Privileged Access Workstations (PAWs)
What are Privileged Access Workstations?
Workstations that are used by individuals with privileged credentials are attractive targets for attackers looking to compromise privileged accounts and escalate permissions to traverse networks undetected. The best practice for protecting privileged user workstations provides a dedicated operating system exclusively for privileged access known as privileged access workstations (PAWs).
Thus, IT and business users are supplied with a dedicated workstation (privileged access workstation) for privileged use. When logging into their PAWs, users access privileged accounts through a privileged access management (PAM) platform that manages all access rights and permissions.
Microsoft, for example, recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.
Software tools that provide privileged access management are essential to managing privileged access through PAWs. PAM solutions, for example encompass password vaults, access controls, privileged access monitoring, behavioral analytics and more. PAM solutions control and secure who gains access to privileged accounts, how long they have access, what they can do with that access.
To maximize protection of privileged accounts, PAW configurations typically require:
- Dedicated systems that are hardened to provide high-security protection for sensitive accounts and tasks
- Built on trusted hardware with clean source media, deployed and monitored for full visibility
- A way to deliver efficient and automated patching of security updates to ensure system security
A PAW provides increased security for IT administrators working with servers and applications that pose a higher risk if compromised. This includes Active Directory and administrative access to databases, web servers, and application servers that contain sensitive data.
The dedicated PAWs or OS cannot be used for web browsing, email, and other risky applications. They should also incorporate app whitelisting. Connections to external Wi-Fi networks or to external USB devices must be avoided. And, PAWs must not accept connections from a non-privileged OS.
To avoid forcing privileged users to use two separate devices, many organizations leverage virtualization technologies (VirtualBox/Hyper-V) that allow a single device such as a laptop to run two isolated operating systems side-by-side. One system is used for daily productivity tasks and the other for privileged access.
What is the difference between a privileged access workstation and a jump server?
Jump servers are servers in the datacenter, while PAWs are dedicated workstations. They are both dedicated to privileged use only, not for general tasks.
A privileged access workstation can be used by an administrator in basically any location, including home, depending on a company’s security policies. A jump server, in contrast, could typically have limitations on how and where it is accessed. Both jump servers and PAWs are exceptional in that they must be hardened, controlled, and closely monitored.
A jump server typically requires connectivity between the endpoint and the server, while a PAW may not require connectivity depending on how it has been deployed.
While most PAWs require a dedicated physical machine, there are organizations that virtualize the dedicated Operating System. In some cases, companies can put two separate Virtual Machines (VMs), each running their own separate OS, on the same hardware.
Does it matter if you choose a PAW or Jump Server?
It depends on your specific needs. There are many organizations that use both a PAW and a jump server together. In these situations, it’s best to assure that administrators access sensitive resources from a dedicated operating system and use a jump server for added security and productivity benefits.