Privileged Access Workstations (PAW): Implementation Guide for Active Directory Environments

The credential theft problem is architectural. When a domain administrator logs into a server or runs management tools from their daily-use workstation, the following happens:

• The privileged credential (kerberos tickets, NTLM hashes, or plaintext credentials depending on the logon type) is loaded into LSASS memory
• Any malware running on that workstation with SYSTEM or SeDebugPrivilege can extract those credentials
• The extracted credentials provide direct access to every system in the tier that credential covers

The attacker's toolchain for this is mature: Mimikatz can extract credentials from LSASS in seconds. LSASSS dumps can be analyzed offline. Credential Guard mitigates some extraction techniques but not all, and requires both hardware support and correct configuration to be effective.

The general-purpose workstation also has a large software attack surface: web browsers with hundreds of extensions, productivity applications, PDF readers, video conferencing clients, and personal software installed by the user. Each of these applications is a potential initial access vector. An attacker who compromises any of these applications inherits the workstation's credential cache.

The fundamental principle: Privileged credentials should never exist on a machine that is also used for general-purpose computing. The PAW enforces this by providing a dedicated machine that is used exclusively for administrative tasks and has the general-purpose attack surface eliminated at the hardware and policy level.

Microsoft's Enterprise Access Model (successor to the ESAE tiering model) organizes resources into three tiers based on their blast radius if compromised.

Tier 0 -- Control Plane: Active Directory Domain Controllers, Azure AD Connect, AD Federation Services, PKI/CA infrastructure, privileged identity management systems, and PAW management infrastructure. Tier 0 compromise equals full domain compromise. Domain Admin credentials are Tier 0 assets.

Tier 1 -- Management Plane: Enterprise servers (application servers, database servers, cloud management systems). Server administrators, cloud platform administrators, and application owners operate at Tier 1.

Tier 2 -- User Access Plane: User workstations, mobile devices, printers, and other end-user devices. Workstation administrators and helpdesk operate at Tier 2.

PAW implementation scope: A full PAW program provides dedicated workstations for each tier that require privileged access:

• Tier 0 PAW: Used only for Domain Admin-level operations. Physical or hardware-isolated. Never connected to the general corporate network or internet directly.
• Tier 1 PAW: Used for server administration tasks. Less strict than Tier 0 but still isolated from general workstation traffic and internet browsing.
• Tier 2 PAW: Used for workstation management and helpdesk. Many organizations de-prioritize Tier 2 PAWs and instead focus on Tier 0 and Tier 1.

Logical separation enforcement: PAW machines must be in separate Active Directory OUs with Group Policy that prevents privileged accounts from logging into non-PAW machines (User Rights Assignment: "Allow log on locally" restricted to the appropriate admin accounts on the appropriate machine tier). This prevents an attacker who has captured a Domain Admin credential from using it on a general workstation.

A PAW is not simply a standard workstation with extra software. The hardware requirements matter for the security guarantees.

Hardware requirements:

• TPM 2.0: Required for BitLocker with TPM-only protection (no pre-boot PIN requirement eliminates friction for always-on encryption) and for Credential Guard virtualization-based security
• UEFI Secure Boot: Prevents bootkit and rootkit attacks that operate below the OS level
• Virtualization extensions (Intel VT-x or AMD-V): Required for Credential Guard, which uses virtualization-based security (VBS) to isolate LSASS credentials in a hypervisor-protected container
• Dedicated hardware: Do not use shared infrastructure, VMs, or RDP sessions from general workstations as PAWs. A VM running on a compromised hypervisor host provides no isolation. The PAW must be dedicated physical hardware or, in exceptional cases, hardware-isolated using Microsoft's Secured-Core PC profile.

