How to Set Up Privileged Access Workstations on Windows Server 2012 R2
Privileged Access Workstations (PAWs) are dedicated, hardened workstations used exclusively for administrative tasks, isolating high-privilege credentials from the threats present on general-purpose workstations used for email, web browsing, and productivity applications. The PAW model is a critical defense against credential theft attacks, where administrative credentials compromised during a phishing attack or malware infection can be used to take over an entire domain. This guide covers designing, building, and enforcing a PAW infrastructure for a Windows Server 2012 R2 Active Directory environment.
Why PAWs Are Critical
The fundamental security problem PAWs address is the combination of high-privilege credentials and high-risk activities on the same machine. When a Domain Admin uses their admin account to check email on a standard workstation, their Kerberos ticket and NTLM hash are cached in LSASS memory. Any attacker who compromises that workstation via malicious email or drive-by download can extract those cached credentials and use them to take over every system in the domain. PAWs break this attack chain by creating dedicated machines where only administrative tools run and administrative accounts are used.
PAW Design Principles
A PAW implementation should adhere to the following design principles:
- Clean source principle — All software, configurations, and access to the PAW must come from systems at least as trusted as the PAW itself
- No internet access from PAW — Block all direct internet browsing from admin accounts and PAW machines
- Separate admin accounts — Administrators use one account for PAW/admin tasks, a separate account for normal work
- Restricted admin logon — PAW policies prevent non-admin accounts from logging onto PAWs, and admin accounts are blocked from general workstations
- PAW is never used for email, web browsing, or document reading
Active Directory Structure for PAWs
Create a dedicated OU structure for PAWs and their associated admin accounts:
# Create PAW OU structure
New-ADOrganizationalUnit -Name "PAW" -Path "DC=domain,DC=com"
New-ADOrganizationalUnit -Name "PAWDevices" -Path "OU=PAW,DC=domain,DC=com"
New-ADOrganizationalUnit -Name "PAWUsers" -Path "OU=PAW,DC=domain,DC=com"
# Create Tier model OUs
New-ADOrganizationalUnit -Name "Tier0" -Path "OU=PAW,DC=domain,DC=com" # Domain/Forest/PKI/SIEM admins
New-ADOrganizationalUnit -Name "Tier1" -Path "OU=PAW,DC=domain,DC=com" # Server admins
New-ADOrganizationalUnit -Name "Tier2" -Path "OU=PAW,DC=domain,DC=com" # Workstation admins
Create admin accounts with a naming convention that distinguishes them from regular accounts:
# Create a Tier0 (Domain Admin) account for a user
New-ADUser -Name "jsmith-T0" `
-SamAccountName "jsmith-T0" `
-UserPrincipalName "jsmith-T0@domain.com" `
-Path "OU=Tier0,OU=PAW,DC=domain,DC=com" `
-AccountPassword (Read-Host -AsSecureString "Enter password") `
-Enabled $true `
-Description "Tier 0 Admin Account for John Smith"
# Create a Tier1 (Server Admin) account
New-ADUser -Name "jsmith-T1" `
-SamAccountName "jsmith-T1" `
-UserPrincipalName "jsmith-T1@domain.com" `
-Path "OU=Tier1,OU=PAW,DC=domain,DC=com" `
-AccountPassword (Read-Host -AsSecureString "Enter password") `
-Enabled $true `
-Description "Tier 1 Admin Account for John Smith"
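The OU and account commands above are one-off snippets. The following is an added example, not code from the original guide: it creates one security group per tier (the group names PAW-Tier0-Admins, PAW-Tier1-Admins and PAW-Tier2-Admins are this example's assumption; the guide's GPO section refers to a "PAW-Admins" group without creating it) and wraps account creation in a re-runnable function that links the admin account to the user's day-to-day account and places it in the right tier group. The domain name and OU paths are the ones used throughout this guide.

```powershell
Import-Module ActiveDirectory

# Assumed layout: the OU structure created above; group names PAW-Tier<N>-Admins are this example's
$DomainDN  = "DC=domain,DC=com"
$DnsDomain = "domain.com"
$PawOU     = "OU=PAW,$DomainDN"

function Add-MemberIfMissing {
    # Add-ADGroupMember errors on an existing member, so check first to keep the script re-runnable
    param([string]$Group, [string]$Member)
    $current = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
    if ($current -notcontains $Member) { Add-ADGroupMember -Identity $Group -Members $Member }
}

function New-PawTierGroups {
    # One global security group per tier. The PAW GPO ("Allow log on locally") and the silo
    # grants should refer to these groups rather than to individual accounts.
    foreach ($tier in 0..2) {
        $name = "PAW-Tier$tier-Admins"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                -Path "OU=Tier$tier,$PawOU" -Description "Tier $tier administrative accounts"
        }
    }
}

function New-PawAdminAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $User,                   # day-to-day account, e.g. jsmith
        [Parameter(Mandatory)] [ValidateSet(0, 1, 2)] [int] $Tier,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # The admin account is linked to, but entirely separate from, the user's day-to-day account
    $daily = Get-ADUser -Identity $User -Properties DisplayName -ErrorAction Stop
    $sam   = "$User-T$Tier"
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Verbose "$sam already exists; creation skipped"
    }
    elseif ($PSCmdlet.ShouldProcess($sam, "Create Tier $Tier admin account")) {
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$DnsDomain" `
            -Path "OU=Tier$Tier,$PawOU" `
            -AccountPassword $Password -Enabled $true `
            -Description "Tier $Tier Admin Account for $($daily.DisplayName)" `
            -OtherAttributes @{ info = "Day-to-day account: $($daily.SamAccountName)" }
    }
    else {
        return   # -WhatIf: nothing was created, so there is nothing to add to groups
    }
    # Group membership is handled separately so a re-run repairs a removed membership
    Add-MemberIfMissing -Group "PAW-Tier$Tier-Admins" -Member $sam
    # Only Tier 0 accounts may hold domain-wide rights; Tier 1/2 get rights through their own groups
    if ($Tier -eq 0) { Add-MemberIfMissing -Group "Domain Admins" -Member $sam }
    Get-ADUser -Identity $sam -Properties MemberOf |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName, MemberOf
}

# Usage (-WhatIf shows what would be created without touching AD):
# New-PawTierGroups
# New-PawAdminAccount -User jsmith -Tier 0 -Password (Read-Host -AsSecureString "Password") -WhatIf
```

Creating the groups first matters because every later control (the logon-rights GPO, the silo grants, the monitoring allow-list) should key on group membership; individual account names in a GPO drift out of date the first time an administrator leaves.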
PAW Group Policy Configuration
Create separate GPOs for PAW computers and PAW users. The PAW Computer GPO applies to computers in the PAWDevices OU:
# PAW Computer GPO - Key settings to configure:
# 1. Restrict logon rights - only the tier's PAW admin group (plus local Administrators) can log on
# Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# "Allow log on locally" = PAW-Admins group and Administrators only (remove Users and Backup Operators)
# "Deny log on locally" and "Deny log on through Remote Desktop Services" = lower-tier admin groups
# and service accounts. Do NOT deny "Domain Users": a deny right overrides an allow right, and the
# PAW admin accounts are themselves members of Domain Users
# 2. Block internet access via Windows Firewall
# Set the outbound default action to Block and allow only management targets, DCs and WSUS
# 3. Enable BitLocker
# Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
# 4. Configure AppLocker - allow only signed software from Program Files and the Windows directory,
# in Enforce mode (the Application Identity service must be running or no rule is enforced)
# Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
# 5. Disable USB storage
# Computer Configuration > Administrative Templates > System > Removable Storage Access
# "All Removable Storage classes: Deny all access" = Enabled
# 6. Require screen lock after 5 minutes
# Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
# "Interactive logon: Machine inactivity limit" = 300 seconds
Configure the firewall to block outbound internet access from PAWs while allowing connections to managed servers and DCs:
# Script to configure Windows Firewall outbound rules on a PAW
# Windows Firewall evaluates Block rules before Allow rules, so a single broad Block rule would
# also override the internal Allow rules below. Make Block the default outbound action instead and
# then allow only the internal destinations the PAW needs. Addresses are examples; a WSUS server
# needs its own Allow rule so the PAW can still receive updates.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# Allow DNS (UDP and TCP) to internal DNS servers only
New-NetFirewallRule -DisplayName "PAW Allow DNS UDP" -Direction Outbound -Protocol UDP `
-RemotePort 53 -RemoteAddress "192.168.1.0/24" -Action Allow
New-NetFirewallRule -DisplayName "PAW Allow DNS TCP" -Direction Outbound -Protocol TCP `
-RemotePort 53 -RemoteAddress "192.168.1.0/24" -Action Allow
# Allow RDP to managed servers only
New-NetFirewallRule -DisplayName "PAW Allow RDP to Servers" -Direction Outbound `
-Protocol TCP -RemotePort 3389 -RemoteAddress "192.168.10.0/24" -Action Allow
# Allow WinRM to managed servers
New-NetFirewallRule -DisplayName "PAW Allow WinRM to Servers" -Direction Outbound `
-Protocol TCP -RemotePort @(5985,5986) -RemoteAddress "192.168.10.0/24" -Action Allow
# Allow TCP and UDP to the domain controllers (Kerberos, LDAP, SMB for SYSVOL and GPO, RPC;
# the DC locator uses CLDAP over UDP 389, so UDP must be allowed as well)
New-NetFirewallRule -DisplayName "PAW Allow DC Access TCP" -Direction Outbound `
-Protocol TCP -RemoteAddress "192.168.1.10","192.168.1.11" -Action Allow
New-NetFirewallRule -DisplayName "PAW Allow DC Access UDP" -Direction Outbound `
-Protocol UDP -RemoteAddress "192.168.1.10","192.168.1.11" -Action Allow
# Explicit Block of the Internet address keyword as a backstop: redundant while the default is
# Block, but it stays in force if someone later flips the default outbound action back to Allow
New-NetFirewallRule -DisplayName "PAW Block Internet Outbound" -Direction Outbound `
-Protocol Any -RemoteAddress Internet -Action Block
Preventing Admin Account Use on Non-PAW Workstations
Use Authentication Policy Silos to restrict admin accounts to PAW machines only. Silos need the Windows Server 2012 R2 domain functional level, and both the domain controllers (the KDC side) and the PAWs (the client side) must have the Group Policy settings for claims, compound authentication and Kerberos armoring enabled, because the silo check rides in the armored TGT request. Create the policy and the silo without -Enforce first, which only audits violations in the DC Security log, and enforce once no legitimate logons are being flagged:
# Create an Authentication Policy whose user TGT is only issued when the request comes from a
# device that is itself assigned to the PAW silo; the SDDL condition names the silo. Without
# -UserAllowedToAuthenticateFrom the policy only shortens the TGT lifetime.
New-ADAuthenticationPolicy -Name "PAWAdminPolicy" `
-UserTGTLifetimeMins 240 `
-UserAllowedToAuthenticateFrom 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "PAWSilo"))' `
-Description "Restrict admin TGTs to PAW machines" `
-Enforce
# Create the silo and bind the user policy to it (omit -Enforce on both objects for audit-only mode)
New-ADAuthenticationPolicySilo -Name "PAWSilo" `
-UserAuthenticationPolicy "PAWAdminPolicy" `
-Enforce
# Step 1: permit the admin account and the PAW computer account to be assigned to the silo
Grant-ADAuthenticationPolicySiloAccess -Identity "PAWSilo" -Account "jsmith-T0"
Grant-ADAuthenticationPolicySiloAccess -Identity "PAWSilo" -Account "PAW01$"
# Step 2: actually assign them (granting access alone does not place an account in the silo)
Set-ADUser -Identity "jsmith-T0" -AuthenticationPolicySilo "PAWSilo"
Set-ADComputer -Identity "PAW01" -AuthenticationPolicySilo "PAWSilo"
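The two-step grant-then-assign sequence is where silo deployments most often go wrong: an account that was granted access but never assigned, or a PAW added to the OU but not to the silo, fails silently. The following is an added example, not from the original guide, that reports the enforcement state and those coverage gaps. The silo name, OU paths and tier OU are this guide's; reading the assignment through the msDS-AssignedAuthNPolicySilo attribute and the silo's Members property is this example's choice.

```powershell
Import-Module ActiveDirectory

function Test-PawSiloCoverage {
    # Reports the silo/policy enforcement state and three gaps that silently leave accounts
    # unprotected: admins in the tier OU with no silo, PAWs with no silo (silo members cannot get a
    # TGT from them), and principals granted access to the silo but never actually assigned to it.
    param(
        [string] $Silo     = "PAWSilo",
        [string] $AdminOU  = "OU=Tier0,OU=PAW,DC=domain,DC=com",
        [string] $DeviceOU = "OU=PAWDevices,OU=PAW,DC=domain,DC=com"
    )
    $s = Get-ADAuthenticationPolicySilo -Identity $Silo -Properties Members, Enforce, UserAuthenticationPolicy
    $p = Get-ADAuthenticationPolicy -Identity $s.UserAuthenticationPolicy `
        -Properties Enforce, UserAllowedToAuthenticateFrom, UserTGTLifetimeMins

    $unassignedAdmins = Get-ADUser -Filter * -SearchBase $AdminOU -Properties AuthenticationPolicySilo |
        Where-Object { $_.Enabled -and -not $_.AuthenticationPolicySilo } |
        Select-Object -ExpandProperty SamAccountName
    $unassignedPaws = Get-ADComputer -Filter * -SearchBase $DeviceOU -Properties AuthenticationPolicySilo |
        Where-Object { -not $_.AuthenticationPolicySilo } |
        Select-Object -ExpandProperty Name
    # Grant-ADAuthenticationPolicySiloAccess only permits assignment; until Set-ADUser/Set-ADComputer
    # -AuthenticationPolicySilo has been run the account is still outside the silo
    $grantedNotAssigned = foreach ($dn in @($s.Members)) {
        $o = Get-ADObject -Identity $dn -Properties msDS-AssignedAuthNPolicySilo
        if (-not $o.'msDS-AssignedAuthNPolicySilo') { $o.Name }
    }
    # The policy must bind TGT issuance to this silo, otherwise the silo is just a label
    $boundToSilo = [bool]($p.UserAllowedToAuthenticateFrom -match [regex]::Escape("AuthenticationSilo == `"$Silo`""))

    [pscustomobject]@{
        Silo               = $s.Name
        SiloEnforced       = [bool]$s.Enforce
        PolicyEnforced     = [bool]$p.Enforce
        PolicyBoundToSilo  = $boundToSilo
        UserTGTLifetimeMin = $p.UserTGTLifetimeMins
        UnassignedAdmins   = @($unassignedAdmins)
        UnassignedPaws     = @($unassignedPaws)
        GrantedNotAssigned = @($grantedNotAssigned)
    }
}

# Usage: run after the silo configuration, and again whenever a PAW or an admin account is added
# $r = Test-PawSiloCoverage
# $r
# if (-not ($r.SiloEnforced -and $r.PolicyEnforced -and $r.PolicyBoundToSilo)) {
#     Write-Warning "Silo is in audit mode or not bound to the policy; admin TGTs are not yet restricted to PAWs"
# }
```

SiloEnforced and PolicyEnforced both reading False is the expected state during the audit phase; a silo that has been enforced while PolicyBoundToSilo is False shortens the TGT lifetime but still lets the admin log on from any host.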
Configuring PAW User Restrictions
Admin accounts used on PAWs should also be added to the Protected Users group and carry workstation restrictions (and logon hours where practical). Protected Users membership means the account can no longer authenticate with NTLM, DES or RC4, cannot be delegated, receives a four-hour TGT, and cannot log on with cached credentials, so keep at least one break-glass Domain Admin outside the group and never add service or computer accounts. The LogonWorkstations restriction is checked at interactive logon using the workstation name the client reports; it does not stop network logons from an unlisted host, which is why the silo remains the primary control:
# Add admin accounts to Protected Users. The search base covers every user under OU=PAW, so Tier2
# accounts are included too; narrow it to the Tier0/Tier1 OUs if Tier2 admins still need NTLM
$AdminAccounts = Get-ADUser -Filter * -SearchBase "OU=PAW,DC=domain,DC=com"
Add-ADGroupMember -Identity "Protected Users" -Members $AdminAccounts
# Restrict admin accounts to log on only from PAW computers (comma-separated NetBIOS names).
# userWorkstations is evaluated for interactive logons; the silo is what also stops network logons
Set-ADUser -Identity "jsmith-T0" `
-LogonWorkstations "PAW01,PAW02"
# Require smart card logon; the DC then replaces the account's password hash with a random value
Set-ADUser -Identity "jsmith-T0" `
-SmartcardLogonRequired $true
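Because Protected Users changes how an account authenticates rather than just what it can do, a batch of accounts should be checked before it is added. The following pre-flight check is an added example, not code from the original guide; it uses only standard Active Directory attributes (the DES flag in userAccountControl, msDS-SupportedEncryptionTypes, SPNs and the delegation flag) and the guide's group names.

```powershell
Import-Module ActiveDirectory

function Test-ProtectedUsersReadiness {
    # Returns Ready = $true only when every account can safely join Protected Users and at least
    # one enabled Domain Admin stays outside the group as a break-glass path.
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    $findings = @()

    # 1. Lockout guard: a KDC, time-skew or AES problem must not lock every administrator out
    $protected = Get-ADGroupMember -Identity "Protected Users" -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $spareDAs = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
        Where-Object objectClass -eq 'user' | Get-ADUser |
        Where-Object { $_.Enabled -and $protected -notcontains $_.SamAccountName -and
                       $SamAccountName -notcontains $_.SamAccountName }
    if (@($spareDAs).Count -eq 0) {
        $findings += "No enabled Domain Admin would remain outside Protected Users; create a break-glass account first"
    }

    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties ServicePrincipalName, UserAccountControl,
                 'msDS-SupportedEncryptionTypes', TrustedForDelegation
        # 2. Accounts with SPNs are service accounts; Kerberos-only plus no delegation breaks them
        if (@($u.ServicePrincipalName).Count -gt 0) {
            $findings += "$sam has SPNs; service accounts must not be in Protected Users"
        }
        # 3. DES-only accounts (userAccountControl flag 0x200000) cannot authenticate at all in the group
        if ($u.UserAccountControl -band 0x200000) {
            $findings += "$sam has 'Use Kerberos DES encryption types' set"
        }
        # 4. If msDS-SupportedEncryptionTypes is populated it must include AES128 (0x8) or AES256 (0x10)
        $enc = $u.'msDS-SupportedEncryptionTypes'
        if ($enc -and -not ($enc -band 0x18)) {
            $findings += "$sam does not advertise AES (msDS-SupportedEncryptionTypes=$enc)"
        }
        # 5. Delegation is refused for members; an account relying on it will break silently
        if ($u.TrustedForDelegation) {
            $findings += "$sam is trusted for delegation; that stops working in Protected Users"
        }
    }
    [pscustomobject]@{ Accounts = $SamAccountName; Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Usage: only add the batch when the pre-flight is clean
# $r = Test-ProtectedUsersReadiness -SamAccountName 'jsmith-T0', 'jsmith-T1'
# if ($r.Ready) { Add-ADGroupMember -Identity "Protected Users" -Members $r.Accounts } else { $r.Findings }
```

Finding 1 is the one that matters most on the first run: the natural first candidates for Protected Users are exactly the Domain Admins, and adding all of them at once leaves no account that can still log on if Kerberos breaks.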
PAW Software Build and Maintenance
PAWs should be built from a clean, known-good image and managed strictly:
# On the PAW, after OS install, immediately harden:
# 1. Apply all Windows Updates from the internal WSUS server. The PAW has no internet access and
#    PowerShell 4.0 (Windows Server 2012 R2 / Windows 8.1) has no Install-Module, so pulling a
#    module from the PowerShell Gallery is neither possible nor clean-source. Point the client at
#    WSUS via GPO, then trigger a detection and let the approved updates install
wuauclt.exe /detectnow
# 2. Enable Windows Firewall - all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# 3. Enable BitLocker with TPM, add a recovery password and escrow it in AD so a TPM failure
#    cannot brick the PAW (requires the "Store BitLocker recovery information in AD DS" GPO setting)
Enable-BitLocker -MountPoint C: -EncryptionMethod Aes256 -TpmProtector
$vol = Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $rp.KeyProtectorId
# 4. Disable SMBv1 (common lateral movement protocol) - server side and client side
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
# 5. Configure local admin password (use LAPS for management)
# Install LAPS agent (see Post 36 for LAPS setup)
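A PAW should not be handed over, or admitted to the silo, until each hardening step has actually taken effect, and several of them (AppLocker enforcement, the removable-storage GPO) fail quietly. The following post-build check is an added example, not code from the original guide. It reads the controls from this section back from the live system; the registry values it checks are the ones the two GPO settings write, and the LAPS client-side extension path is this example's assumption.

```powershell
function Test-PawBuild {
    # Each control reports $true on pass; anything else means the PAW is not ready
    $c = [ordered]@{}

    # BitLocker: OS volume fully encrypted, protection on, TPM and recovery password protectors present
    $bl    = Get-BitLockerVolume -MountPoint C:
    $types = $bl.KeyProtector.KeyProtectorType
    $c['BitLockerOn']       = ($bl.ProtectionStatus -eq 'On' -and $bl.VolumeStatus -eq 'FullyEncrypted')
    $c['BitLockerTpmAndRP'] = (($types -contains 'Tpm') -and ($types -contains 'RecoveryPassword'))

    # Firewall: every profile on, outbound default Block, and no enabled outbound Allow rule to "Any"
    $profiles = Get-NetFirewallProfile
    $c['FirewallAllProfiles'] = (@($profiles | Where-Object { -not $_.Enabled }).Count -eq 0)
    $c['OutboundDefaultBlock'] = (@($profiles | Where-Object DefaultOutboundAction -ne 'Block').Count -eq 0)
    $wideOpen = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
    $c['NoOutboundAllowToAny'] = (@($wideOpen).Count -eq 0)

    # SMB1: server protocol off and the client driver (a kernel driver, so WMI rather than Get-Service)
    $c['Smb1ServerOff'] = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $c['Smb1ClientOff'] = (-not $drv -or $drv.StartMode -eq 'Disabled')

    # AppLocker: rules are only enforced while the Application Identity service runs
    $c['AppIdSvcRunning'] = ((Get-Service AppIDSvc).Status -eq 'Running')

    # Removable storage denied (value written by "All Removable Storage classes: Deny all access")
    $rs = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue
    $c['RemovableStorageDenied'] = ($rs.Deny_All -eq 1)

    # Inactivity lock at or under 300 s (value written by "Interactive logon: Machine inactivity limit")
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $c['InactivityLimit'] = ($sys.InactivityTimeoutSecs -gt 0 -and $sys.InactivityTimeoutSecs -le 300)

    # LAPS client-side extension installed (assumed install path of the Microsoft LAPS CSE)
    $c['LapsCseInstalled'] = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

    [pscustomobject]$c
}

$result = Test-PawBuild
$result
$failed = @($result.PSObject.Properties | Where-Object { $_.Value -ne $true } | Select-Object -ExpandProperty Name)
if ($failed.Count -gt 0) {
    Write-Warning "PAW build incomplete ($($failed -join ', ')); do not assign this device to the PAW silo yet"
}
```

Run it elevated on the PAW after the first Group Policy refresh, not immediately after the build script, so that the GPO-delivered settings are part of what is checked.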
Monitoring PAW Usage
Configure auditing to detect admin accounts being used on non-PAW machines. Event 4624 is written on the machine where the logon occurs, so it has to be forwarded (for example with Windows Event Forwarding) from every workstation and server to be useful; on the domain controllers, watch 4768 (Kerberos TGT requested), whose client address should only ever be a PAW, and 4776 (NTLM credential validation), which should never occur for a Protected Users member:
# Monitor logon events for admin accounts from unexpected computers
# Alert on Event 4624 (logon) where the target account is a tiered admin (-T0/-T1/-T2 suffix)
# but the workstation is not a PAW; read the event XML rather than matching on message text
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 | ForEach-Object {
    $d = @{}; foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Workstation = $d.WorkstationName; LogonType = $d.LogonType; SourceIP = $d.IpAddress }
} | Where-Object { $_.User -match '-T[0-2]$' -and $_.Workstation -notmatch '^PAW' } | Format-Table -AutoSize
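The three signals (4624 from a non-PAW host, 4768 from a non-PAW address, any 4776 for a tiered admin) share one parser, so they are best handled by one detection function. The following is an added example, not code from the original guide, run here against constructed sample events so it can be tested offline; the same pipeline takes live events from Get-WinEvent. The account suffixes, PAW host names and the PAW subnet are this example's assumptions.

```powershell
# Assumed naming: tiered admin accounts end in -T0/-T1/-T2, PAW hosts are PAW01/PAW02 and sit in
# the 192.168.50.0/24 VLAN (all assumptions of this example, not from the guide)
$PawHosts  = 'PAW01', 'PAW02'
$PawSubnet = '192.168.50.'

function ConvertFrom-SecurityEventXml {
    # Flattens a Security event's <System> basics and every <Data Name="..."> field into one hashtable
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Xml)
    process {
        $x  = [xml]$Xml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
        $e  = @{ Id = [int]$id; Time = $x.Event.System.TimeCreated.SystemTime }
        foreach ($d in $x.Event.EventData.Data) { $e[$d.Name] = $d.'#text' }
        $e
    }
}

function Find-PawViolations {
    # Emits one finding per event in which a tiered admin account is seen outside a PAW
    param([Parameter(Mandatory, ValueFromPipeline)] [hashtable] $Event)
    process {
        $user = $Event.TargetUserName
        if ($user -notmatch '-T[0-2]$') { return }        # only tiered admin accounts are in scope
        $reason = $null
        switch ($Event.Id) {
            4624 {  # logon on the reporting host; WorkstationName is where the session originates
                $ws = $Event.WorkstationName
                if ($ws -and $ws -ne '-' -and $PawHosts -notcontains $ws.ToUpper()) {
                    $reason = "logon type $($Event.LogonType) from non-PAW host $ws"
                }
            }
            4768 {  # TGT request on the DC; the client address must be a PAW
                $ip = $Event.IpAddress -replace '^::ffff:', ''
                if (-not $ip.StartsWith($PawSubnet)) { $reason = "TGT requested from non-PAW address $ip" }
            }
            4776 {  # NTLM validation: impossible for a Protected Users member, so any hit is misuse or misconfiguration
                $reason = "NTLM authentication attempted from $($Event.Workstation)"
            }
        }
        if ($reason) {
            [pscustomobject]@{ Time = $Event.Time; EventId = $Event.Id; Account = $user; Reason = $reason }
        }
    }
}

# Constructed sample events (not real log data): a bad RDP logon, a clean PAW logon, a TGT from the
# wrong network and an NTLM attempt. Only the first, third and fourth should be reported.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2015-03-02T09:14:07Z"/></System><EventData><Data Name="TargetUserName">jsmith-T0</Data><Data Name="LogonType">10</Data><Data Name="WorkstationName">WKS-FINANCE-07</Data><Data Name="IpAddress">192.168.20.15</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2015-03-02T09:20:41Z"/></System><EventData><Data Name="TargetUserName">jsmith-T0</Data><Data Name="LogonType">2</Data><Data Name="WorkstationName">PAW01</Data><Data Name="IpAddress">-</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID><TimeCreated SystemTime="2015-03-02T09:31:02Z"/></System><EventData><Data Name="TargetUserName">jsmith-T1</Data><Data Name="IpAddress">::ffff:192.168.20.15</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4776</EventID><TimeCreated SystemTime="2015-03-02T09:33:55Z"/></System><EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data Name="TargetUserName">jsmith-T0</Data><Data Name="Workstation">WKS-HR-02</Data><Data Name="Status">0xc000006a</Data></EventData></Event>
'@
)

$SampleEvents | ConvertFrom-SecurityEventXml | Find-PawViolations | Format-Table -AutoSize

# Live use: 4768/4776 come from the domain controllers, 4624 from every host via Windows Event Forwarding
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4768,4776} -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml | Find-PawViolations
```

The 4776 rule deliberately has no host or address condition: once the admin accounts are in Protected Users there is no legitimate NTLM validation for them, so the event itself is the finding, and a failed status such as the 0xc000006a in the sample still shows that something presented the admin's name over NTLM.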
Summary
Privileged Access Workstations provide an architectural defense against credential theft by isolating administrative credentials to purpose-built, heavily hardened machines. The implementation requires: a tiered Active Directory structure, dedicated admin accounts per tier, PAW-specific Group Policy blocking internet and USB access, AppLocker whitelisting only approved administrative tools, Authentication Policy Silos limiting admin ticket use to PAW computers, and the Protected Users group for all admin accounts. While complex to implement, PAWs are one of the highest-impact security controls available in a Windows Server 2012 R2 environment.