Tier-0 account attempts to log in on a regular PC: DENIED by the DC, before the logon ever reaches the local machine
LAPS (Local Administrator Password Solution):
□ All workstations receive a unique local admin password
□ Rotates automatically (default: every 30 days, and on demand after use)
□ Stored in AD (or in Entra ID with Windows LAPS); only delegated principals, e.g. the Tier-2 helpdesk, can read it
□ Prevents lateral movement with a shared local admin hash: a hash captured on one workstation is worthless on the next
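The silo and LAPS configuration above, as an added example that is not part of the original article. It assumes a domain corp.example, a silo named "Tier0-Silo" with the PAW "PAW-T0-01" and the DC "DC01" as computer members, the Tier-0 account "da-alice", a workstation OU "OU=Workstations,DC=corp,DC=example" and a helpdesk group CORP\Tier2-Helpdesk; all of these are placeholders. It requires the ActiveDirectory and LAPS PowerShell modules (RSAT on a Tier-0 PAW), a 2012 R2 or later domain functional level, and Kerberos armoring enabled via the "KDC support for claims, compound authentication and Kerberos armoring" and "Kerberos client support for claims..." policies. Leave out -Enforce on the policy and the silo for a first run: in audit mode the DC logs would-be rejections instead of blocking them.

```powershell
# Added example: Authentication Policy Silo for Tier 0 plus LAPS delegation.
# All names are placeholders for this illustration.
Import-Module ActiveDirectory
Import-Module LAPS

$Silo         = 'Tier0-Silo'
$PawComputers = 'PAW-T0-01', 'DC01'
$Tier0Users   = 'da-alice'

# 1. Policy: the user's TGT is only issued when the request comes from a device
#    that is itself a member of the same silo. The SDDL is the form documented
#    by Microsoft for "allowed to authenticate from". 120 min TGT lifetime
#    limits how long a stolen ticket stays usable.
$fromSilo = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $Silo + '"))'
$policy = New-ADAuthenticationPolicy -Name 'Tier0-Policy' `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $fromSilo `
    -Enforce -PassThru

# 2. Silo that ties users, computers and service accounts to the policy.
New-ADAuthenticationPolicySilo -Name $Silo `
    -UserAuthenticationPolicy $policy `
    -ComputerAuthenticationPolicy $policy `
    -ServiceAuthenticationPolicy $policy `
    -Enforce

# 3. Membership is two-sided: the silo must grant access, and each account
#    must claim the silo. Tier-0 users additionally go into Protected Users
#    (no NTLM, no RC4/DES, no delegation, no cached credentials).
foreach ($c in $PawComputers) {
    $obj = Get-ADComputer -Identity $c
    Grant-ADAuthenticationPolicySiloAccess -Identity $Silo -Account $obj
    Set-ADComputer -Identity $obj -AuthenticationPolicySilo $Silo
}
foreach ($u in $Tier0Users) {
    $obj = Get-ADUser -Identity $u
    Grant-ADAuthenticationPolicySiloAccess -Identity $Silo -Account $obj
    Set-ADUser -Identity $obj -AuthenticationPolicySilo $Silo
    Add-ADGroupMember -Identity 'Protected Users' -Members $obj
}

# 4. Windows LAPS: workstations write their own password; only the Tier-2
#    helpdesk may read or reset it. A Tier-2 account therefore never needs a
#    domain-wide privileged credential to support an endpoint.
$wsOU = 'OU=Workstations,DC=corp,DC=example'
Set-LapsADComputerSelfPermission -Identity $wsOU
Set-LapsADReadPasswordPermission  -Identity $wsOU -AllowedPrincipals 'CORP\Tier2-Helpdesk'
Set-LapsADResetPasswordPermission -Identity $wsOU -AllowedPrincipals 'CORP\Tier2-Helpdesk'

# 5. Verify silo membership and what a delegated reader sees for one host
#    (without -AsPlainText the password comes back as a SecureString).
Get-ADAuthenticationPolicySilo -Identity $Silo -Properties Members | Select-Object -ExpandProperty Members
Get-LapsADPassword -Identity 'WS-0815' -AsPlainText | Select-Object ComputerName, Account, ExpirationTimestamp
```

The silo is what makes the "Tier-0 accounts log on only from Tier-0 PAWs" rule technically enforceable: the deny-logon GPOs act on the target machine, whereas the silo is evaluated on the DC, so a machine that is not under GPO control (or where an attacker has local admin) cannot get a ticket for the account at all.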
Monitoring PAW Activities
PAW-Specific SIEM Alerting:
Critical events on PAW computers:
Event 4624 (Logon): logon of an account that is not an authorised PAW admin, or a network/RDP logon from elsewhere → Alert!
Event 4648 (Logon attempted with explicit credentials): a second credential set was used on the PAW (runas, mapped drive, alternate RDP credentials); every occurrence should match a known admin workflow → investigate
Event 7045 (System log, new service installed): new service on PAW (suspicious!)
Event 4698 (Scheduled task created): new task on PAW → Alert!
Anomaly Detection:
→ Admin account logging in from a location NOT known as a PAW → Alert!
→ PAW connecting to an Internet IP → Alert!
→ Unplanned process on PAW → Alert!
KQL in Microsoft Sentinel (the hostnames below are placeholders; in production they come from a Sentinel watchlist of your PAW inventory):
// Admin login not from PAW:
let known_paw_hostnames = dynamic(["PAW-T0-01", "PAW-T0-02"]);   // placeholder list
SecurityEvent
| where EventID == 4624
| where AccountType == "User"
| where Account contains "admin" or Account contains "svc"   // adapt to your naming convention
| where Computer !in (known_paw_hostnames)
| where LogonType in (2, 3, 10) // Interactive, Network, RemoteInteractive
| project TimeGenerated, Account, Computer, IpAddress, LogonType
// PAW connects to the Internet (requires the Microsoft Defender for Endpoint connector):
let paw_devices = dynamic(["PAW-T0-01", "PAW-T0-02"]);   // placeholder list
DeviceNetworkEvents
| where DeviceName in (paw_devices)
| where RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
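The Sentinel queries depend on an endpoint agent on every machine. As an added example that is not part of the original article, the following PowerShell check takes the DC-side view instead: every Kerberos TGT request for a Tier-0 account is recorded on the domain controller as event 4768 together with the requesting IP, so a request from an address that is not a PAW means the credential was used where it must not be, regardless of whether the endpoint reports anything. The DC name "DC01", the account names and the PAW addresses are placeholders; the script needs "Audit Kerberos Authentication Service" enabled on the DCs (the default for success events) and read access to the DC Security log, i.e. it runs from a Tier-0 PAW.

```powershell
# Added example: find Tier-0 TGT requests that did not originate from a PAW.
# Names and addresses are placeholders for this illustration.
$DC     = 'DC01'
$Tier0  = 'da-alice', 'da-bob', 'ea-breakglass'
$PawIPs = '192.168.100.50', '192.168.100.51'
$Since  = (Get-Date).AddHours(-24)

function Get-Tier0LogonsOutsidePaw {
    param(
        [string]   $ComputerName,
        [string[]] $Accounts,
        [string[]] $AllowedIPs,
        [datetime] $StartTime
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData of 4768 carries TargetUserName, IpAddress (as ::ffff:a.b.c.d),
        # Status (0x0 = ticket issued) and PreAuthType.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $ip = $d['IpAddress'] -replace '^::ffff:', ''

        if ($Accounts -contains $d['TargetUserName'] -and $AllowedIPs -notcontains $ip) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Account  = $d['TargetUserName']
                SourceIP = $ip
                Status   = $d['Status']        # 0x0 = success; 0x18 = wrong password, i.e. spraying
                PreAuth  = $d['PreAuthType']   # 2 = password, 15 = PKINIT (certificate/smart card)
            }
        }
    }
}

Get-Tier0LogonsOutsidePaw -ComputerName $DC -Accounts $Tier0 -AllowedIPs $PawIPs -StartTime $Since |
    Sort-Object Time | Format-Table -AutoSize
```

A failed request (Status other than 0x0) from a non-PAW address is just as interesting as a successful one: it is either someone guessing a Tier-0 password or an account that an admin is still typing into the wrong machine. Run the check against every DC, since each DC only logs the TGT requests it served itself.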
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.