Build Greenfield Windows Server 2016 Active Directory – Part 2 – Privileged Access Workstations

Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily-use workstations and devices provides very strong protection against phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, pass-the-hash, or pass-the-ticket.

The current threat environment for organizations is rife with sophisticated phishing and other internet attacks that create continuous risk of security compromise for internet exposed accounts and workstations.

This threat environment requires organizations to adopt an “assume breach” security posture when designing protections for high value assets like administrative accounts and sensitive business assets. These high value assets need to be protected against both direct internet threats as well as attacks mounted from other workstations, servers, and devices in the environment.

This figure depicts the risk to managed assets if an attacker gains control of a user workstation where sensitive credentials are used. An attacker in control of an operating system has numerous ways to illicitly gain access to all activity on the workstation and impersonate the legitimate account, and a variety of known and unknown attack techniques can be used to reach this level of access. The increasing volume and sophistication of cyberattacks have made it necessary to extend the account separation concept to a separate client operating system for sensitive accounts.

The PAW approach is an extension of the well-established recommended practice to use separate admin and user accounts for administrative personnel. This practice uses an individually assigned administrative account that is completely separate from the user’s standard user account. PAW builds on that account separation practice by providing a trustworthy workstation for those sensitive accounts.

PAWs don't require a one-to-one mapping of user to workstation, although that is a common configuration. A PAW provides a hardened environment that can be shared by multiple administrative accounts.

PAW Profiles

I think there has often been some confusion about when and where a PAW is used. We must also remember that administrators have a standard (office) account that needs to be factored in, because they still need to access email and the other everyday services.

With that in mind, there are two options for PAW deployment:

  1. Additional PAW – a second device used alongside the normal business laptop
  2. Simultaneous use – a single device that serves both roles

Each option has pros and cons, as this table shows:

Usage               | Pros                                  | Cons
Additional hardware | Security separation                   | Additional desk space; additional cost of hardware
Simultaneous use    | Single device; reduced hardware cost  | Sharing of keyboard/mouse between admin and user OS can lead to additional risk

Deployment Scenarios

Dedicated Hardware

With dedicated hardware, the administrator has a separate device that carries all the admin tools and software needed for their tasks, plus a second device used for email, internet, documents, printing and so on.

The PAW device should not have internet access, and would not be in a VDI environment either.

This is obviously an inconvenience for the administrator, who now has to carry two devices (assuming laptops). Some enterprise organisations have also outsourced part of their AD support, with that support carried out remotely, so you have to consider how those users would connect a PAW to the on-premises AD from an external location when the PAW is not supposed to have internet access.
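The "no internet access" requirement for a dedicated PAW is easiest to enforce on the device itself rather than relying on the network. The following is an added example, not taken from the original post, of restricting a domain-joined PAW with Windows Firewall so that only the on-premises DC and management subnets are reachable. The subnets, the DC name and the rule names are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original post): restrict a dedicated-hardware PAW
# to the on-premises AD/management networks so it has no general Internet path.
# Assumptions (replace with your values): DCs and management hosts live in
# 10.0.10.0/24 and 10.0.20.0/24, and dc01.corp.example is a DC in that range.
$ManagementSubnets = @('10.0.10.0/24', '10.0.20.0/24')

# 1. Default-deny in both directions on every profile. Inbound is already the
#    default; outbound is normally "allow", which is what gives a PAW Internet access.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow outbound only to the DC/management subnets. DNS, Kerberos, LDAP, SMB
#    and RDP/WinRM to the management hosts all fall inside these ranges.
New-NetFirewallRule -DisplayName 'PAW - Allow management networks' `
    -Direction Outbound -Action Allow -RemoteAddress $ManagementSubnets -Profile Any

# 3. Review what the built-in 'Core Networking' rules still allow outbound
#    (e.g. DHCP, DNS to any address). These remain active under a default-deny
#    policy and are the usual place an unintended Internet path survives.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Where-Object DisplayGroup -eq 'Core Networking' |
    Select-Object DisplayName, Profile

# 4. Verify: a public host must be unreachable, a DC must still answer.
#    -InformationLevel Quiet returns $true/$false instead of a report object.
$toInternet = Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 -InformationLevel Quiet
$toDC       = Test-NetConnection -ComputerName 'dc01.corp.example' -Port 389 -InformationLevel Quiet
"Internet reachable: $toInternet  (expected False)"
"DC reachable:       $toDC  (expected True)"
```

Two practical notes: because a local administrator can undo these settings, the same configuration should be delivered by Group Policy rather than run by hand, and anything the PAW legitimately needs from outside the listed subnets (an internal WSUS server, a Defender update source, a PKI CRL endpoint) must be given its own allow rule rather than a general Internet exception.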

Simultaneous Use

In this simultaneous use scenario, a single PC is used for both administration tasks and daily activities like email, document editing, and development work. In this configuration, the user operating system is available while disconnected (for editing documents and working on locally cached email), but requires hardware and support processes that can accommodate this disconnected state.

The physical hardware runs two operating systems locally:

  • Admin OS – The physical host runs Windows 10 and is the PAW itself, used only for administrative tasks
  • User OS – A Windows 10 guest running in client Hyper-V on that host, built from the regular corporate image

With Windows 10 Hyper-V, a guest virtual machine (also running Windows 10) can have a rich user experience including sound, video, and Internet communications applications such as Skype for Business.

In this configuration, daily work that does not require administrative privileges is done in the user OS virtual machine which has a regular corporate Windows 10 image and is not subject to restrictions applied to the PAW host. All administrative work is done on the Admin OS.
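To make the simultaneous-use layout concrete, here is an added example, not from the original post, of provisioning the User OS guest on the Windows 10 PAW host with the Hyper-V PowerShell module. The host NIC name, the ISO and VHDX paths, the VM name and the sizing are assumptions for illustration; the cmdlets are the standard Hyper-V ones shipped with Windows 10.

```powershell
# Added example (not from the original post): build the "User OS" guest for the
# simultaneous-use PAW. Assumptions (replace with your values): the host NIC is
# called 'Ethernet', the corporate Windows 10 media is C:\PAW\Win10-Corp.iso,
# and the guest is named 'UserOS'.

# 1. Enable client Hyper-V on the PAW host. Reboot after this step, then run the rest.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

# 2. External switch so the guest carries the Internet-facing traffic. Note that
#    the host's Windows Firewall does not filter traffic switched to the guest,
#    so host-level restrictions on the Admin OS do not leak into the User OS.
New-VMSwitch -Name 'UserOS-External' -NetAdapterName 'Ethernet' -AllowManagementOS $true

# 3. Generation 2 VM with a virtual TPM and Secure Boot, so the guest can use
#    BitLocker and Credential Guard exactly like a physical corporate PC.
$vm = New-VM -Name 'UserOS' -Generation 2 -MemoryStartupBytes 4GB `
    -NewVHDPath 'C:\PAW\UserOS.vhdx' -NewVHDSizeBytes 120GB -SwitchName 'UserOS-External'
Set-VMProcessor -VM $vm -Count 2
Set-VMKeyProtector -VM $vm -NewLocalKeyProtector   # required before a vTPM can be enabled
Enable-VMTPM -VM $vm
Set-VMFirmware -VM $vm -EnableSecureBoot On

# 4. Boot the guest from the corporate image to install the User OS.
Add-VMDvdDrive -VM $vm -Path 'C:\PAW\Win10-Corp.iso'
$dvd = Get-VMDvdDrive -VM $vm
Set-VMFirmware -VM $vm -FirstBootDevice $dvd

# 5. Enhanced session mode is what gives the guest sound, clipboard and device
#    redirection (the "rich user experience"). It is also a bridge from the
#    untrusted guest back into the admin host, so decide deliberately which
#    redirections to leave on in the guest's RDP settings.
Set-VMHost -EnableEnhancedSessionMode $true

Start-VM -VM $vm
```

Once the guest is installed, it is domain-joined and managed like any other corporate Windows 10 client, while the host stays under the PAW policies; the point of the vTPM/Secure Boot settings is that the User OS gets the same baseline protections it would have on physical hardware rather than becoming a weaker copy of the corporate image.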

Depending on your circumstances, I prefer to recommend the simultaneous use deployment, as it keeps hardware costs down and the end user has only one piece of hardware to carry.

When To Use A PAW

So we now know what a PAW is and which deployment scenario we will use. We also need to decide who, or which types of user, should be required to use a PAW.

  • Active Directory administrators – Tier 0
  • Virtualisation administrators – Tier 0 or 1
  • Server administrators – Tier 1
  • Line-of-business (LoB) application, SQL, SharePoint or messaging administrators – Tier 0 or 1
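The Tier 0 population is the group that must be issued PAWs first, and in practice it is larger than the people who think of themselves as "AD administrators". The following is an added example, not from the original post, that enumerates the accounts holding Tier 0 rights through membership of the built-in privileged groups, including nested membership. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the group list uses the default built-in names, and any custom Tier 0 groups in your domain are an assumption you need to add.

```powershell
# Added example (not from the original post): list the user accounts that are
# Tier 0 by membership of the built-in privileged groups, so they can be put
# on the PAW rollout list. Assumes the ActiveDirectory RSAT module; extend
# $Tier0Groups with any custom groups that control DCs, AD or the hypervisors.
Import-Module ActiveDirectory

$Tier0Groups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

$Tier0Accounts = foreach ($g in $Tier0Groups) {
    # -Recursive expands nested groups, so an account two groups deep still shows up.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.SamAccountName; Via = $g }
        }
}

# One row per account, with every Tier 0 group that grants it that status.
$Tier0Accounts |
    Group-Object Account |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Tier0Via = ($_.Group.Via | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Account |
    Format-Table -AutoSize
```

Two caveats when reading the output: Get-ADGroupMember -Recursive does not resolve members from trusted domains (foreign security principals), so cross-forest administrators need a separate check, and the list only covers group-granted rights; accounts with direct ACL rights on the domain or on DC objects are Tier 0 too and are not found this way.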

PAWs can also be deployed to manage your cloud resources; for example, an Office 365 admin PAW that only allows connectivity to the Microsoft online services.

In the next part of this blog series, I will talk about how to build and configure your PAW devices.
