As part of the administrative separation between normal users and admin users (Segregation of Duties), a secure host, or “Privileged Access Workstation (PAW)”, must exist to fully separate a standard computer from the specific privileged machine used for domain privileged maintenance. These assets are the main target of any attacker who is looking to compromise the directory, and this is why is so important to secure and protect such assets.
Each of the defined tiers or areas within this model (Admin/Tier0, Servers/Tier1 & Sites/Tier2) will have its own set of Privileged Access Workstation (PAW) for administration; is not permitted to share PAWs between Areas/Tiers. Those assets will be under control of Tier0 administrators. These assets will have a set of restrictions, used to protect the privileged access to the environment. For example, logon restrictions, web surfing or having local administrative privileges.
Using the same workstation for daily work and for administering the environment is not a good idea. By simply having a segregated workstation, we are effectively increasing the security. The following table can give us a rough estimation on how much can we increase the security of our environment.
|Have a separated workstation exclusively for administration||30%|
|Have latest OS on separated workstation||20%|
|Hardening of the OS image||10%|
|Secure boot & encrypt disk||10%|
|Have a separate patching procedure for these assets||10%|
|Reduced attack surface||5%|
Bear in mind that there is no absolute solution. What can be enough for some company might be insufficient for another.
These equipment’s will have a hardened OS implementation and toolsets designed exclusively for secure administration tasks. The access to these equipment’s will be restricted based on the delegated rights of the user and the Tiering definition. In other words, only users with privileged rights granted will be able to logon into these computers.
Jerry Devore, a Microsoft Premier Field Engineer has a nice walkthrough of PAW concept.