How to Set Up Privileged Access Workstation (PAW) on Windows Server 2025
A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for performing administrative tasks against sensitive systems such as domain controllers, Active Directory, and critical servers. Unlike a standard workstation that is used for browsing, email, and general productivity, a PAW is locked down to prevent credential theft, lateral movement, and compromise from everyday threats. Windows Server 2025 environments benefit enormously from a PAW strategy because it enforces the principle of least privilege at the hardware and session level, significantly reducing the attack surface available to adversaries who are attempting to escalate privileges or move laterally within your network. This guide walks through designing, deploying, and maintaining a PAW environment integrated with a tiered administrative model in an Active Directory domain running Windows Server 2025.
Prerequisites
- Windows Server 2025 domain controller with Active Directory Domain Services installed
- A dedicated physical or virtual machine to serve as the PAW (physical hardware is strongly preferred for high-security environments)
- Domain Admin or equivalent credentials to create OUs and apply Group Policy
- Windows 11 or Windows 10 LTSC on the PAW workstation (Windows 11 preferred)
- Active Directory Users and Computers (ADUC) and Group Policy Management Console (GPMC) installed on your management station
- PowerShell 5.1 or later with RSAT modules available
- Optionally: a smart card infrastructure or Windows Hello for Business for strong authentication
Step 1: Understand the Tiered Administration Model
The PAW strategy is built on Microsoft’s tiered administration model, which segregates administrative accounts and systems into three tiers to contain the blast radius of a compromise:
- Tier 0: Active Directory, domain controllers, and certificate authorities — the most sensitive systems in the environment.
- Tier 1: Member servers, applications servers, and cloud management planes.
- Tier 2: Workstations, user devices, and helpdesk assets.
A PAW assigned to Tier 0 administration is only used to manage domain controllers and AD. Tier 0 admin credentials must never touch a Tier 1 or Tier 2 device. Each tier may have its own PAW, each configured to allow only the appropriate administrative tools and network connections. This guide focuses on a Tier 0 PAW, but the principles apply at any tier.
Step 2: Create the PAW Organizational Unit Structure in Active Directory
Isolating PAW computer accounts in their own OU allows you to apply hardened Group Policy exclusively to those machines without affecting general workstations.
# Create top-level Admin OU and nested PAW sub-OUs
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
# Create Tier0 Admin OU
New-ADOrganizationalUnit -Name "Admin" -Path $domainDN -ProtectedFromAccidentalDeletion $true
# Create PAW sub-OU under Admin
New-ADOrganizationalUnit -Name "PAW" -Path "OU=Admin,$domainDN" -ProtectedFromAccidentalDeletion $true
# Optionally segment by tier
New-ADOrganizationalUnit -Name "Tier0" -Path "OU=PAW,OU=Admin,$domainDN"
New-ADOrganizationalUnit -Name "Tier1" -Path "OU=PAW,OU=Admin,$domainDN"
New-ADOrganizationalUnit -Name "Tier2" -Path "OU=PAW,OU=Admin,$domainDN"
# Move the PAW computer account into the correct OU
Get-ADComputer -Identity "PAW-T0-01" | Move-ADObject -TargetPath "OU=Tier0,OU=PAW,OU=Admin,$domainDN"
Block inheritance on the Admin OU in GPMC so that domain-wide GPOs written for ordinary user workstations do not apply to your PAWs. Note that domain-level GPO links marked Enforced still apply through blocked inheritance, so review any enforced links before relying on this.
Step 3: Create and Link a Hardened PAW Group Policy Object
Create a dedicated GPO and link it to the PAW OU. The GPO should enforce the following restrictions:
# Create GPO via PowerShell
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName
$gpoDomain = (Get-ADDomain).DNSRoot
$gpoName = "PAW-Tier0-Hardening"
New-GPO -Name $gpoName -Domain $gpoDomain -Comment "Tier 0 PAW hardening policy"
# Link GPO to the Tier0 PAW OU (enforced so lower-level links cannot override it)
New-GPLink -Name $gpoName -Target "OU=Tier0,OU=PAW,OU=Admin,$domainDN" -LinkEnabled Yes -Enforced Yes
In the GPO editor, configure the following key settings under Computer Configuration → Policies → Windows Settings → Security Settings:
- Restrict logon rights: Only Tier 0 admin accounts should appear in “Allow log on locally.” Deny standard users via “Deny log on locally.”
- AppLocker / Windows Defender Application Control: Whitelist only approved administrative tools (PowerShell ISE, ADUC, DNS Manager, GPMC). Block browsers such as Edge and Chrome entirely on Tier 0 PAWs.
- Windows Defender Firewall outbound rules: Block outbound SMB (TCP 445) from the PAW to all destinations except domain controllers and explicitly approved file servers. This prevents the PAW from being used as a pivot for lateral movement.
- No email clients: Remove or block Outlook and webmail access at the firewall level.
- Disable USB storage: Set “All Removable Storage classes: Deny all access” to prevent exfiltration via thumb drives.
Step 4: Enable Credential Guard on the PAW
Credential Guard uses Virtualization-Based Security (VBS) to isolate LSASS credentials in a protected container, preventing Pass-the-Hash and Pass-the-Ticket attacks even if the PAW OS is compromised at the kernel level.
# Check Credential Guard status (SecurityServicesRunning containing 1 means Credential Guard is running)
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object SecurityServicesRunning, VirtualizationBasedSecurityStatus
# Enable Credential Guard via registry (requires reboot)
# This mirrors the GPO: Computer Config → Admin Templates → System → Device Guard
$vbsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $vbsKey -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
Set-ItemProperty -Path $vbsKey -Name "RequirePlatformSecurityFeatures" -Value 3 -Type DWord # Secure Boot + DMA protection
$cgKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $cgKey -Name "LsaCfgFlags" -Value 2 -Type DWord # 2 = enable Credential Guard without UEFI lock (1 = with UEFI lock)
For maximum security, enable Credential Guard with a UEFI lock (LsaCfgFlags = 1 rather than 2) so it cannot be disabled without clearing UEFI variables, preventing attackers who gain OS-level access from turning it off. Configure this via GPO at Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security, selecting "Enabled with UEFI lock" under Credential Guard Configuration.
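Steps 3 and 4 list settings to configure in the GPO editor. As an added example (not code from the original guide), the following PowerShell writes the registry-backed ones into the PAW-Tier0-Hardening GPO with Set-GPRegistryValue and reads them back for verification; the registry paths are the ones the named policy settings write to. The logon-rights and AppLocker settings are not registry-backed and still need the editor or a security template.

```powershell
# Added example: populate the PAW-Tier0-Hardening GPO with the registry-backed settings
# from Steps 3 and 4 so they are enforced centrally instead of being set by hand per PAW.
Import-Module GroupPolicy

$gpoName = "PAW-Tier0-Hardening"

# Policy registry keys that the corresponding GPO settings write to
$dgKey  = "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
$rsdKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

# Step 4: Turn On Virtualization Based Security, Credential Guard "Enabled with UEFI lock"
Set-GPRegistryValue -Name $gpoName -Key $dgKey -ValueName "EnableVirtualizationBasedSecurity" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key $dgKey -ValueName "RequirePlatformSecurityFeatures" -Type DWord -Value 3 # Secure Boot + DMA
Set-GPRegistryValue -Name $gpoName -Key $dgKey -ValueName "LsaCfgFlags" -Type DWord -Value 1 # 1 = with UEFI lock, 2 = without

# Step 3: All Removable Storage classes: Deny all access
Set-GPRegistryValue -Name $gpoName -Key $rsdKey -ValueName "Deny_All" -Type DWord -Value 1

function Test-PawGpoSettings {
    # Read each value back from the GPO and report whether it matches the expected hardening value
    param([string]$Name = "PAW-Tier0-Hardening")
    $expected = @(
        @{ Key = $dgKey;  ValueName = "EnableVirtualizationBasedSecurity"; Value = 1 },
        @{ Key = $dgKey;  ValueName = "RequirePlatformSecurityFeatures";   Value = 3 },
        @{ Key = $dgKey;  ValueName = "LsaCfgFlags";                       Value = 1 },
        @{ Key = $rsdKey; ValueName = "Deny_All";                          Value = 1 }
    )
    foreach ($e in $expected) {
        $actual = (Get-GPRegistryValue -Name $Name -Key $e.Key -ValueName $e.ValueName -ErrorAction SilentlyContinue).Value
        [pscustomobject]@{
            Setting   = $e.ValueName
            Expected  = $e.Value
            Actual    = $actual
            Compliant = ($actual -eq $e.Value)
        }
    }
}

Test-PawGpoSettings | Format-Table -AutoSize
```

Re-run Test-PawGpoSettings as part of the quarterly review so that drift in the GPO is caught rather than assumed absent.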
Step 5: Require Smart Card Logon for Administrative Accounts
Requiring smart card authentication for Tier 0 accounts ensures that even if an admin password is captured via phishing or keylogging, it cannot be used to log on without the physical card.
# Enforce smart card requirement on individual admin accounts
$adminAccounts = @("adm-jsmith-t0","adm-bjones-t0","adm-krogers-t0")
foreach ($account in $adminAccounts) {
    Set-ADUser -Identity $account -SmartcardLogonRequired $true
    Write-Host "Smart card logon required set for: $account"
}
# Verify the setting
Get-ADUser -Identity "adm-jsmith-t0" -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired
Additionally, configure the GPO setting Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Require smart card to Enabled on the PAW GPO to enforce smart card at the machine level as well.
Step 6: Block Lateral Movement — Outbound Firewall Restrictions
A PAW should never be able to initiate RDP connections to other PAWs or to non-server systems. It should only communicate outbound to the specific Tier 0 assets it manages.
# Create outbound firewall rules on the PAW via PowerShell
# Windows Defender Firewall evaluates block rules before allow rules, so an allow rule cannot
# override a block rule. The block rule must therefore exclude the DC subnet itself.
# Block outbound RDP to every 10.x address except the DC subnet (10.10.1.0/24)
New-NetFirewallRule -DisplayName "PAW - Block Outbound RDP to Workstations" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 3389 `
    -RemoteAddress @("10.0.0.0-10.10.0.255", "10.10.2.0-10.255.255.255") `
    -Action Block `
    -Profile Domain
# Allow outbound RDP only to the DC subnet
New-NetFirewallRule -DisplayName "PAW - Allow Outbound RDP to DC Subnet" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 3389 `
    -RemoteAddress "10.10.1.0/24" `
    -Action Allow `
    -Profile Domain
# Block outbound SMB broadly
New-NetFirewallRule -DisplayName "PAW - Block Outbound SMB" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 445 `
    -Action Block `
    -Profile Domain
# Block inbound RDP from non-PAW sources (this rule blocks all inbound RDP; a PAW is used at its console)
New-NetFirewallRule -DisplayName "PAW - Block Inbound RDP from Non-PAW" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3389 `
    -Action Block `
    -Profile Domain
Step 7: Establish an Isolated Update Path
PAWs must be patched, but they should not receive updates via the same WSUS server or Windows Update path as general workstations, as a compromised WSUS server could be used to push malicious payloads. Configure a dedicated WSUS group or use Microsoft Update directly through an authenticated proxy.
# Point PAW to a dedicated WSUS server for PAW-class machines
$wsusServer = "https://wsus-paw.corp.example.com:8531"
$wuKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey = "$wuKey\AU"
# The policy keys do not exist until a policy has been applied; create them if needed
New-Item -Path $auKey -Force | Out-Null
Set-ItemProperty -Path $wuKey -Name "WUServer" -Value $wsusServer -Type String
Set-ItemProperty -Path $wuKey -Name "WUStatusServer" -Value $wsusServer -Type String
Set-ItemProperty -Path $auKey -Name "UseWUServer" -Value 1 -Type DWord
# Verify WSUS configuration
Get-ItemProperty $wuKey | Select-Object WUServer, WUStatusServer
Step 8: Validate and Audit PAW Compliance
Use Windows Event Logs and Advanced Audit Policy to track who is logging onto PAWs, what commands are being run, and whether any policy violations have occurred.
# Enable advanced audit policy for PAW
# Logon/Logoff: Success and Failure
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
# Process Creation (for AppLocker monitoring and PowerShell usage)
auditpol /set /subcategory:"Process Creation" /success:enable
# Review recent PAW logon events (Event ID 4624)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Message |
    Format-List
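Building on the 4624 query above, here is an added example (not code from the original guide) that turns the audit data into a check: it pulls the last day's logon successes and failures off the PAW, parses account, logon type and source address from each event's XML, and flags interactive logons by accounts outside an approved group, any network or RDP logon, and every failure. The group name PAW-Tier0-Users is an assumed placeholder; run it on the PAW itself, where the RSAT AD module is installed.

```powershell
# Added example: triage PAW logon events from the Security log.
# Assumes a group "PAW-Tier0-Users" (hypothetical name) holds the only accounts allowed on Tier 0 PAWs.
Import-Module ActiveDirectory

function Get-PawLogonRecord {
    # Pull 4624 (success) and 4625 (failure) events and extract the fields worth checking
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $d['TargetUserName']
            LogonType = [int]$d['LogonType']
            Source    = $d['IpAddress']
        }
    }
}

function Test-PawLogon {
    # Flag anything that should not happen on a Tier 0 PAW:
    # - an interactive-style logon (2, 7, 10, 11) by an account outside the approved group
    # - a network (3) or RDP (10) logon: a PAW is used at its console, not reached remotely
    # - any failed logon (4625), which on a PAW is always worth a look
    param([Parameter(ValueFromPipeline)]$Record, [string[]]$Approved)
    process {
        $interactive = 2, 7, 10, 11
        $reasons = @()
        if ($Record.EventId -eq 4625) { $reasons += 'failed logon' }
        if ($Record.EventId -eq 4624 -and $Record.LogonType -in $interactive -and $Approved -notcontains $Record.User) {
            $reasons += 'account not in approved group'
        }
        if ($Record.LogonType -in 3, 10) { $reasons += "remote logon type $($Record.LogonType)" }
        if ($reasons) { $Record | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru }
    }
}

$approved = (Get-ADGroupMember -Identity 'PAW-Tier0-Users' -Recursive).SamAccountName
Get-PawLogonRecord -Hours 24 | Test-PawLogon -Approved $approved | Format-Table -AutoSize
```

An empty result is the expected state; every row it does return is either a policy violation on the PAW or an audit gap in the approved group and should be followed up.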
Conclusion
Implementing a Privileged Access Workstation strategy on Windows Server 2025 is one of the highest-impact security controls available to enterprise administrators. By isolating administrative tasks to dedicated, hardened machines — separated from everyday user activity, email, and general browsing — you dramatically reduce the risk of credential theft and lateral movement by adversaries. The combination of dedicated Active Directory OUs, enforced Group Policy, Credential Guard, smart card authentication, and tight outbound firewall rules creates multiple overlapping defensive layers. Integrated with the tiered administration model, a properly configured PAW environment makes it exceptionally difficult for attackers to escalate from a compromised workstation all the way to domain administrator. Treat PAW deployment as a foundational investment in your Active Directory security posture, and review and re-audit the configuration quarterly to ensure ongoing compliance.