8 hours
recommended maximum activation window for just-in-time privileged role access via Azure PIM or AWS IAM Identity Center; standing access must be eliminated for all Tier 0 roles
FIDO2
the only MFA standard that is phishing-resistant for privileged accounts; origin-bound key signatures prevent real-time proxy attacks that defeat TOTP and SMS OTP
0 inbound ports
required for EC2 instances managed via AWS Systems Manager Session Manager; no SSH or RDP port exposure means no bastion host and no SSH key management overhead
CIS Level 2
benchmark profile recommended for PAW OS hardening; Level 1 provides basic controls while Level 2 adds stricter settings appropriate for high-value administrative devices

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The attack path from phishing email to domain admin is well documented and exploited daily. A user receives a credential-harvesting phishing email, opens it on their daily-use laptop where domain admin credentials are cached, malware captures the credentials, and the attacker uses them to access domain controllers or cloud infrastructure directly. The privileged access workstation model exists specifically to break this chain by ensuring administrative credentials never touch the same device that receives email.

Implementing a PAW program does not require purchasing dedicated hardware for every administrator, though that is the ideal architecture. Hardened VMs, cloud-based virtual desktops, and modern tools like AWS Systems Manager Session Manager each provide layers of the PAW model at different cost and complexity points.

PAW architecture: isolation is the core property

The defining security property of a PAW is complete isolation from the networks, applications, and user behaviors that create credential theft opportunities on daily-use endpoints. This means separate network segments with egress restrictions to only administrative destinations, no email clients or general-purpose browsers, application allowlisting that prevents unapproved software from executing, and EDR configured at maximum sensitivity. AWS Systems Manager Session Manager provides a modern implementation of the network isolation principle for cloud infrastructure by routing all EC2 shell access through IAM-authenticated HTTPS rather than inbound SSH ports, eliminating both the attack surface of open ports and the operational overhead of SSH key management and bastion host maintenance.

Network egress restriction is as important as device hardening

A PAW that can browse the general internet is not a PAW — it is a hardened workstation, which provides less isolation than intended. The administrative network segment from which PAW devices reach production systems should restrict outbound connections to specific destinations on specific ports: HTTPS to cloud console domains, RDP or SSH to specific administrative host IP ranges, and DNS to a controlled resolver. No other outbound traffic should be permitted. This restriction means that even if malware executes on the PAW (which the application allowlisting and EDR should prevent), it cannot reach external command-and-control infrastructure through the administrative network.

Replace SSH key management with Session Manager for AWS EC2 access

AWS Systems Manager Session Manager eliminates three PAW-related operational problems simultaneously: it removes the need for inbound SSH ports on EC2 instances (reducing attack surface), eliminates SSH key management (a common source of unauthorized access via leaked or unrevoked keys), and provides built-in session logging to CloudWatch Logs and S3. Configure IAM policies to allow only administrators to start sessions, require MFA as a condition for ssm:StartSession, and restrict sessions to specific instance resource ARNs so each administrator can only reach the instances relevant to their role. The SSM agent is available for Windows and Linux EC2 instances and is preinstalled on Amazon Linux 2.

Authentication: hardware keys and just-in-time access

Phishing-resistant MFA and just-in-time role activation are the authentication controls that close the gaps that network isolation and device hardening leave open. Hardware security keys implementing FIDO2 perform origin-bound authentication that prevents real-time phishing proxy attacks from succeeding even when a user completes an MFA challenge on a spoofed login page, which is the attack vector that defeats authenticator app TOTP codes and SMS OTP. Just-in-time access via Azure PIM or AWS IAM Identity Center eliminates standing privileged role membership so that compromised credentials outside an activation window cannot be used for administrative tasks, limiting the blast radius of any credential theft incident to the duration of the activation window rather than indefinitely.

Require hardware security keys for all privileged account authentication

Enforce FIDO2 hardware security key enrollment as a condition of privileged account provisioning. In Azure AD, configure a conditional access policy requiring hardware security key authentication for any sign-in to privileged roles (Global Administrator, Security Administrator, Privileged Role Administrator, and the cloud workload equivalents). In AWS, configure IAM policies with a Condition key requiring MFA for all sensitive API calls and configure the MFA device to require a hardware TOTP device rather than virtual authenticator. Distribute hardware keys (YubiKey 5 series or equivalent) to each administrator before provisioning the privileged account, and document the key serial number in the identity management system for audit purposes.

Implement just-in-time access for privileged roles rather than standing access

Standing privileged role membership means administrators carry high-privilege credentials at all times, increasing the window of exposure if credentials are compromised. Just-in-time (JIT) access requires administrators to request and receive approval for time-bounded role assignment before performing administrative tasks. In Azure AD, use Privileged Identity Management (PIM) to require MFA-authenticated activation for Global Admin and other privileged roles with a maximum 8-hour activation window. In AWS, use IAM Identity Center permission sets with time-bounded role assumption and require additional MFA verification for production account access. JIT access limits the exposure window for compromised credentials to the maximum activation duration.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

Privileged access workstations address the most common enterprise compromise pattern: credential theft from a general-purpose user endpoint that cached administrative access. The full PAW architecture uses dedicated hardware, a separate administrative network segment, application allowlisting, hardware security keys for MFA, and session recording for audit. For organizations without dedicated hardware budget, hardened VMs and cloud-based virtual desktops in isolated network segments provide the core isolation property at lower cost. AWS Systems Manager Session Manager eliminates the bastion host and SSH key management overhead for cloud infrastructure access. The priority order is: hardware MFA first, network isolation second, device hardening third, session recording fourth.

