Privileged Access Workstations (PAW): Taking No Chances


What Are Privileged Access Workstations (PAW)?

A privileged access workstation (PAW) is an endpoint security solution for employees with privileged credentials. A PAW provides a specialized operating system for privileged user access. You can use PAWs to prevent attackers from compromising privileged accounts and escalating permissions.

Organizations can provide dedicated PAWs for privileged business and IT users. A privileged access management (PAM) platform manages the access permissions of each user. Users must log into the privileged access workstation through the PAM to access protected accounts. If PAWs are in use, users should access all privileged activities using dedicated operating systems or devices.

The privileged access management platform works together with PAW solutions, providing access controls, password vaults, monitoring, and behavioral analytics. You can leverage a PAM platform to secure and control all access to privileged accounts, including the individuals granted permissions, the duration of access, and the actions allowed.

Related content: Read our guide to endpoint privilege management.

Privileged Access Workstation Features

A PAW is a dedicated hardened system that offers high security for sensitive tasks and accounts. A PAW is used for very sensitive roles. If an attacker breached accounts connected to these roles, this would negatively impact the organization.

PAW configuration features security policies and controls that limit local administrative access and productivity tools. These features make it hard for attackers to breach the PAW device as it blocks typical phishing attacks vectors: web browsing and email. To enable productivity for these users, you should provide separate workstations and accounts for web browsing and productivity applications.

A privileged workstation is hardened and features strict control over applications, device configuration, and credentials. These measures help protect the user from malicious activity. Organizations should encrypt every local disk, and web traffic should be limited to a finite set of permitted destinations.

A PAW has these characteristics:

  • Built on trustworthy hardware with clean source media, monitored and instrumented for complete visibility.
  • Features automated patching of security updates to provide system security.
  • Greater security for IT administrators dealing with high-risks applications and servers. For example, web servers, Active Directory and administrative access to databases, and application servers featuring high-risk data.

Types of Privileged Access Workstation Solutions

There are two main types of PAWs: physical and virtual.

Physical PAW

This type is suitable for companies with very stringent security requirements. It requires users to use a company-provided hardened physical device for administrative tasks.

Physical PAW solutions are based on the assumption of “clean sources”—the organization assumes that a trusted system can be depended on, while an untrusted system cannot. Physical PAWs must prevent access to the Internet, email, or any other content that may violate the clean source principle.

Another aspect of the clean source approach is the use of accounts. An administrator must log in using a privileged account management (PAM) tool but cannot have an administrator account on the PAW workstation itself.

Using a virtual machine (VM) for administrative tasks violates this principle because it relies on the security of the hypervisor and the agent that provides it. The management workstation must be a physical device under the full control of the organization to ensure the source is clean.

Virtual PAW

A physical PAW is the most secure solution but is not often impractical. Having a dedicated workstation for administrative tasks can be difficult to implement, especially when users are working remotely. Some level of Internet access is requested for the PAW to connect to the required administrative resources, and this Internet connection violates the clean source principle.

A virtual PAW is a secured virtual machine used by administrators for privileged access. When performing day-to-day activities like email and Internet access, they will work on their regular device. For administrative access, they will only use the secured VM.

PAW Hardening Best Practices

A PAW is a very important target for attackers and requires additional protection to significantly reduce damage. Here are steps you can take to protect a PAW:

Operating system hardening

  • Use an operating system with all security features enabled
  • Apply security patches and updates promptly
  • Regularly scan for vulnerabilities and malware
  • Wipe a PAW and reimage it every 30 days

Account protection and authentication

  • Never give a PAW user administrative access to the device
  • Users should have a standard user account on the PAW and use a PAM tool to log into sensitive corporate resources
  • Prohibit pass-through authentication to the PAW—users must re-authenticate with every access attempt
  • Make multi-factor authentication (MFA) for access to the PAW
  • Use aggressive session inactivity limits—require users to reconnect after 5 minutes of inactivity and 1 minute of disconnection
  • Never store cached credentials in the PAW
  • Delete all user profiles when logging out of the PAW

Blocking applications

  • Block Internet access on the PAW
  • Pre-install all required management tools on the device
  • Use application allowlist technologies such as Windows Defender Application Control
  • Limit the use of command-line tools like PowerShell, and if they are enabled, perform strict monitoring and auditing

Secure Privileged Access with Hysolate

Privileged Access Workstations provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and other threat vectors. Separating these sensitive tasks and accounts from daily activities that can introduce risk provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.

Hysolate makes PAW practical to adopt at scale, and without degrading the user’s productivity. With Hysolate, a privileged user can keep using a single device, while under the hood everything the user does runs in one of two segregated operating systems running side by side – one for productivity tasks such as email, Internet, etc and another strictly for privileged access, and all in a single seamless familiar Windows environment and without needing to install, manage, or patch another operating system.
Try Hysolate Free for Sensitive Access, or request a Hysolate demo here.