Privileged Access Workstations (PAW): A Mitigation Strategy for Pass-the-Hash, Phishing, Credential Theft Attacks and more

The Windows IT Administrator tends to be the most high-risk user in the organization.

IT Administrators have the potential to perform everyday user tasks with domain admin level accounts; they are most likely to be able to use external media in their PCs freely; and, even when an admin thoughtfully elevates to admin-level permissions only on an as-needed basis, they still expose domain admin password hashes to malware on those high-risk systems, creating an opportunity for credential theft attacks such as “pass-the-hash”.

Introduction to Privileged Access Workstations (PAWs) and the Microsoft Security Tier Model

If you dig into Microsoft’s guidance on mitigating credential theft attacks, they introduce the idea of creating something called a Privileged Access Workstation (PAW) to protect accounts with admin rights. A PAW is a specially hardened workstation designated as the only place from which an admin should be performing administrative tasks.

To get started with implementing a PAW infrastructure, Microsoft first suggests organizing all users and computers into three tiers of trust, with accounts in one tier not permitted to access or execute anything outside their designated tier.

  • Tier 0 is the highest-risk environment, where administration and control of the forest and domain reside. Resources include Domain Controllers and any resources that could be leveraged to gain access to Domain Controllers (such as SCCM and other configuration management applications).
  • Tier 1 includes application servers and database servers. In most organizations this tier is considered just as mission critical as Tier 0, but permissions to Tier 1 and Tier 0 should be segregated so that a malicious user who gains access to Tier 1 cannot elevate to Tier 0 resources and move laterally within the organization.
  • Tier 2 contains the least trusted devices. Accounts used to administer the higher tiers should not be allowed to log in to systems here.
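As an added example (not from the post or from Microsoft's PAW material), a PowerShell check that a Tier 2 workstation can run against its own Security log to spot logons by higher-tier accounts, which is the violation the tier model is meant to prevent. The account-to-tier map and the sample logon records are constructed; in practice the map would be built from your Tier 0 and Tier 1 AD groups.

```powershell
function ConvertFrom-LogonEvent {
    # Flatten a Security event 4624 (successful logon) into the fields the tier check needs
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

function Find-TierViolation {
    # Report logons whose account belongs to a lower-numbered (more trusted) tier than this host.
    # Only logon types that leave the account's credentials cached on the host are relevant:
    # 2 = console, 7 = unlock, 10 = RDP, 11 = cached interactive.
    param([object[]]$Logons, [hashtable]$AccountTier, [int]$HostTier)
    $exposing = 2, 7, 10, 11
    foreach ($l in $Logons) {
        $acct = "$($l.Domain)\$($l.User)"
        if ($exposing -contains $l.LogonType -and $AccountTier.ContainsKey($acct) -and $AccountTier[$acct] -lt $HostTier) {
            [pscustomobject]@{ Time = $l.Time; Account = $acct; AccountTier = $AccountTier[$acct]
                               LogonType = $l.LogonType; Source = $l.Source }
        }
    }
}

# Constructed tier map (hypothetical domain CORP): a Tier 0 DA account, a Tier 1 server admin, a Tier 2 user
$AccountTier = @{ 'CORP\da-alice' = 0; 'CORP\srv-bob' = 1; 'CORP\alice' = 2 }

# Constructed sample: the second record is a Tier 0 account logging on over RDP to this Tier 2 host
$sample = @(
    [pscustomobject]@{ Time = (Get-Date); User = 'alice';    Domain = 'CORP'; LogonType = 2;  Source = '-' }
    [pscustomobject]@{ Time = (Get-Date); User = 'da-alice'; Domain = 'CORP'; LogonType = 10; Source = '10.0.0.5' }
)
Find-TierViolation -Logons $sample -AccountTier $AccountTier -HostTier 2 | Format-Table -AutoSize

# Live use (run elevated on a Tier 2 workstation):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 | ConvertFrom-LogonEvent
# Find-TierViolation -Logons $live -AccountTier $AccountTier -HostTier 2
```

The same function can be pointed at a Tier 1 server with `-HostTier 1` to catch Tier 0 accounts being used on application servers.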

What about Jump Servers?

Many organizations rely on Jump Servers to reach network segments established for administration and groups of application servers. The first question I asked myself when learning about PAWs was, what is the difference between that and a traditional Jump Server?

A Jump Server is an administrative server that users will typically log into via remote desktop (RDP) or a virtual desktop (e.g. VDI or Citrix Server), bridging the gap between separate network segments. From there the user will log into a domain controller with their administrative privileges.

The key difference between a PAW and a Jump Server is the extreme amount of hardening and security controls Microsoft is suggesting within their PAW configuration standard. While a Jump Server is typically hardened, I have yet to see any organization apply the level of controls to a Jump Server that Microsoft has laid out in their PAW configuration.

Key Attributes of Privileged Access Workstations (PAW)

In researching for this post, I found a great article by Brandon Wilson which does an amazing job of distilling Microsoft’s recommendations for configuring a PAW. Here’s a quick summary:

  1. Use Verified Media to Ensure a Clean Build: Brandon suggests downloading a trusted image from two sources and generating a hash of each and comparing them. The Microsoft File Checksum tool can get the job done.
  2. Apply a Hardening Security Baseline from Microsoft Security Compliance Manager (SCM): The “Security Compliance” template lets you implement all of Microsoft’s recommendations with a few clicks.
  3. Enable Secure Boot: You’ll need UEFI enabled.
  4. Impose Software Restrictions using AppLocker: I wrote a solid post on implementing AppLocker. It’s great (both the post and the utility)!
  5. Enable Full Disk Encryption.
  6. Impose Restrictions on USB ports.
  7. Implement Network Isolation via host firewall: This means blocking all incoming connections except what is minimally necessary, at the Windows Firewall level.
  8. Install and configure the Enhanced Mitigation Experience Toolkit (EMET): EMET can stop zero-day exploits by blocking many of the techniques that malicious code relies on.
  9. Use Windows 10: Microsoft really wants all the Windows 7 holdouts to migrate already.
  10. Don’t allow Internet access from a browser.
  11. Install Minimal Software.
  12. Allow Minimal Administrative Accounts: This means no local admin accounts and, preferably, limiting a PAW to a single admin user (i.e. each admin having their own PAW for admin work).
  13. Implement a Hardened OU: Microsoft has published scripts to implement and harden these OUs.
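As an added example (not from the post, Brandon Wilson's article, or Microsoft's PAW scripts), a read-only PowerShell audit of the checklist items above that can be verified on the workstation itself: Secure Boot (3), AppLocker (4), disk encryption (5), USB storage (6), host firewall (7), Windows version (9) and local admin membership (12). Run it elevated on the PAW; `$AllowedAdmins` is a placeholder for the one account meant to administer this PAW.

```powershell
$AllowedAdmins = @('CORP\paw-alice')   # placeholder: the single admin account expected in local Administrators

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-PawBaseline {
    # 3. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS, which also fails the check.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    New-Check 'SecureBoot' $sb "Confirm-SecureBootUEFI=$sb"

    # 5. Full disk encryption: the system drive must be fully encrypted with protection on.
    try { $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive } catch { $bl = $null }
    $blOk = $null -ne $bl -and "$($bl.ProtectionStatus)" -eq 'On' -and "$($bl.VolumeStatus)" -eq 'FullyEncrypted'
    New-Check 'BitLocker' $blOk "$($bl.VolumeStatus)/$($bl.ProtectionStatus)"

    # 6. USB mass storage driver disabled (Start = 4). Removable-storage GPOs are another way to do this.
    $usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    New-Check 'USBStorage' ($usb -eq 4) "USBSTOR Start=$usb"

    # 7. Host firewall: every profile enabled and inbound connections blocked by default.
    $weak = @(Get-NetFirewallProfile | Where-Object {
        "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' })
    New-Check 'Firewall' ($weak.Count -eq 0) ("weak profiles: " + (($weak | ForEach-Object { $_.Name }) -join ', '))

    # 4. AppLocker must be enforcing (not audit-only) for at least executables and scripts.
    try { $rc = (Get-AppLockerPolicy -Effective).RuleCollections } catch { $rc = @() }
    $enforced = @($rc | Where-Object { "$($_.EnforcementMode)" -eq 'Enabled' } |
                 ForEach-Object { "$($_.RuleCollectionType)" })
    New-Check 'AppLocker' (($enforced -contains 'Exe') -and ($enforced -contains 'Script')) "enforced: $($enforced -join ',')"

    # 12. Minimal administrative accounts: any member beyond the allowed list is a finding,
    #     including the built-in MACHINE\Administrator if it has not been removed or disabled.
    $extra = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } |
               Where-Object { $AllowedAdmins -notcontains $_ })
    New-Check 'LocalAdmins' ($extra.Count -eq 0) "unexpected: $($extra -join ', ')"

    # 9. Windows 10 or later.
    $os = Get-CimInstance Win32_OperatingSystem
    New-Check 'WindowsVersion' ([version]$os.Version -ge [version]'10.0') $os.Caption
}

Test-PawBaseline | Format-Table -AutoSize
```

Items 1, 2, 8, 10, 11 and 13 are verified at build time or in the domain (media hashes, SCM baseline, EMET, proxy/browser policy, installed software, the PAW OU) rather than by a local query, so they are outside this script.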

A Deep Dive into Implementing a Microsoft PAW Infrastructure

Microsoft has published an extremely detailed guide for implementing a Privileged Access Workstations infrastructure. Read more about it in the Microsoft article: Privileged Access Workstations.

Additionally, for a shorter, more concise read on PAWs, including tips on which form factor to use (a dedicated laptop, a virtual machine on the desktop, or a VDI approach) and some quick tips on setting up OUs and GPOs to enforce admin login rights, check out Brandon Wilson’s Microsoft Technet blog post on the subject.

Let’s grab coffee!

If you’re in the Atlanta area and would like to grab coffee and talk more about Infrastructure, information security or hacking, shoot me a message on Linkedin or by using the contact link on my homepage.

Leave comments and corrections below!
