How to Implement Privileged Access Workstations for Active Directory Admins

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The most common path to domain compromise is credential theft from an administrator's general-purpose workstation. When a domain admin opens a phishing email, visits a compromised website, or opens a malicious document on the same machine they use to connect to domain controllers, their privileged credentials are exposed to whatever malware is running in that user context.
A PAW eliminates this risk by complete separation: the admin's privileged credentials are only ever used on a machine with no internet access, no email, no productivity software, and a hardened configuration that prevents credential extraction. The attack surface for privileged credentials is reduced to physical compromise of the PAW itself.
PAW Hardware and OS Configuration
Minimum PAW hardware requirements:
- Dedicated physical machine (NOT a VM: hypervisor escape attacks)
Exception: Cloud admin PAWs can use cloud VMs if the hypervisor itself is trusted
- TPM 2.0 chip (required for BitLocker with Secure Boot and Credential Guard)
- UEFI with Secure Boot enabled
- Minimum 16GB RAM for running Credential Guard (requires VBS)
- No Bluetooth, no external USB (if possible: use USB restriction via GPO/BIOS)
OS configuration:
- Fresh Windows 11 installation from verified ISO (not restored from image)
- Domain-joined to a dedicated PAW OU (separate from user workstations)
- BitLocker enabled with TPM+PIN (not TPM-only)
- Windows Defender Credential Guard enabled
- Windows Defender Application Guard enabled (if using any browser)
Software allowed on PAW:
✓ Remote Desktop Connection (for accessing managed servers)
✓ Server administration tools (RSAT, AD Users & Computers, etc.)
✓ Privileged management tools (Veeam console, VMware vSphere client)
✓ MFA authenticator app
✓ Certificate management tools
Software NOT allowed on PAW:
✗ Email clients (Outlook, Thunderbird)
✗ Web browsers for general browsing
✗ Microsoft Office / productivity software
✗ Communication tools (Teams, Slack): use on standard workstation
✗ Any software not required for administration
GPO Hardening for PAW
Create a dedicated GPO linked to the PAW OU:
GPO name: PAW-Security-Hardening
Link: PAW OU (not domain root)
--- Network Restrictions ---
Windows Firewall: Outbound connections = Block (whitelist only)
Allowed outbound (whitelist):
- DC IPs on ports 389, 636, 88, 53, 445, 135
- Management server IPs on management ports
- WSUS server for updates
- NTP server
- Nothing else
Deny outbound to internet:
All traffic to 0.0.0.0/0 except whitelisted management IPs
--- Credential Protection ---
Enable Windows Defender Credential Guard:
Computer Configuration > Administrative Templates > System > Device Guard >
"Turn On Virtualization Based Security": Enabled
Platform Security Level: Secure Boot and DMA Protection
Credential Guard Configuration: Enabled with UEFI Lock
Enable LSA Protection:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options >
"Network security: Restrict NTLM: NTLM authentication in this domain": Deny All
Registry: Enable RunAsPPL for LSASS:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL = 1
--- Application Control ---
Enable Windows Defender Application Control (WDAC):
Create a policy that allows ONLY IT-approved applications
Block everything not on the allowlist:
- Windows system binaries (signed by Microsoft)
- Admin tools (RSAT, approved vendor tools)
- Nothing else
This prevents: malware execution, unknown tools, USB drop attacks
--- User Restriction ---
Computer Configuration > Windows Settings > Security Settings >
Local Policies > User Rights Assignment >
"Log on locally": Only PAW-Admins group (not standard users, not Domain Users)
"Deny log on locally": Domain Users, standard workstation users
"Allow log on through Remote Desktop Services": Deny all (no inbound RDP to PAW)
--- USB and Peripheral Control ---
Computer Configuration > Administrative Templates > System > Device Installation >
"Prevent installation of devices not described by other policy settings": Enabled
This blocks unknown USB devices (USB drives, potentially hostile peripherals)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Network Segmentation for PAW
PAW network requirements:
- PAWs should be on a dedicated network segment (VLAN/subnet)
Example: 10.0.0.0/24 = PAW network
