In every business, there are some users who need global administration privileges (and other admin privileges) to conduct work. Sometimes this work is client-facing, other times internal. Usually, these permissions apply to the most privileged IT team members. If these accounts are compromised in any way, it can lead to costly breaches and big trouble for a business.
However, many IT groups struggle to regulate privileged account use in a truly secure capacity. For those looking to implement best-practice security in-depth processes, privileged access workstations (sometimes referred to as secure access workstations) are a valuable tool.
What is a Privileged Access Workstation (PAW)?
A Privileged access workstations (PAW) is a secure workstation (virtual or physical) dedicated to performing unique and sensitive tasks. The main idea behind a PAW is to intentionally segregate work that requires the highest privileges from work that does not. For businesses where IT admins may work in client environments, this is especially important. PAWs are meant to prevent and mitigate credential theft that can expose and harm your business.
PAWs are an extra layer of defense in “least privileged access” – a security strategy that only allows end-users permissions to the unique resources needed for their productivity. By sequestering these privileged access workstations from others that are used on a day-to-day basis, administrators can ensure a strong line of defense against OS and app vulnerabilities, phishing and malware attacks. PAWs should be used on when elevated privilege work needs to be performed.
For modern managed services providers privileged access workstations are separate machines used solely for client administration by our IT administrators. These admins have unique privileges to securely access client environments while keeping others out. The PAWs themselves are typically Virtual Machines (VMs) like Azure Virtual Desktop or Windows 365.
In addition to the PAWs, privileged accounts are separated such that internal elevated accounts are separate and distinct from external facing elevated privilege accounts. Other examples may be separation of elevated accounts by tenant, or by business unit. It is important to denote that best practice when using PAWs is to establish unique privileged access accounts to coincide – separating the machine and the account adds an extra layer of security to keep bad actors from compromising everything in one attack.
Why Use Privileged Access Workstations?
Employee negligence and privilege abuse are massive sources of cyberthreat to businesses. In fact, according to a recent study from the Ponemon Institute, data breaches caused by company insiders are one of the largest security vulnerabilities and also one of the most costly.
The methodology is simple: the more employees that have access to sensitive resources, the greater the likelihood there is of a security incident occurring. By limiting users with a privileged access workstation and privileged access accounts, you’ll limit the amount of login attempts and unwanted clicks that often lead to exposure.
Note that PAWs are only one layer in your defenses. PAWs should be combined with granular delegated admin privileges and role based access controls where ever possible. PAWs are an additional tool – not a stand-alone solution to modern security.
How Privileged Access Workstations are Created
A privileged access station is created through a medium known as privileged access management. Privileged Access Management (PAM) acts as a tool for governance to specific identity settings such as access rights and permissions.
Workstations also contain a local security agent feature which stores representations of the identities able to access resources via the workstation. The local security agent limits the specific identities with access to a privileged access workstation, safeguarding crucial components of privileged identities such as local admin account credentials and antivirus service information.
PAWs should be hardened beyond a normal device. They may have extremely limited internet browsing capabilities (whitelisted sites), block application installs and browser extensions, have some Windows services disabled, and may not retain state.
How to Get Started Deploying Privileged Access Workstations
Deploying PAMs can be tricky, which is why many groups often seek outside counsel when getting started.
First off, you’ll want to make sure you have the correct licensing requirements necessary to launch a privileged access workstation. Often, it will require a Microsoft 365 Enterprise E5 license or a similar SKU.
Then you’ll want to establish profiles for three security levels in your business. This guide from Microsoft allows you to learn about the tiers.
Beyond the basics of licensing and security levels, the rest is all about getting the right configuration established for your business. This often includes Intune, Azure AD, and conditional access configurations. Because every business is unique, your configurations are likely to be as well.
Check out this step-by-step guide from Microsoft addressing privileged access deployment. It will give you the foundation you need to start thinking about how privileged access workstations will function best for you and your business’s purposes.
Contact us to learn more about Privileged Access Workstations
