Tier 0
The highest privilege tier in the Active Directory tiered administration model: includes domain controllers, ADCS certificate authorities, and AD synchronization servers; Tier 0 admin work must only be performed from Tier 0 PAWs
Cred Guard
Windows Defender Credential Guard: uses virtualization-based security (VBS) to protect NTLM hashes and Kerberos tickets in a secure enclave, preventing mimikatz-style credential extraction from LSASS
Just-in-time
Just-in-Time (JIT) administration: privileged group memberships granted for a limited time window (1-8 hours) only when needed, using Entra ID PIM or Microsoft Identity Manager; reduces standing privilege exposure
Jump server
An alternative to physical PAWs: a highly hardened jump server accessible only from trusted networks, with session recording; lower cost but single point of compromise vs. distributed PAW model

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The most common path to domain compromise is credential theft from an administrator's general-purpose workstation. When a domain admin opens a phishing email, visits a compromised website, or opens a malicious document on the same machine they use to connect to domain controllers, their privileged credentials are exposed to whatever malware is running in that user context.

A PAW eliminates this risk by complete separation: the admin's privileged credentials are only ever used on a machine with no internet access, no email, no productivity software, and a hardened configuration that prevents credential extraction. The attack surface for privileged credentials is reduced to physical compromise of the PAW itself.

PAW Hardware and OS Configuration

Minimum PAW hardware requirements:
- Dedicated physical machine (NOT a VM: hypervisor escape attacks)
  Exception: Cloud admin PAWs can use cloud VMs if the hypervisor itself is trusted
- TPM 2.0 chip (required for BitLocker with Secure Boot and Credential Guard)
- UEFI with Secure Boot enabled
- Minimum 16GB RAM for running Credential Guard (requires VBS)
- No Bluetooth, no external USB (if possible: use USB restriction via GPO/BIOS)

OS configuration:
- Fresh Windows 11 installation from verified ISO (not restored from image)
- Domain-joined to a dedicated PAW OU (separate from user workstations)
- BitLocker enabled with TPM+PIN (not TPM-only)
- Windows Defender Credential Guard enabled
- Windows Defender Application Guard enabled (if using any browser)

Software allowed on PAW:
✓ Remote Desktop Connection (for accessing managed servers)
✓ Server administration tools (RSAT, AD Users & Computers, etc.)
✓ Privileged management tools (Veeam console, VMware vSphere client)
✓ MFA authenticator app
✓ Certificate management tools

Software NOT allowed on PAW:
✗ Email clients (Outlook, Thunderbird)
✗ Web browsers for general browsing
✗ Microsoft Office / productivity software
✗ Communication tools (Teams, Slack): use on standard workstation
✗ Any software not required for administration

GPO Hardening for PAW

Create a dedicated GPO linked to the PAW OU:

GPO name: PAW-Security-Hardening
Link: PAW OU (not domain root)

--- Network Restrictions ---
Windows Firewall: Outbound connections = Block (whitelist only)
Allowed outbound (whitelist):
  - DC IPs on ports 389, 636, 88, 53, 445, 135
  - Management server IPs on management ports
  - WSUS server for updates
  - NTP server
  - Nothing else

Deny outbound to internet:
  All traffic to 0.0.0.0/0 except whitelisted management IPs

--- Credential Protection ---
Enable Windows Defender Credential Guard:
Computer Configuration > Administrative Templates > System > Device Guard >
"Turn On Virtualization Based Security": Enabled
  Platform Security Level: Secure Boot and DMA Protection
  Credential Guard Configuration: Enabled with UEFI Lock

Enable LSA Protection:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options >
"Network security: Restrict NTLM: NTLM authentication in this domain": Deny All

Registry: Enable RunAsPPL for LSASS:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  RunAsPPL = 1
--- Application Control ---
Enable Windows Defender Application Control (WDAC):
Create a policy that allows ONLY IT-approved applications
Block everything not on the allowlist:
  - Windows system binaries (signed by Microsoft)
  - Admin tools (RSAT, approved vendor tools)
  - Nothing else

This prevents: malware execution, unknown tools, USB drop attacks

--- User Restriction ---
Computer Configuration > Windows Settings > Security Settings >
Local Policies > User Rights Assignment >
"Log on locally": Only PAW-Admins group (not standard users, not Domain Users)
"Deny log on locally": Domain Users, standard workstation users
"Allow log on through Remote Desktop Services": Deny all (no inbound RDP to PAW)

--- USB and Peripheral Control ---
Computer Configuration > Administrative Templates > System > Device Installation >
"Prevent installation of devices not described by other policy settings": Enabled
This blocks unknown USB devices (USB drives, potentially hostile peripherals)
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Network Segmentation for PAW