Software configuration:

• Windows 11 Enterprise (current version with all security patches)
• Bitlocker with TPM 2.0 (mandatory for data-at-rest protection)
• Credential Guard enabled (mitigates pass-the-hash and pass-the-ticket against LSASS)
• Windows Defender Application Control (WDAC) policy allowing only signed, approved administrative tools -- no web browsers, no personal applications, no productivity software
• Windows Defender Antivirus with tamper protection enabled
• Attack Surface Reduction (ASR) rules configured
• AppLocker or WDAC to allowlist only required administrative tools

Software explicitly not installed on a PAW:

• No web browser for general internet use (administrative consoles accessed via browser should go through a separate secure browser profile or jump server)
• No email client
• No productivity software (Office, PDF readers)
• No personal or shadow IT applications
• No development tools unless the PAW is specifically for infrastructure-as-code management

PAW Group Policy hardening goes beyond standard CIS benchmark controls. The PAW GPO must enforce isolation and restrict credential exposure.

Critical PAW GPO settings:

User Rights Assignment (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment):

• "Allow log on locally": restrict to PAW-authorized admin accounts and local Administrators only
• "Access this computer from the network": remove standard users; retain only required administrative groups
• "Deny log on locally": explicitly deny Domain Users from logging into PAW machines
• "Deny access to this computer from the network": deny standard user groups

Credential Guard enablement:

• Enable virtualization-based security (requires UEFI Secure Boot and TPM)
• Enable Credential Guard: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security -- set to "Enabled" with Credential Guard Configuration set to "Enabled with UEFI lock"
• "UEFI lock" prevents Credential Guard from being disabled without a UEFI configuration change, which requires physical access

Network isolation:

• Configure Windows Firewall to block all outbound connections except to explicitly allowlisted administrative destinations (domain controllers, management servers, jump servers)
• Block internet access from the PAW network segment at the perimeter firewall level
• Use a separate VLAN for PAW traffic to enforce network segmentation at the switch level

Application control: Deploy Windows Defender Application Control (WDAC) in enforced mode on PAWs. Allow only signed Microsoft binaries and a defined list of administrative tools. WDAC in enforced mode prevents any unsigned or untrusted executable from running, eliminating malware execution even if it reaches the PAW.

Do not attempt to deploy PAWs to all administrators simultaneously. The friction of adoption and the configuration complexity make a phased approach essential.

Phase 1 -- Tier 0 only (months 1-3): Deploy PAWs for the smallest group with the highest blast radius: Domain Admins and accounts with direct management access to domain controllers. This group is typically 5-15 people even in large organizations. Harden the PAW hardware, deploy Credential Guard, and configure the Tier 0 OU with restrictive GPO. Train this group on the operational model: use PAW for all domain controller management, never use Domain Admin credentials from general workstations.

Phase 2 -- Tier 1 (months 4-6): Extend to server administrators and cloud platform administrators. This group is larger and the operational model requires more flexibility (they may need to access multiple management consoles). Jump servers are typically part of the Tier 1 PAW model: administrators use their PAW to connect to a jump server, then from the jump server to managed servers.

Phase 3 -- Tier 2 and workstation admins (months 7-12): Extend to helpdesk and workstation administrators. This is the largest group and often the most resistant to behavior change. The operational impact on helpdesk (no email or browser on their admin machine) requires workflow changes and potentially a Tier 2 PAW model that is less strict than Tier 0.

Common deployment mistakes:

• Using a VM on a general workstation as a "PAW": A VM running on a compromised host provides no credential isolation. The hypervisor controls the VM; malware on the host can read VM memory.
• Allowing internet access from the PAW network: Administrative consoles (Azure Portal, AWS Console, vendor management UIs) accessed via browser on the PAW create a browser attack surface on the most privileged machine in the environment. Route browser-based admin access through a dedicated jump server, not directly from the PAW.
• Not enforcing that privileged credentials are only used from PAWs: A PAW provides no protection if administrators continue to use Domain Admin credentials from their general workstations out of convenience. Enforcement requires GPO user rights assignment and monitoring for privileged account logons from non-PAW machines.
• Skipping Credential Guard due to hardware compatibility: If existing hardware does not support Credential Guard (no TPM 2.0 or no UEFI Secure Boot), budget for new hardware for PAW use rather than deploying PAWs without Credential Guard. PAW without Credential Guard reduces but does not eliminate credential theft risk.