How to Set Up Windows Server 2016 Privileged Access Workstation

A Privileged Access Workstation (PAW) is a dedicated, hardened workstation used exclusively for administrative tasks. The PAW concept is a Microsoft best practice for protecting high-value accounts and systems from credential theft and lateral movement. By separating privileged administration from everyday user activity, a PAW dramatically reduces the attack surface for accounts with access to domain controllers, sensitive servers, and critical infrastructure.

Why PAWs Are Critical

Standard workstations used for both browsing and administration expose administrator credentials to drive-by downloads, malicious email attachments, and browser exploits. If an attacker steals an admin’s credentials from their everyday workstation, they gain access to your most sensitive systems. A PAW ensures that administrative credentials are never entered on potentially compromised systems.

PAW Tiers

Microsoft’s tiered administration model classifies accounts and systems into three tiers:

  • Tier 0: Identity infrastructure (domain controllers, Azure AD Connect, AD admin tools).
  • Tier 1: Enterprise servers and applications (member servers, applications).
  • Tier 2: User workstations and devices.

Each tier should have dedicated PAWs and accounts. A Tier 0 admin should use a Tier 0 PAW and should never log in to Tier 1 or Tier 2 systems with their Tier 0 account.

Step 1: Provision a Dedicated PAW

The PAW should be a physical machine (not a VM) or a well-isolated VM with no internet access. Install Windows Server 2016 or Windows 10 Enterprise with only the necessary management tools.

# Windows Server only; on Windows 10 Enterprise install the RSAT optional features with Add-WindowsCapability instead.
Install-WindowsFeature -Name RSAT-ADDS, RSAT-AD-Tools, RSAT-DNS-Server, GPMC, RSAT-DHCP -IncludeManagementTools

Step 2: Enable Windows Defender Credential Guard

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock (2 = enabled without lock)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -Value 1 -Type DWord
# Virtualization-based security, which Credential Guard depends on
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# 3 = require Secure Boot and DMA protection (1 = Secure Boot only); a reboot is needed to apply
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 3 -Type DWord
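Setting the registry values does not by itself prove that Credential Guard started; the firmware and hypervisor prerequisites must also be met. The following verification script is an added example, not part of the original article, and uses the Win32_DeviceGuard CIM class to confirm the state after the reboot (the function name is an assumption):

```powershell
# Added example: verify Credential Guard is actually running on the PAW.
function Test-PawCredentialGuard {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning contains 1 when Credential Guard is running
    # (2 would be HVCI / memory integrity).
    $cgRunning = ($dg.SecurityServicesRunning -contains 1)

    # Cross-check the policy the registry asked for (LsaCfgFlags 1 = enabled with UEFI lock)
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                 -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $cgRunning
        LsaCfgFlags            = $lsaFlags
        Compliant              = ($vbsRunning -and $cgRunning -and ($lsaFlags -eq 1))
    }
}

$status = Test-PawCredentialGuard
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'Credential Guard is not running on this PAW; check UEFI, Secure Boot and VBS prerequisites.'
}
```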

Step 3: Restrict User Logons to the PAW

Prevent non-admins and lower-tier accounts from logging on to the PAW. Configure this via GPO under User Rights Assignment > “Allow log on locally”, restricting it to the PAW Users group only.

Create a dedicated PAW Users security group:

New-ADGroup -Name "PAW-Users-Tier0" -GroupScope Global -GroupCategory Security -Path "OU=PAWGroups,DC=corp,DC=local"

Step 4: Block Internet Access from the PAW

Configure Windows Firewall to block outbound internet traffic on the PAW. Allow only management traffic to specific servers:

# "Internet" is a built-in firewall address keyword; the second rule permits traffic to the Tier 0 domain controllers
New-NetFirewallRule -DisplayName "Block Internet Outbound" -Direction Outbound -RemoteAddress Internet -Action Block
New-NetFirewallRule -DisplayName "Allow DC Management" -Direction Outbound -RemoteAddress "10.0.0.10","10.0.0.11" -Action Allow
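Windows Firewall evaluates explicit Block rules before Allow rules, so a broad "block Internet" rule can override an Allow rule that matches the same traffic. A default-deny outbound profile with narrow Allow rules is more predictable. The script below is an added example, not from the original article; it reuses the DC addresses 10.0.0.10 and 10.0.0.11 from the text, while the 10.0.0.20 management host and the port list are illustrative assumptions:

```powershell
# Added example: default-deny egress for the PAW with explicit allow-lists.
$dcs = @('10.0.0.10', '10.0.0.11')   # Tier 0 domain controllers (from the article)

# Default-deny outbound on every profile; inbound is already blocked by default.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Ports a PAW needs to reach its domain controllers: DNS (53), Kerberos (88),
# RPC endpoint mapper (135) plus the dynamic RPC range, LDAP/LDAPS (389/636),
# SMB (445) for SYSVOL/GPO, global catalog (3268/3269), WinRM over HTTPS (5986).
$tcpPorts = @(53, 88, 135, 389, 445, 636, 3268, 3269, 5986, '49152-65535')
$udpPorts = @(53, 88, 123, 389)

New-NetFirewallRule -DisplayName 'PAW Allow DC TCP' -Direction Outbound -Protocol TCP `
    -RemoteAddress $dcs -RemotePort $tcpPorts -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'PAW Allow DC UDP' -Direction Outbound -Protocol UDP `
    -RemoteAddress $dcs -RemotePort $udpPorts -Action Allow -Profile Domain

# Hypothetical management target reachable only over RDP and WinRM.
New-NetFirewallRule -DisplayName 'PAW Allow Mgmt Host' -Direction Outbound -Protocol TCP `
    -RemoteAddress '10.0.0.20' -RemotePort 3389, 5986 -Action Allow -Profile Domain

# Review the egress the PAW is now permitted, e.g. as change-control evidence.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallAddressFilter |
    Where-Object RemoteAddress -ne 'Any' |
    Select-Object InstanceID, RemoteAddress
```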

Step 5: Enable BitLocker on the PAW

# TPM + PIN protector for pre-boot authentication (prompt for the PIN rather than hard-coding it in production scripts)
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector -Pin (ConvertTo-SecureString "ComplexPIN123" -AsPlainText -Force)
# Add a recovery password and escrow it to Active Directory
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume C:).KeyProtector[-1].KeyProtectorId

Step 6: Restrict Software Installation

Configure AppLocker to allow only authorized admin tools:

# Build publisher rules from the executables already present, then apply the policy (C:\PAW must exist; enforcement needs the Application Identity service running)
Get-AppLockerFileInformation -Directory "C:\Windows", "C:\Program Files", "C:\Program Files (x86)" -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher -User "Everyone" -Xml | Out-File "C:\PAW\AppLockerPolicy.xml"
Set-AppLockerPolicy -XmlPolicy "C:\PAW\AppLockerPolicy.xml"

Step 7: Enable Enhanced Audit Logging

auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
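Two things make these audit categories useful in practice: Process Creation (event 4688) only records the command line if command-line auditing is also enabled, and the Logon audit (event 4624) lets you detect accounts that reach the PAW without being in the PAW group from Step 3. The script below is an added example, not from the original article; it assumes the group name PAW-Users-Tier0 from Step 3, and the function name and 24-hour window are arbitrary choices:

```powershell
# Added example: enable command-line auditing and hunt for logons by accounts
# outside the PAW group.

# 4688 events omit the process command line unless this policy value is set.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

function Get-PawUnexpectedLogons {
    param(
        [string]$PawGroup = 'PAW-Users-Tier0',
        [int]$Hours = 24
    )
    # Accounts permitted on this PAW, expanded through nested groups.
    $allowed = Get-ADGroupMember -Identity $PawGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName

    # 4624 = successful logon. Property offsets for 4624: 5 = TargetUserName,
    # 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Keep interactive (2), network (3) and RDP (10) logons by non-machine
    # accounts outside the PAW group; SYSTEM/service logons (type 5) drop out.
    foreach ($e in $events) {
        $p = $e.Properties
        $user = [string]$p[5].Value
        $type = [int]$p[8].Value
        if ($user -notlike '*$' -and $type -in 2, 3, 10 -and $user -notin $allowed) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = "$($p[6].Value)\$user"
                LogonType = $type
                Source    = $p[18].Value
            }
        }
    }
}

Get-PawUnexpectedLogons | Format-Table -AutoSize
```

Any row this returns is either a policy gap in the "Allow log on locally" assignment or a sign that a lower-tier account has reached the PAW, and is worth an alert.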

Step 8: Configure Just-in-Time (JIT) Administration

Use time-limited group membership for Tier 0 admin accounts. With PowerShell and AD, simulate JIT by using time-to-live group membership (requires Windows Server 2016 functional level):

Add-ADGroupMember -Identity "Domain Admins" -Members "AdminJohnDoe" -MemberTimeToLive (New-TimeSpan -Hours 4)
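The -MemberTimeToLive parameter only works once the Privileged Access Management optional feature is enabled in the forest (a one-way change that needs the Windows Server 2016 forest functional level); once it is, the account's Kerberos TGT lifetime is also capped to the remaining TTL. The script below is an added example, not from the original article: it enables the feature if needed, grants the time-limited membership, and lists which members are expiring. The forest name corp.local matches the DN used in Step 3; the function names are assumptions and the account name is the article's illustrative one.

```powershell
# Added example: enable PAM once, then grant and inspect expiring group membership.
$forest = 'corp.local'
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'

if ($pam.EnabledScopes.Count -eq 0) {
    # One-time, irreversible forest change; requires Enterprise Admins.
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

function Add-PawJitMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Account,
        [int]$Hours = 4
    )
    Add-ADGroupMember -Identity $Group -Members $Account -MemberTimeToLive (New-TimeSpan -Hours $Hours)
}

function Get-PawJitMembers {
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive each expiring entry is returned as
    # "<TTL=<seconds>,CN=...>"; parse those into a table with expiry times.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    MemberDN         = $Matches[2]
                    SecondsRemaining = [int]$Matches[1]
                    ExpiresAt        = (Get-Date).AddSeconds([int]$Matches[1])
                }
            } else {
                [pscustomobject]@{ MemberDN = $_; SecondsRemaining = $null; ExpiresAt = 'permanent' }
            }
        }
}

Add-PawJitMembership -Group 'Domain Admins' -Account 'AdminJohnDoe' -Hours 4
Get-PawJitMembers -Group 'Domain Admins' | Format-Table -AutoSize
```

Any "permanent" row in a Tier 0 group is a standing privilege that the JIT model is meant to eliminate, so the listing doubles as a periodic review.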

Step 9: Disable Lateral Movement Capabilities

# 0 = remote logons by local administrator accounts receive a filtered (non-admin) token, which blocks local-account lateral movement to this host
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0 -Type DWord
# Remove inbound SMB and printer-sharing exposure
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

Summary

A Privileged Access Workstation is a fundamental component of Microsoft’s tiered administration model. By isolating administrative activity to hardened, purpose-built workstations with restricted network access, Credential Guard, BitLocker, AppLocker, and detailed audit logging, organizations can protect their most sensitive accounts from the credential theft attacks that are the primary attack vector in modern enterprise breaches.