10.1.0.0/24 = Domain Controllers
10.2.0.0/24 = User workstations
Firewall rules for PAW segment:
Allow:
PAW subnet → DC subnet: AD/Kerberos/LDAP ports (88, 389, 636, 53, 445)
PAW subnet → Server management subnet: RDP (3389), WinRM (5985), specific admin ports
PAW subnet → WSUS server: 8530 (Windows Update)
PAW subnet → Internet: BLOCKED
PAW subnet → User workstation subnet: BLOCKED
Deny:
User workstation subnet → PAW subnet: ALL (users cannot reach PAWs)
Internet → PAW subnet: ALL
Server subnet → PAW subnet: ALL (servers cannot initiate connections to PAWs)
# The PAW should be able to reach what it manages, nothing else
# Nothing should be able to initiate a connection TO the PAW from a less trusted zone
Domain controller access restriction (only from PAW):
GPO on Domain Controllers: Restrict DC access to PAW IPs only
Computer Configuration > Windows Settings > Security Settings >
Windows Firewall with Advanced Security > Inbound Rules:
New Rule:
Protocol: TCP
Local ports: 3389 (RDP), 5985 (WinRM)
Remote IP: [PAW subnet ONLY, e.g., 10.0.0.0/24]
Action: Allow
Block all other inbound to these ports:
Protocol: TCP
Local ports: 3389, 5985
Remote IP: Any except PAW subnet
Action: Block
# DCs should be accessible via RDP/WinRM ONLY from PAW IPs
# Any attempt to RDP to a DC from a user workstation = blocked at firewall
Just-in-Time Privilege and Monitoring
Entra ID Privileged Identity Management (PIM) for JIT admin:
For hybrid environments with Entra ID:
Entra admin center > Identity Governance > Privileged Identity Management >
Azure AD roles > Settings > Global Administrator:
Activation: Eligible (not Permanent)
Maximum activation duration: 4 hours
Require MFA on activation: Yes
Require justification on activation: Yes
Require approval: Optional (recommended for Global Admin)
Users eligible for Global Admin can activate for up to 4 hours,
requiring MFA + justification. The activation is logged.
After 4 hours, the elevation expires automatically.
For on-premises AD: Microsoft Identity Manager (MIM) PAM:
# Alternative: time-limited group membership via PowerShell
# (simple JIT without MIM infrastructure)
function Grant-TemporaryGroupMembership {
param(
[string]$User,
[string]$Group,
[int]$DurationHours = 4
)
# Add user to privileged group:
Add-ADGroupMember -Identity $Group -Members $User
Write-Host "Granted $User membership in $Group for $DurationHours hours"
# Schedule removal (requires Task Scheduler or a scheduled job):
$removeTime = (Get-Date).AddHours($DurationHours)
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' \
-Argument "-Command Remove-ADGroupMember -Identity '$Group' -Members '$User' -Confirm:\$false"
$trigger = New-ScheduledTaskTrigger -Once -At $removeTime
Register-ScheduledTask -TaskName "RemovePriv-$User-$Group" \
-Action $action -Trigger $trigger -RunLevel Highest
# Log the grant:
Write-EventLog -LogName Security -Source 'PAW-JIT' \
-EventId 4728 \
-Message "JIT: $User added to $Group until $removeTime"
}
# Usage:
Grant-TemporaryGroupMembership -User 'jsmith' -Group 'Domain Admins' -DurationHours 2
Monitor PAW for anomalous activity:
// Alert: privileged account logon from non-PAW IP
// (Domain Admin account logged in from workstation, not PAW subnet)
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624 // Successful logon
| where LogonType in (2, 3, 10) // Interactive, network, remote
// Check if the source IP is in the PAW subnet:
| extend IsPAWAddress = IpAddress startswith "10.0.0."
// Enrich with group membership for Domain Admins:
| where TargetUserName in ("user1", "user2") // Domain admin accounts
// Alert on non-PAW source:
| where IsPAWAddress == false
| project TimeGenerated, TargetUserName, IpAddress, LogonType, WorkstationName
The bottom line
A PAW implementation requires three components working together: dedicated hardened hardware (TPM 2.0, Credential Guard enabled, no internet access), GPO enforcing application allowlisting (WDAC), network isolation from user workstations, and user rights restriction (only PAW-Admins can log in locally). Network segmentation enforces that DCs are accessible via RDP/WinRM only from the PAW subnet. Use Entra ID PIM for Just-in-Time privilege activation (4-hour maximum, MFA required, justification logged). Alert on any Domain Admin account authenticating from a non-PAW IP: this is a reliable indicator of credential compromise or policy bypass.
