As part of the administrative separation between normal users and admin users (Segregation of Duties), a secure host, or “Privileged Access Workstation (PAW)”, must exist to fully separate the standard computer from the specific privileged machine used for domain privileged maintenance. These assets are the main target of any attacker who is looking to compromise the directory, which is why it is so important to secure and protect them.
Each of the defined tiers or areas within this model (Admin/Tier0, Servers/Tier1 & Sites/Tier2) will have its own set of Privileged Access Workstations (PAWs) for administration; sharing PAWs between Areas/Tiers is not permitted. Those assets will be under the control of Tier0 administrators. These assets will have a set of restrictions used to protect privileged access to the environment, for example restrictions on logon, on web surfing and on holding local administrative privileges.
Using the same workstation for daily work and for administering the environment is not a good idea. Simply by having a segregated workstation, we effectively increase security. The following table gives a rough estimate of how much each measure increases the security of the environment.
Measure effort

| Action | Percent |
| --- | --- |
| Have a separate workstation exclusively for administration | 30% |
| Have the latest OS on the separate workstation | 20% |
| Hardening of the OS image | 10% |
| Secure boot & encrypted disk | 10% |
| Have a separate patching procedure for these assets | 10% |
| Software restrictions | 5% |
| Logon restrictions | 5% |
| Reduced attack surface | 5% |
Bear in mind that there is no absolute solution. What is enough for one company might be insufficient for another.
This equipment will have a hardened OS build and toolsets designed exclusively for secure administration tasks. Access to this equipment will be restricted based on the delegated rights of the user and the tiering definition. In other words, only users who have been granted privileged rights will be able to log on to these computers.
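The measures in the table above and the logon restriction just described are the kind of thing a Tier0 administrator should be able to verify on a PAW, not just declare in a design document. The following PowerShell audit is an added example and is not part of the original article or of any Microsoft tooling: it checks a local host for Secure Boot, BitLocker on the OS volume, Credential Guard, an enforced AppLocker executable policy, a restricted local Administrators group and an "Allow log on locally" right that no longer includes BUILTIN\Users. The allowed group name `CONTOSO\PAW-Tier0-Admins` is an assumption you would replace with your own Tier0 group.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit a host against a PAW baseline.
# Assumes Windows 10/11 or Windows Server with the SecureBoot, BitLocker, AppLocker
# and LocalAccounts modules present, run from an elevated session.

function Test-PawBaseline {
    [CmdletBinding()]
    param(
        # Assumed name of the only group that may hold local admin rights on the PAW.
        [string]$AllowedAdminGroup = 'CONTOSO\PAW-Tier0-Admins'
    )

    $results = [ordered]@{}

    # Table row "Secure boot & encrypted disk": UEFI Secure Boot must be on.
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware.
    try {
        $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $results['SecureBoot'] = $false
    }

    # The OS volume must be fully encrypted with protection enabled.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $results['DiskEncrypted'] = ($null -ne $osVol) -and
        ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
        ($osVol.ProtectionStatus -eq 'On')

    # Table row "Hardening of the OS image": Credential Guard protects cached
    # credentials, the asset an attacker wants from an admin workstation.
    # SecurityServicesRunning value 1 means Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results['CredentialGuardRunning'] = ($null -ne $dg) -and
        ($dg.SecurityServicesRunning -contains 1)

    # Table row "Software restrictions": the effective AppLocker policy must have
    # an Exe rule collection in enforcement mode (not AuditOnly / NotConfigured).
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $results['SoftwareRestriction'] = ($null -ne $exeRules) -and
        ($exeRules.EnforcementMode -eq 'Enabled')

    # No local administrative privileges for anyone except the built-in account
    # (which should be disabled) and the Tier0 admin group.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    $unexpected = $localAdmins | Where-Object {
        $_ -ne $AllowedAdminGroup -and $_ -notlike '*\Administrator'
    }
    $results['LocalAdminsRestricted'] = (@($unexpected).Count -eq 0)

    # Table row "Logon restrictions": export user rights and check that
    # SeInteractiveLogonRight ("Allow log on locally") no longer contains
    # BUILTIN\Users (SID S-1-5-32-545), which is the default on a normal client.
    $cfg = Join-Path $env:TEMP 'paw-secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $interactive = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    $results['LogonRestricted'] = ($null -ne $interactive) -and
        ($interactive -notmatch 'S-1-5-32-545')

    # Overall verdict: every individual check must pass.
    $results['Overall'] = -not ($results.Values -contains $false)
    [pscustomobject]$results
}

# Usage: run on the PAW itself and review any $false entries.
Test-PawBaseline -AllowedAdminGroup 'CONTOSO\PAW-Tier0-Admins' | Format-List
```

Each property of the returned object maps to one row of the table, so a `$false` points directly at the measure that is missing on that host. Running the same function regularly (for example from a scheduled task that writes the result to the SIEM) turns the table from an estimate into a monitored control.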
Jerry Devore, a Microsoft Premier Field Engineer, has a nice walkthrough of the PAW concept.
Why Privileged Access Workstations (PAW) Are Essential in Any IT Environment
Microsoft “Privileged Access Devices” documentation.
In today’s threat landscape, securing privileged access is non-negotiable. Whether your infrastructure is fully on-premises, hybrid, or entirely cloud-based, the need to isolate and protect privileged credentials remains constant. This is where Privileged Access Workstations (PAWs) play a critical role.
A PAW is a hardened and dedicated endpoint used exclusively for sensitive administrative tasks, such as managing Active Directory, Azure AD, or cloud workloads. It is deliberately segregated from everyday usage like web browsing, email, or office applications—common vectors for phishing, malware, and token theft.
On-Premises Environments
In classic on-prem infrastructures, especially those built around Active Directory, PAWs help protect Tier 0 assets such as domain controllers, schema masters, and enterprise admin roles. A single compromised workstation with cached admin credentials can cascade into a full domain compromise. Using PAWs, admins interact with privileged systems from a secure, locked-down context—minimizing lateral movement and pass-the-hash exposure.
Hybrid Environments
Hybrid IT adds complexity by bridging on-prem and cloud identities. Admins often manage both AD and Azure AD from the same device. Without PAWs, this overlap becomes a security liability. A compromised hybrid admin device could leak tokens or credentials to both realms. PAWs create a boundary that upholds Zero Trust principles by ensuring privileged access sessions are initiated from trusted, verifiable endpoints.
Cloud-Only Environments
Even in cloud-native infrastructures, privileged accounts remain prime targets. Azure AD, Microsoft 365, and cloud management portals like Azure Resource Manager (ARM) all grant access to high-impact controls. Compromising a cloud admin’s device often leads directly to data exfiltration or service disruption. Cloud-based attacks like token replay, consent phishing, and session hijacking can be mitigated when administrators operate from PAWs that enforce endpoint compliance, multi-factor authentication, and hardened configurations.
Final Thoughts
Regardless of your infrastructure’s location, privileged access is a risk multiplier—and its exposure must be minimized. Implementing PAWs ensures that administrative access originates from secure, purpose-built devices that reduce attack surface and enforce operational discipline.
Security doesn’t start in the cloud or on the domain—it starts at the keyboard. PAWs make that keyboard resilient.