PAW network requirements:
- PAWs should be on a dedicated network segment (VLAN/subnet)
  Example: 10.0.0.0/24 = PAW network
           10.1.0.0/24 = Domain Controllers
           10.2.0.0/24 = User workstations

Firewall rules for PAW segment:
Allow:
  PAW subnet → DC subnet: AD/Kerberos/LDAP ports (88, 389, 636, 53, 445)
  PAW subnet → Server management subnet: RDP (3389), WinRM (5985), specific admin ports
  PAW subnet → WSUS server: 8530 (Windows Update)
  PAW subnet → Internet: BLOCKED
  PAW subnet → User workstation subnet: BLOCKED

Deny:
  User workstation subnet → PAW subnet: ALL (users cannot reach PAWs)
  Internet → PAW subnet: ALL
  Server subnet → PAW subnet: ALL (servers cannot initiate connections to PAWs)

# The PAW should be able to reach what it manages, nothing else
# Nothing should be able to initiate a connection TO the PAW from a less trusted zone

Domain controller access restriction (only from PAW):

GPO on Domain Controllers: Restrict DC access to PAW IPs only

Computer Configuration > Windows Settings > Security Settings >
Windows Firewall with Advanced Security > Inbound Rules:

New Rule:
  Protocol: TCP
  Local ports: 3389 (RDP), 5985 (WinRM)
  Remote IP: [PAW subnet ONLY, e.g., 10.0.0.0/24]
  Action: Allow

Block all other inbound to these ports:
  Protocol: TCP
  Local ports: 3389, 5985
  Remote IP: Any except PAW subnet
  Action: Block

# DCs should be accessible via RDP/WinRM ONLY from PAW IPs
# Any attempt to RDP to a DC from a user workstation = blocked at firewall

Just-in-Time Privilege and Monitoring

Entra ID Privileged Identity Management (PIM) for JIT admin:

For hybrid environments with Entra ID:

Entra admin center > Identity Governance > Privileged Identity Management >
Azure AD roles > Settings > Global Administrator:
  Activation: Eligible (not Permanent)
  Maximum activation duration: 4 hours
  Require MFA on activation: Yes
  Require justification on activation: Yes
  Require approval: Optional (recommended for Global Admin)

Users eligible for Global Admin can activate for up to 4 hours,
requiring MFA + justification. The activation is logged.
After 4 hours, the elevation expires automatically.

For on-premises AD: Microsoft Identity Manager (MIM) PAM:

# Alternative: time-limited group membership via PowerShell
# (simple JIT without MIM infrastructure)

function Grant-TemporaryGroupMembership {
    param(
        [string]$User,
        [string]$Group,
        [int]$DurationHours = 4
    )
    
    # Add user to privileged group:
    Add-ADGroupMember -Identity $Group -Members $User
    Write-Host "Granted $User membership in $Group for $DurationHours hours"
    
    # Schedule removal (requires Task Scheduler or a scheduled job):
    $removeTime = (Get-Date).AddHours($DurationHours)
    $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' \
        -Argument "-Command Remove-ADGroupMember -Identity '$Group' -Members '$User' -Confirm:\$false"
    $trigger = New-ScheduledTaskTrigger -Once -At $removeTime
    Register-ScheduledTask -TaskName "RemovePriv-$User-$Group" \
        -Action $action -Trigger $trigger -RunLevel Highest
    
    # Log the grant:
    Write-EventLog -LogName Security -Source 'PAW-JIT' \
        -EventId 4728 \
        -Message "JIT: $User added to $Group until $removeTime"
}

# Usage:
Grant-TemporaryGroupMembership -User 'jsmith' -Group 'Domain Admins' -DurationHours 2

Monitor PAW for anomalous activity:

// Alert: privileged account logon from non-PAW IP
// (Domain Admin account logged in from workstation, not PAW subnet)
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624  // Successful logon
| where LogonType in (2, 3, 10)  // Interactive, network, remote
// Check if the source IP is in the PAW subnet:
| extend IsPAWAddress = IpAddress startswith "10.0.0."
// Enrich with group membership for Domain Admins:
| where TargetUserName in ("user1", "user2")  // Domain admin accounts
// Alert on non-PAW source:
| where IsPAWAddress == false
| project TimeGenerated, TargetUserName, IpAddress, LogonType, WorkstationName

The bottom line

A PAW implementation requires three components working together: dedicated hardened hardware (TPM 2.0, Credential Guard enabled, no internet access), GPO enforcing application allowlisting (WDAC), network isolation from user workstations, and user rights restriction (only PAW-Admins can log in locally). Network segmentation enforces that DCs are accessible via RDP/WinRM only from the PAW subnet. Use Entra ID PIM for Just-in-Time privilege activation (4-hour maximum, MFA required, justification logged). Alert on any Domain Admin account authenticating from a non-PAW IP: this is a reliable indicator of credential compromise or policy bypass.

