As part of the administrative separation between normal users and admin users (Segregation of Duties), a secure host, or “Privileged Access Workstation” (PAW), must exist to fully separate a standard computer from the dedicated machine used for privileged domain maintenance. These assets are the main target of any attacker who is looking to compromise the directory, which is why it is so important to secure and protect them.
Each of the defined tiers or areas within this model (Admin/Tier0, Servers/Tier1 & Sites/Tier2) will have its own set of PAWs for administration; sharing PAWs between Areas/Tiers is not permitted. These assets will be under the control of Tier0 administrators. They will be subject to a set of restrictions that protect privileged access to the environment; for example, restrictions on logon, web surfing, or holding local administrative privileges.
These machines will have a hardened OS implementation and toolsets designed exclusively for secure administration tasks. Access to them will be restricted based on the delegated rights of the user and the Tiering definition; in other words, only users who have been granted privileged rights will be able to log on to these computers.
Jerry Devore, a Microsoft Premier Field Engineer, provides a nice walkthrough of the PAW concept.