Frequently asked questions
What is a Privileged Access Workstation and why is it required?
A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for administrative tasks: domain admin, cloud admin, and server management operations. It has no internet access, no email, no productivity software, and a GPO-enforced application allowlist. The requirement is that privileged credentials (domain admin, global admin) are never entered on a machine that also browses the internet or opens email: because any malware on that machine can steal those credentials. Without a PAW, a successful phishing attack against an admin's general-purpose workstation gives attackers domain admin credentials.
Can a virtual machine be used as a PAW instead of a physical machine?
A VM can serve as a PAW for cloud administration tasks if the underlying hypervisor is trusted and managed by the security team. For on-premises Active Directory administration, physical PAWs are strongly preferred: a compromised hypervisor host can extract memory from VMs, defeating the credential isolation that PAWs provide. Microsoft's guidance allows cloud-based PAWs (Azure virtual desktops with conditional access and strict policies) for administrative work against cloud resources, but recommends physical hardware for Tier 0 (domain controller) administration.
What security hardening is required on a Privileged Access Workstation?
PAW hardening requirements: no internet browsing (DNS blocked at firewall level or host-based; Chromium/Edge removed from the allowlist); no email client; GPO-enforced application allowlist (WDAC or AppLocker) permitting only approved admin tools; BitLocker full disk encryption with a PIN required at boot; Windows Defender Credential Guard enabled to protect admin credentials in memory; automatic screen lock after 1 minute of inactivity; all USB ports disabled except for keyboard/mouse and security key. PAWs should be joined to a separate OU in Active Directory (or a separate domain for Tier 0) with GPOs that apply hardening independent of production OU policies.
How do I manage a fleet of Privileged Access Workstations at scale?
PAW fleet management at scale: join PAWs to a dedicated Admin OU in Active Directory (or a separate Admin forest for Tier 0) and apply hardening GPOs at the OU level. Use Microsoft Intune or SCCM for OS patching, configuration management, and compliance reporting — do not use production SCCM servers to manage PAWs (an attacker with SCCM admin access could push malicious scripts to PAWs). Use Microsoft Defender for Endpoint to monitor PAWs for any unexpected processes, network connections, or privilege use. Create a separate admin account on each PAW for break-glass local access (in case Entra ID or domain connectivity is unavailable). Conduct quarterly compliance audits: verify each PAW has not had internet browsing software reinstalled and that allowlist policies remain enforced.
What is the difference between a PAW and a jump server?
A jump server (also called a bastion host or jump box) is a single hardened server that admins connect to via RDP or SSH from their regular workstations, then connect onward to managed systems. A PAW is a dedicated workstation that the admin physically sits at to perform administration. Key differences: a jump server does not protect credentials on the admin's workstation — a keylogger on their regular laptop captures every keystroke typed into the jump server RDP session. A PAW protects credentials because the admin's privileged credentials are never entered on a machine that also browses the internet. For highest security: combine both — admins use their PAW to connect to a jump server, which connects to managed systems, providing both endpoint and network isolation.
How do you enforce that domain admin accounts are only ever used from PAW subnet IPs, and alert when they are not?
Enforcement combines a GPO-level firewall restriction on domain controllers with a SIEM detection rule. On the domain controller OU, apply a GPO that blocks inbound RDP (TCP 3389) and WinRM (TCP 5985/5986) from any source except the PAW subnet CIDR (for example 10.0.0.0/24): this makes it technically impossible to RDP directly to a DC from a workstation, even with valid credentials. For alerting, create a Sentinel or Splunk rule that queries Windows Security Event ID 4624 Logon Types 2, 3, and 10 where TargetUserName is a member of Domain Admins and IpAddress does not fall within the PAW subnet range. Populate the domain admin account list in a Sentinel watchlist rather than hardcoding names in the rule so the list stays current as admins are added or removed. This alert should be Priority 1 and page the on-call security team immediately: a domain admin account authenticating from a non-PAW IP is either a PAW policy bypass, a PAW that was stolen or compromised, or active credential theft and abuse.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
