Privileged Access Workstations (PAWs)

Where your administrators log in matters just as much as how they log in. If a domain administrator checks email, browses the web, and manages Active Directory from the same laptop, a single phishing email or compromised website can give an attacker direct access to the organisation’s most powerful credentials. Privileged Access Workstations — commonly known as PAWs — solve this problem by providing dedicated, hardened devices that are used exclusively for administrative tasks and nothing else.

PAWs are not a luxury reserved for large enterprises. The concept can be adapted for organisations of any size, from a dedicated physical laptop to a locked-down virtual machine. This lesson explains the PAW architecture, why it matters, and how to deploy it in phases without disrupting your team’s productivity.

Why Standard Workstations Are Dangerous for Admin Tasks

A typical corporate workstation is designed for productivity: email, web browsing, document editing, messaging, and dozens of installed applications. Each of these activities introduces potential attack vectors:

• Email — Phishing attacks deliver malware directly to the user’s inbox. If that user is an administrator, the malware inherits their elevated session tokens.
• Web browsing — Drive-by downloads and malicious advertisements can exploit browser vulnerabilities. An admin browsing the web on the same machine used for server management creates a direct path from the internet to your infrastructure.
• Personal applications — Shadow IT applications, personal cloud storage, and browser extensions expand the attack surface significantly.
• Cached credentials — When an administrator logs into a standard workstation, their credentials are often cached locally. An attacker who compromises that workstation can extract those cached credentials and reuse them.

The fundamental problem is that productivity activities and administrative activities have completely different risk profiles but are being performed on the same device. PAWs separate these two worlds.

What a PAW Looks Like

A PAW is a hardened workstation — either physical or virtual — configured with the following characteristics:

• No email client — Administrators do not read email on the PAW.
• No web browsing — Internet access is either completely blocked or restricted to a whitelist of management portals (e.g., Azure Portal, AWS Console).
• No personal applications — Only approved management tools are installed.
• Application whitelisting — Only explicitly approved executables can run. Everything else is blocked by default.
• Full disk encryption — BitLocker or equivalent protects data at rest.
• Separate network segment — The PAW connects to a dedicated management VLAN or network segment, isolated from the general corporate network.
• Multi-factor authentication required — Every login to the PAW requires MFA, typically with a hardware token.
• Enhanced logging — All activity on the PAW is logged and forwarded to the SIEM for monitoring.

The Tiered Administration Model

Microsoft’s recommended approach organises administrative access into three tiers, and PAWs are used at each tier with increasing levels of security:

• Tier 0 — Identity and forest admin — Domain Controllers, Active Directory, Azure AD, PKI. This tier requires the most secure PAWs with the strictest controls. A compromise here affects the entire organisation.
• Tier 1 — Server and application admin — Member servers, databases, middleware, line-of-business applications. PAWs at this tier are hardened but may have slightly broader network access to reach managed servers.
• Tier 2 — Workstation and user admin — Help desk functions, user workstation management, password resets. These PAWs may be virtual machines on the help desk team’s standard workstations, providing a lower-cost entry point.

Phased Deployment Approach

Deploying PAWs does not require purchasing new hardware for every administrator on day one. A practical phased approach looks like this:

• Phase 1 — Virtual PAWs for cloud admin — Create a hardened virtual machine image (Windows with application whitelisting, no email, restricted browsing) that cloud administrators use to access Azure, AWS, or GCP management portals. This can be deployed in days using existing virtualisation infrastructure.
• Phase 2 — Dedicated PAWs for Tier 0 admins — Purchase or repurpose dedicated laptops for your Active Directory, Azure AD, and identity administrators. These devices should be physically separate and never used for general productivity.
• Phase 3 — Extend to Tier 1 server admins — Deploy PAWs (physical or virtual) for server and database administrators. Focus on those managing systems that hold sensitive data.
• Phase 4 — Help desk and Tier 2 — Provide virtual PAW capability for help desk staff performing user administration tasks.

For very small organisations, a practical starting point is simply using a separate browser profile or a dedicated virtual machine for admin tasks — anything that separates administrative activity from email and web browsing on the same session.

Why This Matters

The most devastating breaches in recent years — including SolarWinds, Colonial Pipeline, and numerous ransomware campaigns — involved attackers compromising administrative credentials on standard workstations and using them to move laterally to critical infrastructure. PAWs break this attack chain by ensuring that administrative credentials are only ever used on hardened, isolated devices where the attack surface is minimal. For SMEs, even a basic PAW implementation (a dedicated VM for admin tasks) dramatically reduces the risk of credential theft during routine administrative work. The cost is modest; the risk reduction is substantial.

What to Do Now

• Identify which administrators currently perform admin tasks from their everyday workstations.
• Create a hardened virtual machine image with no email client, restricted web browsing, and only approved management tools.
• Deploy this VM image to your Tier 0 administrators (Active Directory, Azure AD, cloud subscription owners) within 30 days.
• Block admin portals from being accessed on non-PAW devices using Conditional Access policies (Azure AD) or firewall rules.
• Document the PAW policy: which tasks must be performed from a PAW and which can be done from standard workstations.

Evidence to Collect

• Inventory of PAW devices or VMs with assigned administrators.
• Conditional Access policy screenshots showing admin portal access restricted to PAW-compliant devices.
• PAW build document or image configuration showing hardening measures (application whitelisting, disabled services, network restrictions).
• Logs showing admin portal access only originating from PAW IP addresses or device identifiers.
• Policy document defining which administrative tiers require PAW usage.

Common Mistakes

• Allowing email on the PAW — The entire point of a PAW is to eliminate productivity-related attack vectors. The moment you install an email client, you’ve negated the security benefit.
• Not enforcing PAW usage — If administrators can still access admin portals from their standard workstations, they will. You must use Conditional Access policies or network controls to block admin access from non-PAW devices.
• Over-engineering the first phase — Don’t wait for a perfect PAW implementation. A locked-down virtual machine is a meaningful improvement over performing admin tasks from a fully open workstation.
• Forgetting physical security — A PAW that is left unattended in a shared office with no screen lock defeats the purpose. Enforce aggressive screen lock timeouts and require MFA for every unlock.
• Not providing a separate device for productivity — If you take away an admin’s ability to check email on their PAW but don’t provide a second device for daily work, they will find workarounds.

---

Knowledge Check

---