Frequently asked questions

What is a privileged access workstation and why is it required?

A privileged access workstation (PAW) is a dedicated device or hardened virtual environment used exclusively for administrative tasks such as managing Active Directory, accessing cloud consoles, connecting to production servers, and performing security operations. It is required because administrative credentials used on a daily-use endpoint are at risk from every phishing email, malicious download, and browser exploit that the user encounters. If malware runs on the same machine that caches domain admin credentials, those credentials are stolen. A PAW eliminates this risk by creating a device with no email client, no general web browsing, no user applications, and no connection to the general internet, used only for the specific administrative sessions that require privileged credentials.

What should I harden on a privileged access workstation?

PAW hardening covers these controls: application allowlisting using Windows Defender Application Control or AppLocker so only approved administrative tools can execute, firewall rules restricting outbound connections to only the specific IPs and ports used for administrative tasks, no email client or browser (or a locked-down browser with no extensions that can only reach cloud consoles), EDR with the highest detection sensitivity profile, full disk encryption with pre-boot authentication, CIS Level 2 benchmark applied to the OS, USB port restrictions to block unauthorized device attachment, and no local administrator accounts beyond the required administrative account. The device should have no connection to the general user network segment.

How should I set up a bastion host for secure server access?

A bastion host (jump server) for SSH access to Linux servers should be deployed in a dedicated administrative subnet with no inbound internet access except from approved IP ranges (such as VPN exit nodes or PAW network ranges). Harden the bastion host with CIS Level 2 benchmark, disable password authentication in sshd_config (AllowPasswordAuthentication no), use SSH key authentication only, configure sshd to log all sessions (LogLevel VERBOSE), restrict which users can SSH to the bastion using AllowUsers or AllowGroups, enable fail2ban or equivalent for repeated authentication failures, and disable SSH agent forwarding to prevent credential forwarding attacks. Forward bastion SSH logs to your SIEM for session auditing.

How does AWS Systems Manager Session Manager replace a bastion host?

AWS Systems Manager Session Manager provides shell access to EC2 instances via the AWS console or CLI using IAM-authenticated HTTPS sessions without requiring inbound SSH or RDP ports on the instance or a bastion host. The SSM agent installed on the instance establishes an outbound HTTPS connection to the SSM service. To start a session, a user runs aws ssm start-session with their IAM credentials. IAM policies control which users can start sessions to which instances using resource-level conditions on the ssm:StartSession permission. Session input and output is logged to CloudWatch Logs and S3 for audit. This eliminates SSH key management, bastion maintenance, inbound firewall rules, and bastion host patching overhead.

What MFA method should I require for privileged accounts?

Phishing-resistant MFA using FIDO2 hardware security keys (such as YubiKey or Google Titan) is the required standard for privileged accounts. FIDO2 keys perform origin-bound authentication where the key only signs the challenge if the browser's current URL domain matches the domain registered during enrollment. This prevents real-time phishing attacks where an attacker proxies the authentication flow and captures the OTP in transit: even if the user completes the MFA challenge on a phishing page, the key signature includes the phishing domain and fails verification at the legitimate service. Authenticator app TOTP and SMS OTP are both susceptible to real-time phishing proxy attacks and should not be used for privileged accounts.

How do I implement the PAW model for a small team without dedicated hardware?

For small teams without budget for dedicated PAW hardware, a hardened virtual machine approach provides most of the security benefit: create a separate VM on each administrator's workstation using Hyper-V or VMware, install a minimal OS, apply CIS hardening, restrict network access to only administrative destinations using VM network rules, and use that VM exclusively for administrative sessions. Do not share clipboard or file system between the VM and the host to prevent credential leakage. Alternatively, a cloud-based PAW using a hardened Azure Virtual Desktop or AWS WorkSpaces instance in an isolated network segment provides the administrative isolation without physical hardware requirements. Require VPN connection to an administrative network before connecting to the cloud-based PAW.

How do I record and audit privileged administrative sessions?

Session recording for privileged access can be implemented at several layers. For AWS EC2 access via Session Manager, enable session logging in SSM preferences to write all terminal input and output to CloudWatch Logs and S3 with a KMS-encrypted S3 bucket. For SSH bastion access, deploy a privileged access management (PAM) tool like HashiCorp Boundary or CyberArk that proxies SSH connections and records session video. For Windows RDP access, use Azure Bastion or a PAM tool that records RDP sessions. At minimum, ensure that all privileged authentication events are logged to a SIEM with alerts for failed authentication attempts and sessions outside business hours from unexpected source IPs.

Sources & references

  1. Microsoft Privileged Access Workstation Guidance
  2. NIST SP 800-123 Guide to Server Security
  3. AWS Systems Manager Session Manager
  4. CIS Benchmarks for Workstation Hardening

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.