Frequently asked questions

What is a Privileged Access Workstation and why is it required?

A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for administrative tasks: domain admin, cloud admin, and server management operations. It has no internet access, no email, no productivity software, and a GPO-enforced application allowlist. The requirement is that privileged credentials (domain admin, global admin) are never entered on a machine that also browses the internet or opens email: because any malware on that machine can steal those credentials. Without a PAW, a successful phishing attack against an admin's general-purpose workstation gives attackers domain admin credentials.

Can a virtual machine be used as a PAW instead of a physical machine?

A VM can serve as a PAW for cloud administration tasks if the underlying hypervisor is trusted and managed by the security team. For on-premises Active Directory administration, physical PAWs are strongly preferred: a compromised hypervisor host can extract memory from VMs, defeating the credential isolation that PAWs provide. Microsoft's guidance allows cloud-based PAWs (Azure virtual desktops with conditional access and strict policies) for administrative work against cloud resources, but recommends physical hardware for Tier 0 (domain controller) administration.

What security hardening is required on a Privileged Access Workstation?

PAW hardening requirements: no internet browsing (DNS blocked at firewall level or host-based; Chromium/Edge removed from the allowlist); no email client; GPO-enforced application allowlist (WDAC or AppLocker) permitting only approved admin tools; BitLocker full disk encryption with a PIN required at boot; Windows Defender Credential Guard enabled to protect admin credentials in memory; automatic screen lock after 1 minute of inactivity; all USB ports disabled except for keyboard/mouse and security key. PAWs should be joined to a separate OU in Active Directory (or a separate domain for Tier 0) with GPOs that apply hardening independent of production OU policies.

How do I manage a fleet of Privileged Access Workstations at scale?

PAW fleet management at scale: join PAWs to a dedicated Admin OU in Active Directory (or a separate Admin forest for Tier 0) and apply hardening GPOs at the OU level. Use Microsoft Intune or SCCM for OS patching, configuration management, and compliance reporting — do not use production SCCM servers to manage PAWs (an attacker with SCCM admin access could push malicious scripts to PAWs). Use Microsoft Defender for Endpoint to monitor PAWs for any unexpected processes, network connections, or privilege use. Create a separate admin account on each PAW for break-glass local access (in case Entra ID or domain connectivity is unavailable). Conduct quarterly compliance audits: verify each PAW has not had internet browsing software reinstalled and that allowlist policies remain enforced.

What is the difference between a PAW and a jump server?

A jump server (also called a bastion host or jump box) is a single hardened server that admins connect to via RDP or SSH from their regular workstations, then connect onward to managed systems. A PAW is a dedicated workstation that the admin physically sits at to perform administration. Key differences: a jump server does not protect credentials on the admin's workstation — a keylogger on their regular laptop captures every keystroke typed into the jump server RDP session. A PAW protects credentials because the admin's privileged credentials are never entered on a machine that also browses the internet. For highest security: combine both — admins use their PAW to connect to a jump server, which connects to managed systems, providing both endpoint and network isolation.

How do you enforce that domain admin accounts are only ever used from PAW subnet IPs, and alert when they are not?

Enforcement combines a GPO-level firewall restriction on domain controllers with a SIEM detection rule. On the domain controller OU, apply a GPO that blocks inbound RDP (TCP 3389) and WinRM (TCP 5985/5986) from any source except the PAW subnet CIDR (for example 10.0.0.0/24): this makes it technically impossible to RDP directly to a DC from a workstation, even with valid credentials. For alerting, create a Sentinel or Splunk rule that queries Windows Security Event ID 4624 Logon Types 2, 3, and 10 where TargetUserName is a member of Domain Admins and IpAddress does not fall within the PAW subnet range. Populate the domain admin account list in a Sentinel watchlist rather than hardcoding names in the rule so the list stays current as admins are added or removed. This alert should be Priority 1 and page the on-call security team immediately: a domain admin account authenticating from a non-PAW IP is either a PAW policy bypass, a PAW that was stolen or compromised, or active credential theft and abuse.

Sources & references

  1. Microsoft: Privileged Access Workstations
  2. Microsoft: Tiered Administration Model
  3. NSA: Adopting Zero Trust Security Model

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.