Introduction to Privileged Access Workstations (PAW)

A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for performing sensitive administrative tasks. The concept was formalized by Microsoft as part of the Privileged Access strategy to counter the most common attack vectors used by threat actors to compromise administrative accounts — credential theft, pass-the-hash, pass-the-ticket, and browser-based malware. On Windows Server 2022 environments, implementing a PAW is one of the highest-impact security controls you can deploy.

The core principle of a PAW is simple: a privileged account should never be used on a machine that is also used for browsing the web, reading email, or running general productivity applications. Malware on a standard workstation can harvest credentials from memory, intercept authentication tokens, or log keystrokes. A PAW removes that attack surface entirely by ensuring the administrative machine never touches untrusted content.

The PAW Tier Model

Microsoft’s PAW architecture is built around the Tiered Administration Model, which segments administrative access into three layers based on the blast radius of a credential compromise.

Tier 0 covers the most sensitive assets: domain controllers, Azure AD Connect servers, Active Directory Federation Services (AD FS), PKI certificate authorities, and any system that can directly or transitively control every other system in the environment. A Tier 0 PAW is used exclusively for managing Tier 0 assets. Tier 0 accounts must never log into Tier 1 or Tier 2 systems.

Tier 1 covers member servers — application servers, database servers, file servers, and other infrastructure that is not directly part of the identity plane. A Tier 1 PAW is used to manage these servers. Tier 1 accounts must never log into Tier 0 systems or Tier 2 (end user) devices.

Tier 2 covers end-user workstations and devices. Help desk and desktop support staff use Tier 2 PAWs to manage these machines. Tier 2 accounts must not be used on Tier 0 or Tier 1 systems.

The goal of the tier model is containment: even if a Tier 2 account is compromised, the attacker gains no useful privilege on Tier 0 or Tier 1 systems because those accounts are never present on Tier 2 machines.

PAW Hardware Requirements

A PAW should be a dedicated physical machine or a carefully isolated VM. For Tier 0 PAWs, a dedicated physical device is strongly preferred because hypervisor-level attacks can compromise VMs. For Tier 1 and Tier 2, a hardened VM running on a Tier 0 Hyper-V host can be acceptable depending on your threat model.

Recommended hardware specifications for a PAW on Windows Server 2022 or Windows 11:

  • TPM 2.0 chip (required for BitLocker with measured boot)
  • UEFI firmware with Secure Boot enabled
  • At least 8 GB RAM (16 GB preferred)
  • 256 GB SSD with full-disk encryption via BitLocker
  • No optical drives or unnecessary USB ports (use BIOS to disable)
  • Wired network connection — avoid Wi-Fi on Tier 0 PAWs

The BIOS/UEFI should be password-protected and configured to boot only from the internal drive, so that an attacker with physical access cannot boot external media to bypass OS security controls or mount a cold-boot attack.

Building and Configuring a PAW

Start with a clean installation of Windows 11 Enterprise (for admin workstations) or Windows Server 2022 Desktop Experience (if the PAW itself is a server). Join the PAW to a dedicated PAW Organizational Unit in Active Directory — do not place PAWs in the same OU as standard workstations.

Create a dedicated OU structure such as:

Corp
└── Admin
    ├── PAW-Tier0
    ├── PAW-Tier1
    └── PAW-Tier2

Apply Group Policy Objects to each PAW OU that enforce the lockdown settings described in the sections below. Never apply standard workstation GPOs to PAW OUs.
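The OU tree and per-tier GPO linking described above, as an added PowerShell example (not code from the original article). It takes the "Corp" root of the tree to be the domain itself, assumes the RSAT ActiveDirectory and GroupPolicy modules are available, and uses GPO names of its own choosing; it creates the OUs idempotently, links one lockdown GPO per tier, and blocks inheritance so GPOs linked higher up (including any standard workstation baseline) never reach the PAW OUs.

```powershell
# Added example: build OU=Admin/PAW-Tier0..2, link a per-tier lockdown GPO, block inheritance.
# Assumptions: "Corp" in the article's tree is the domain root; GPO names are this example's own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=local
$adminOu  = "OU=Admin,$domainDn"

# Admin container under the domain root (idempotent).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Admin)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Admin" -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

foreach ($tier in 0, 1, 2) {
    $ouName = "PAW-Tier$tier"
    $ouDn   = "OU=$ouName,$adminOu"

    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $adminOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $adminOu -ProtectedFromAccidentalDeletion $true
    }

    # One GPO per tier: Tier 0 settings can be stricter than Tier 2 without conditional logic.
    $gpoName = "PAW-Tier$tier-Lockdown"
    try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $gpoName -Comment "Lockdown baseline for Tier $tier PAWs" }

    # Link the GPO to the tier OU (ignore "already linked" on re-runs).
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

    # Block inheritance so domain- or workstation-level GPOs do not apply to PAWs.
    Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

    Write-Host "Tier $tier: $ouDn linked to $gpoName (inheritance blocked)"
}

# Verify the result: each PAW OU should show exactly its own lockdown GPO and blocked inheritance.
foreach ($tier in 0, 1, 2) {
    Get-GPInheritance -Target "OU=PAW-Tier$tier,$adminOu" |
        Select-Object Path, GpoInheritanceBlocked, @{ n = 'LinkedGpos'; e = { $_.GpoLinks.DisplayName -join ', ' } }
}
```

Blocking inheritance stops ordinary links from above, but GPOs linked with Enforced at the domain or site level still apply; review those before relying on the block, and keep the PAW lockdown GPOs themselves administered only from a Tier 0 PAW.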

Enable BitLocker with TPM+PIN on the PAW drive:

manage-bde -on C: -RecoveryKey E: -TPMAndPIN

Enable Windows Defender Credential Guard via GPO or registry. Credential Guard uses Hyper-V virtualization-based security to isolate the LSASS process and prevent credential extraction by tools such as Mimikatz:

Computer Configuration > Administrative Templates > System > Device Guard
  Turn On Virtualization Based Security: Enabled
    Credential Guard Configuration: Enabled with UEFI lock

Restricting PAW Internet Access

A PAW should have no access to the internet and no access to external email. The most reliable way to enforce this is through a combination of Windows Firewall rules and network-level controls (VLANs or firewall ACLs).

Create outbound Windows Firewall block rules on the PAW GPO that block all outbound traffic except to specific management subnets and domain controllers. Use the following PowerShell to add a blocking outbound rule for all external internet traffic:

New-NetFirewallRule -DisplayName "PAW - Block All Outbound Internet" `
    -Direction Outbound `
    -Action Block `
    -RemoteAddress Internet `
    -Profile Any `
    -Enabled True

Then create explicit allow rules for domain controllers, WSUS servers, and management infrastructure:

New-NetFirewallRule -DisplayName "PAW - Allow DC Communication" `
    -Direction Outbound `
    -Action Allow `
    -RemoteAddress 10.0.1.10,10.0.1.11 `
    -Profile Any `
    -Enabled True

At the network layer, place PAWs on a dedicated VLAN with ACLs that permit only traffic to the management VLAN and block all other destinations. Many organizations also implement a dedicated PAW network segment that routes through a jump server.
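The "block everything except management and DC traffic" policy above, as an added PowerShell example (not code from the original article). It uses a different mechanism from the single block rule shown earlier: Windows Firewall evaluates explicit block rules before allow rules, so a broad block rule cannot be punched through by a later allow rule. The reliable pattern is to set each profile's default outbound action to Block and then add narrow allow rules. The DC, WSUS and management subnet addresses and the port lists are assumptions for this example.

```powershell
# Added example: outbound default-deny on the PAW with narrow allow rules.
# Assumed addresses (replace with your own): DCs 10.0.1.10/10.0.1.11, WSUS 10.0.2.20:8530,
# management subnet 10.0.9.0/24. PAW is assumed to use static addressing (no DHCP rule).
$dcs        = @("10.0.1.10", "10.0.1.11")
$wsus       = "10.0.2.20"
$mgmtSubnet = "10.0.9.0/24"

# 1. Default-deny outbound on every profile. Block rules beat allow rules in Windows
#    Firewall, so a default action (evaluated last) is what lets the allow rules below work.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block -DefaultInboundAction Block

# 2. Core AD protocols to the domain controllers only:
#    DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389/636, SMB 445, kpasswd 464,
#    global catalog 3268/3269, NTP 123 (UDP).
$adPorts = @{
    TCP = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    UDP = @(53, 88, 123, 389, 464)
}
foreach ($proto in $adPorts.Keys) {
    New-NetFirewallRule -DisplayName "PAW - Allow AD ($proto) to DCs" -Direction Outbound -Action Allow `
        -Protocol $proto -RemotePort $adPorts[$proto] -RemoteAddress $dcs -Profile Any | Out-Null
}
# RPC dynamic ports are needed by AD admin tools (e.g. AD Users and Computers, repadmin).
New-NetFirewallRule -DisplayName "PAW - Allow RPC dynamic to DCs" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort "49152-65535" -RemoteAddress $dcs -Profile Any | Out-Null

# 3. Updates only from the internal WSUS server on its HTTP port.
New-NetFirewallRule -DisplayName "PAW - Allow WSUS" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8530 -RemoteAddress $wsus -Profile Any | Out-Null

# 4. Management traffic (RDP, WinRM HTTP/HTTPS, SMB admin shares) to the management subnet only.
New-NetFirewallRule -DisplayName "PAW - Allow management subnet" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 3389, 5985, 5986, 445 -RemoteAddress $mgmtSubnet -Profile Any | Out-Null

# 5. Verify: profile defaults must read Block, and only the PAW allow rules should be present.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, DefaultInboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -DisplayName "PAW - *" |
    Select-Object DisplayName, Profile
```

Deploy this through the PAW GPO rather than by hand so a local change cannot weaken it, and test it on one PAW first: a default-deny profile with an incomplete allow list presents as "the PAW cannot log on", which looks like an AD fault rather than a firewall one.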

Credential Isolation — Separate Accounts for Admin and Daily Use

Every administrator must have at least two accounts: a standard user account for daily tasks (email, web browsing, productivity) and a privileged account for administrative work. These accounts should have no relationship — different passwords, no shared mailbox, no forwarding.

For Tier 0 admins, it is common to have three accounts:

  • jsmith — standard user account for daily work on their regular workstation
  • jsmith-t1 — Tier 1 admin account for managing member servers, used only on a Tier 1 PAW
  • jsmith-t0 — Tier 0 admin account for managing domain controllers, used only on a Tier 0 PAW

The Tier 0 and Tier 1 accounts should be in separate OUs, have no email address, and be subject to fine-grained password policies requiring long, complex passwords. These accounts should also be members of the Protected Users security group, which prevents NTLM authentication, disables credential caching, and forces Kerberos AES encryption:

Add-ADGroupMember -Identity "Protected Users" -Members "jsmith-t0","jsmith-t1"
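Provisioning the three-account pattern end to end, as an added PowerShell example (not code from the original article): it creates the tier accounts for one administrator in tier-specific OUs, marks them "sensitive and cannot be delegated", requires smart-card logon, applies a fine-grained password policy, and adds them to Protected Users. The OU names, group names, and policy values are assumptions for this example.

```powershell
# Added example: create jsmith-t0 / jsmith-t1, apply FGPP, add to Protected Users.
# Assumptions: OU=Tier0-Accounts / OU=Tier1-Accounts under OU=Admin, groups "Tier0 Admins"
# and "Tier1 Admins" already exist; the password policy values are illustrative.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$tiers = @(
    @{ Tier = 0; Ou = "OU=Tier0-Accounts,OU=Admin,$domainDn"; Group = "Tier0 Admins" },
    @{ Tier = 1; Ou = "OU=Tier1-Accounts,OU=Admin,$domainDn"; Group = "Tier1 Admins" }
)

# Fine-grained password policy for admin accounts. A low Precedence value wins over
# the default domain policy and over any FGPP with a higher number.
$fgppName = "PAW-Admin-Accounts"
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgppName'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgppName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
        -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
        -ReversibleEncryptionEnabled $false
}

function New-TierAdminAccount {
    param(
        [Parameter(Mandatory)] [string] $BaseSam,   # the person's daily account name, e.g. jsmith
        [Parameter(Mandatory)] [int]    $Tier,
        [Parameter(Mandatory)] [string] $Ou,
        [Parameter(Mandatory)] [string] $Group
    )
    $sam = "$BaseSam-t$Tier"
    $upn = "$sam@$((Get-ADDomain).DNSRoot)"

    # Initial password from a CSPRNG, never written anywhere. With smart-card logon required,
    # AD randomizes the stored hash anyway, so this value is effectively discarded.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # No -EmailAddress: tier accounts get no mailbox. AccountNotDelegated sets
    # "Account is sensitive and cannot be delegated".
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -Path $Ou `
        -AccountPassword $initial -Enabled $true `
        -Description "Tier $Tier admin account for $BaseSam; PAW use only" `
        -AccountNotDelegated $true `
        -SmartcardLogonRequired $true

    Add-ADGroupMember -Identity $Group -Members $sam
    Add-ADGroupMember -Identity "Protected Users" -Members $sam
    Add-ADFineGrainedPasswordPolicySubject -Identity $fgppName -Subjects $sam
    return $sam
}

foreach ($t in $tiers) {
    $created = New-TierAdminAccount -BaseSam "jsmith" -Tier $t.Tier -Ou $t.Ou -Group $t.Group
    Get-ADUser $created -Properties MemberOf, AccountNotDelegated, SmartcardLogonRequired |
        Select-Object SamAccountName, AccountNotDelegated, SmartcardLogonRequired,
            @{ n = 'ProtectedUser'; e = { $_.MemberOf -match 'CN=Protected Users,' } }
}
```

Protected Users membership also disables NTLM, RC4 and DES for the account and shortens its TGT lifetime to four hours, so confirm every Tier 0 tool the account will use works over Kerberos with AES before enrolling it; keep at least one break-glass account outside Protected Users so that a Kerberos or PKI outage does not lock every administrator out.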

PAW Group Policy Settings

Create a dedicated GPO linked to each PAW OU. The following are the most important settings to configure:

Software Restriction / AppLocker: Restrict software execution to a whitelist of approved applications. Use AppLocker with Executable Rules that only permit code from %PROGRAMFILES%, %WINDIR%, and specific administrative tool paths. Block execution from user profile directories, temp folders, and removable media.

Disable removable storage:

Computer Configuration > Administrative Templates > System > Removable Storage Access
  All Removable Storage classes: Deny all access: Enabled

Disable browser access to the internet: If a browser is installed (for local admin tools), configure it via GPO to block external URLs. Better yet, do not install a general-purpose browser on Tier 0 PAWs.

Enable advanced audit policies:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy
  Logon/Logoff > Audit Logon: Success, Failure
  Logon/Logoff > Audit Special Logon: Success
  Account Logon > Audit Credential Validation: Success, Failure
  Privilege Use > Audit Sensitive Privilege Use: Success, Failure

Restricting Logon Rights

Use User Rights Assignment in Group Policy to tightly control who can log on to the PAW and to prevent admin accounts from being used inappropriately on non-PAW systems.

On the PAW GPO, configure:

  • Allow log on locally: Tier 0 Admins group only (for a Tier 0 PAW)
  • Allow log on through Remote Desktop Services: Empty (no remote desktop to the PAW itself)
  • Deny log on as a batch job: Add Domain Admins, Enterprise Admins, Schema Admins
  • Deny log on as a service: Add Domain Admins, Enterprise Admins
  • Deny log on locally: Add standard user groups to prevent non-admins from using the PAW

On all other systems (DCs, member servers, standard workstations), configure the equivalent deny rules for PAW admin accounts. This creates bidirectional isolation — PAW admin accounts cannot log into standard workstations, and standard accounts cannot log into the PAW.
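The PAW user-rights assignments above, applied with secedit, as an added PowerShell example (not code from the original article). In production these rights live in the PAW GPO; the script is for building the template or hardening a Tier 0 image before it joins the domain. The group names are assumptions for this example. One detail the bullet list above leaves implicit: a deny right overrides an allow right, so the "Deny log on locally" group must be a dedicated standard-user group, never Domain Users, which the tier admins are also members of.

```powershell
# Added example: apply PAW logon rights locally via a secedit template, then verify.
# Assumptions: groups CORP\Tier0 Admins, CORP\Standard Users and the built-in admin groups.
$tier0Admins = @("CORP\Tier0 Admins")
$denyLocal   = @("CORP\Standard Users")      # NOT Domain Users: deny beats allow, admins are members too
$denyBatch   = @("CORP\Domain Admins", "CORP\Enterprise Admins", "CORP\Schema Admins")
$denyService = @("CORP\Domain Admins", "CORP\Enterprise Admins")

function ConvertTo-PrivilegeSid {
    # secedit accepts account names, but "*SID" entries are unambiguous and survive renames.
    # Translate() throws on an unresolvable name, which is the right failure mode here.
    param([string[]] $Accounts)
    ($Accounts | ForEach-Object {
        $sid = (New-Object System.Security.Principal.NTAccount($_)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        "*$($sid.Value)"
    }) -join ","
}

# Local Administrators stays in the allow list so the break-glass local admin can still log on.
$builtinAdmins = "*S-1-5-32-544"

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $builtinAdmins,$(ConvertTo-PrivilegeSid $tier0Admins)
SeRemoteInteractiveLogonRight =
SeDenyBatchLogonRight = $(ConvertTo-PrivilegeSid $denyBatch)
SeDenyServiceLogonRight = $(ConvertTo-PrivilegeSid $denyService)
SeDenyInteractiveLogonRight = $(ConvertTo-PrivilegeSid $denyLocal)
"@
# An empty SeRemoteInteractiveLogonRight removes every holder: no RDP to the PAW itself.

$infPath = Join-Path $env:TEMP "paw-userrights.inf"
$dbPath  = Join-Path $env:TEMP "paw-userrights.sdb"
Set-Content -Path $infPath -Value $inf -Encoding Unicode

secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE; see $env:windir\security\logs\scesrv.log" }

# Verify: export the effective rights and show the logon-related ones.
$verify = Join-Path $env:TEMP "paw-userrights-export.inf"
secedit /export /cfg $verify /areas USER_RIGHTS /quiet
Get-Content $verify | Where-Object { $_ -match '^Se(Deny)?(Interactive|RemoteInteractive|Batch|Service)Logon' }
```

Run it from an account that is in the allow list (or in local Administrators), and have console access to the machine in case a name resolves to the wrong group: a mistaken deny on this right locks out interactive logon for everyone in it.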

MFA for PAW Access

Implement multi-factor authentication for all privileged accounts. On Windows Server 2022, this can be accomplished through:

  • Smart card / YubiKey with AD certificate: Enforce smart card logon via GPO (Interactive logon: Require smart card: Enabled) and issue certificates to admin accounts from your enterprise CA.
  • Windows Hello for Business: Deploy WHfB to the PAW to use biometric or PIN-based authentication backed by a TPM-protected key.
  • Azure AD Conditional Access with hybrid join: If the environment is hybrid, require MFA for all privileged role activations through Azure AD Privileged Identity Management (PIM).

Enforce smart card requirement in GPO:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  Interactive logon: Require smart card: Enabled

Monitoring PAW Usage

All PAW activity should be forwarded to a SIEM or Security Event Log aggregator. Configure Windows Event Forwarding (WEF) on the PAW to push events to a Windows Event Collector server:

winrm quickconfig
wecutil qc

# On the collector:
wecutil cs PAW-Subscription.xml

Key event IDs to monitor from PAWs:

  • 4624 / 4625 — Successful and failed logons
  • 4648 — Logon using explicit credentials (pass-the-hash indicator)
  • 4672 — Special privileges assigned to new logon (admin logon)
  • 4697 — A service was installed on the system (Security log)
  • 7045 — New service installed (System log)
  • 4688 — Process creation (with command line logging enabled)

Enable process command line logging via GPO to capture full command-line arguments in Event ID 4688:

Computer Configuration > Administrative Templates > System > Audit Process Creation
  Include command line in process creation events: Enabled
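Detection logic for the event IDs listed above, as an added PowerShell example (not code from the original article). The function parses the event XML shape that Get-WinEvent's ToXml() returns, so the same code runs over live Security-log events or, as here, over constructed sample events. It flags three conditions: an interactive or RDP logon (4624, logon type 2/10/11) by an account outside the Tier 0 allow list; an explicit-credential logon (4648) against a remote host; and a process creation (4688) from a user-writable path that AppLocker should have blocked. The allow list, host names and sample events are constructed for the example.

```powershell
# Added example: triage PAW Security-log events (4624 / 4648 / 4688).
# The allowed-account list and the sample events below are constructed for this example.
$allowedTier0 = @("jsmith-t0", "adoe-t0")

function Get-EventField {
    # Pull one named <Data> value out of an event's EventData section.
    param([xml] $EventXml, [string] $Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-PawSecurityEvent {
    # Returns an alert string for a suspicious event, or $null when the event is expected.
    param([xml] $EventXml)
    $idNode = $EventXml.Event.System.EventID
    $id = [int] $(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })   # EventID may carry attributes
    switch ($id) {
        4624 {
            $user = Get-EventField $EventXml 'TargetUserName'
            $type = [int] (Get-EventField $EventXml 'LogonType')
            # 2 = console, 10 = RDP, 11 = cached credentials. Skip computer accounts (trailing $).
            if (($type -in @(2, 10, 11)) -and ($user -notin $allowedTier0) -and ($user -notlike '*$')) {
                return "ALERT 4624: logon type $type by '$user' from $(Get-EventField $EventXml 'IpAddress') is not a Tier 0 admin"
            }
        }
        4648 {
            $target = Get-EventField $EventXml 'TargetServerName'
            if ($target -and $target -ne 'localhost') {
                return "ALERT 4648: '$(Get-EventField $EventXml 'SubjectUserName')' used explicit credentials of " +
                       "'$(Get-EventField $EventXml 'TargetUserName')' against $target via $(Get-EventField $EventXml 'ProcessName')"
            }
        }
        4688 {
            $exe = Get-EventField $EventXml 'NewProcessName'
            if ($exe -match '\\Users\\[^\\]+\\|\\Temp\\|\\AppData\\') {
                return "ALERT 4688: process launched from user-writable path: $exe  cmd=$(Get-EventField $EventXml 'CommandLine')"
            }
        }
    }
    return $null
}

# Constructed sample events in the real Security-log XML shape (namespace as emitted by Windows).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>jsmith-t0</Data><Data Name='LogonType'>2</Data><Data Name='IpAddress'>-</Data></EventData></Event>",

    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>helpdesk1</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>10.0.9.44</Data></EventData></Event>",

    "<Event xmlns='$ns'><System><EventID>4648</EventID></System><EventData>" +
    "<Data Name='SubjectUserName'>jsmith-t0</Data><Data Name='TargetUserName'>jsmith-t1</Data>" +
    "<Data Name='TargetServerName'>fs01.corp.local</Data><Data Name='ProcessName'>C:\Windows\System32\runas.exe</Data></EventData></Event>",

    "<Event xmlns='$ns'><System><EventID>4688</EventID></System><EventData>" +
    "<Data Name='SubjectUserName'>jsmith-t0</Data><Data Name='NewProcessName'>C:\Users\jsmith-t0\AppData\Local\Temp\update.exe</Data>" +
    "<Data Name='CommandLine'>update.exe /silent</Data></EventData></Event>"
)

# The first sample (Tier 0 admin at the console) is expected; the other three produce alerts.
$samples | ForEach-Object { Test-PawSecurityEvent ([xml] $_) } | Where-Object { $_ }

# Against a live PAW or the WEF collector, the same function runs over real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648, 4688; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { Test-PawSecurityEvent ([xml] $_.ToXml()) } | Where-Object { $_ }
```

The 4648 rule is deliberately broad: on a PAW, any use of explicit credentials against another host is worth a look, because a Tier 0 admin should never be supplying a different tier's credentials from that machine. The 4688 rule only sees a command line when the "Include command line in process creation events" setting above is enabled.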

PAW Maintenance and Update Strategy

PAWs must be kept up to date, but their update process must be carefully controlled to avoid introducing malicious content through the update channel. Use a dedicated WSUS server or Microsoft Endpoint Configuration Manager (MECM/SCCM) branch that services only PAWs and is administered from a Tier 0 system.

Do not allow PAWs to update directly from Windows Update or the Microsoft Store. Block these via GPO:

Computer Configuration > Administrative Templates > Windows Components > Windows Update
  Configure Automatic Updates: Enabled (Download and notify / use WSUS server)
  Specify intranet Microsoft update service location: http://wsus.corp.local:8530

Schedule monthly PAW health reviews to verify that:

  • BitLocker is active and TPM is functioning (check with manage-bde -status)
  • AppLocker policies are enforced (Get-AppLockerPolicy -Effective)
  • No new local accounts have been created
  • Credential Guard is running (Get-ComputerInfo | Select-Object -Property DeviceGuard*)
  • All security patches are applied (run Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10)

Periodically rebuild PAWs from a known-good image rather than patching indefinitely. A rebuilt PAW from a clean image provides a higher assurance baseline than a machine that has been in service for years with accumulated configuration drift.
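The monthly health review above as a scripted pass/fail check, added here as a PowerShell example (not code from the original article). Each check is an independent script block so one failure does not abort the run, and the script exits non-zero when anything fails so a scheduled task can raise a ticket. The expected local account names, the 45-day patch window and the expectation of an outbound default-deny firewall profile are assumptions for this example; run it elevated on the PAW itself.

```powershell
# Added example: monthly PAW health check. Assumed baseline values are marked below.
$checks = [ordered]@{

    'BitLocker on OS drive with TPM+PIN protector' = {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted') -and
            ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')
    }

    'TPM present, ready and activated' = {
        $tpm = Get-Tpm
        $tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmActivated
    }

    'Credential Guard running' = {
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
        $dg.SecurityServicesRunning -contains 1
    }

    'AppLocker EXE rules enforced and AppIDSvc running' = {
        $exe = (Get-AppLockerPolicy -Effective).RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
        ($null -ne $exe) -and ($exe.EnforcementMode -eq 'Enabled') -and ($exe.Count -gt 0) -and
            ((Get-Service AppIDSvc).Status -eq 'Running')
    }

    'No unexpected local accounts' = {
        # Assumed baseline: the built-ins plus one named break-glass account.
        $expected = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'PAW-BreakGlass')
        $extra = Get-LocalUser | Where-Object { $_.Name -notin $expected }
        if ($extra) { Write-Warning "Unexpected local accounts: $($extra.Name -join ', ')" }
        -not $extra
    }

    'Patched within the last 45 days' = {
        $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
        ($null -ne $latest) -and ($latest.InstalledOn -gt (Get-Date).AddDays(-45))
    }

    'Outbound firewall default-deny on all profiles' = {
        (Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0
    }

    'Secure Boot enabled' = { Confirm-SecureBootUEFI }
}

$results = foreach ($name in $checks.Keys) {
    try   { $ok = [bool] (& $checks[$name]); $note = '' }
    catch { $ok = $false; $note = $_.Exception.Message }   # e.g. Confirm-SecureBootUEFI on a BIOS machine
    [pscustomobject]@{ Check = $name; Result = $(if ($ok) { 'PASS' } else { 'FAIL' }); Detail = $note }
}

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }   # non-zero so a scheduled run can open a ticket
```

Keep the script in the PAW image so it is as trustworthy as the machine it checks, and forward its output alongside the Security log; a PAW whose health check silently stops reporting is itself a finding.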

Summary

Deploying PAWs is one of the most effective defenses against advanced persistent threats targeting Active Directory. By physically and logically isolating administrative credentials from general-purpose computing environments, restricting internet access, enforcing MFA, and implementing tight logon policies, you dramatically reduce the attacker’s ability to harvest credentials even after an initial compromise. On Windows Server 2022, the combination of Credential Guard, BitLocker, AppLocker, and advanced audit policies provides a strong technical foundation for a PAW deployment that meets enterprise security requirements.