A PAW deployment restricts privileged Active Directory tasks to dedicated workstations in order to protect against credential theft.
These workstations' sole purpose in life is to perform administrative functions. They are never used for daily tasks such as checking email, browsing the web, or reading reddit. The machines are kept entirely separate from the standard workstations and servers on the domain so that an infection cannot spread between the PAWs and the rest of the domain.
Microsoft’s Privileged Access Workstation (PAW) instructions are published at http://aka.ms/cyberpaw. Unfortunately that article takes 80 minutes to read from start to finish. My goal is to get you started by defining the quickest way to deploy a machine that lowers the risk of privileged credential leaks in your environment.
Let’s dive right into what types of PAWs people use in the wild, where the object stays on the domain.
There are various methods an organization can use to work toward a secure PAW environment.
Sometimes the best and most secure deployment is not possible in a short period of time. Microsoft’s guidance for Phase 1 of the Red Forest says the tooling “Must be set up quickly.” Keeping speed in mind, know that there are ways to secure an environment that are not ‘complete’ but still provide a better base of security than what people already have in place. With that in mind, here are the methods I have seen deployed in various environments:
This isn’t a good solution, but it is better than having Domain Admin and Server Admin accounts used on standard workstations.
Better than a jump box, but still not the ultimate solution. However, its BEST QUALITY is that credentials are instantly separated from a standard workstation… and this is quick.
This is the ultimate goal. Please realize it’s not easy to get here.
The next piece of work is to continue focusing on Tier 0: securing the Tier 0 administrators and the devices they use. If Tier 0 is not secure, there is not much sense in securing anything else. We are going to work on securing where the tiered administrator user accounts reside, making those users work only from the separate admin workstations, and securing where the PAWs themselves reside.
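As an added example (not from the original post or from Microsoft’s guidance), here is a small audit that checks whether the rule “Tier 0 accounts are only used from PAWs” actually holds, run over constructed 4624-style logon records; the account names, PAW host names and the tab-separated export format are assumptions.

```python
"""Audit Windows 4624 logon records for Tier 0 accounts used outside the PAWs."""
from dataclasses import dataclass

# Constructed inventory (placeholders, not from the original post).
TIER0_ACCOUNTS = {"CORP\\t0-admin-jsmith", "CORP\\t0-admin-akhan"}
PAW_HOSTS = {"PAW01", "PAW02"}
INTERACTIVE_TYPES = {2, 10, 11}   # console, RDP and cached-credential logons
NETWORK_TYPE = 3                  # SMB/RPC/PowerShell remoting etc.

@dataclass(frozen=True)
class Logon:
    account: str        # TargetUserName, prefixed with the domain
    computer: str       # host that recorded the 4624 event
    logon_type: int
    source_host: str    # WorkstationName field (the originating machine)

def parse_event(line: str) -> Logon:
    """Parse one constructed, tab-separated export line: account, computer, type, source."""
    account, computer, logon_type, source = line.rstrip("\n").split("\t")
    return Logon(account, computer.upper(), int(logon_type), source.upper())

def violations(events):
    """Return Tier 0 logons that break the PAW-only rule as (account, host, reason)."""
    found = []
    for ev in events:
        if ev.account not in TIER0_ACCOUNTS:
            continue  # only Tier 0 accounts are in scope for this rule
        if ev.logon_type in INTERACTIVE_TYPES and ev.computer not in PAW_HOSTS:
            found.append((ev.account, ev.computer, "interactive logon on non-PAW"))
        elif ev.logon_type == NETWORK_TYPE and ev.source_host not in PAW_HOSTS:
            # e.g. a Tier 0 admin opening an SMB/RPC session to a DC from a user workstation
            found.append((ev.account, ev.computer, f"network logon from {ev.source_host or 'unknown'}"))
    return found

# Constructed sample export: account, computer, logon type, source workstation.
SAMPLE_EXPORT = """CORP\\t0-admin-jsmith\tPAW01\t2\tPAW01
CORP\\t0-admin-jsmith\tDC01\t3\tPAW01
CORP\\t0-admin-akhan\tWKS-FINANCE-17\t10\tWKS-FINANCE-17
CORP\\t0-admin-akhan\tDC02\t3\tWKS-FINANCE-17
CORP\\jdoe\tWKS-FINANCE-17\t2\tWKS-FINANCE-17
"""

def audit(export_text: str = SAMPLE_EXPORT):
    """Run the rule over an export; the sample yields the two akhan logons from a user workstation."""
    return violations(parse_event(l) for l in export_text.splitlines() if l.strip())

if __name__ == "__main__":
    for account, host, reason in audit():
        print(f"{account} on {host}: {reason}")
```

Only the first two sample lines (jsmith on PAW01, then reaching DC01 from PAW01) pass; the same pattern from a standard workstation is what the separate admin workstations are meant to make impossible.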