A Privileged Access Workstation (PAW) is a dedicated computing setup designed specifically for tasks that require heightened security. These workstations are shielded from internet threats and other attack vectors and are reserved for individuals with elevated privileges. The objective is to insulate critical operations and fend off attackers targeting high-privilege network access.
Workstations used by individuals with privileged credentials make attractive targets for attackers looking to compromise privileged accounts, escalate permissions, and then move across the network undetected. The best practice for protecting privileged user workstations is to provide a dedicated operating system used exclusively for privileged access: a privileged access workstation.
Thus, IT and business users are supplied with a dedicated workstation (privileged access workstation) for privileged use. When logging into their PAWs, users access privileged accounts through a Privileged Access Management (PAM) platform that manages all access rights and permissions.
Microsoft, for example, recommends that users access privileged accounts from a dedicated device or operating system that is only used for privileged activities.
Software tools that provide privileged access management are essential to managing privileged access through PAWs. PAM solutions, for example, encompass password vaults, access controls, privileged access monitoring, behavioral analytics, and more. PAM solutions control and secure who gains access to privileged accounts, how long they have that access, and what they can do with it.
To maximize the protection of privileged accounts, PAW configurations typically require:
A PAW provides increased security for IT administrators working with servers and applications that pose a higher risk if compromised. This includes Active Directory and administrative access to databases, web servers, and application servers that contain sensitive data.
The dedicated PAW or OS cannot be used for web browsing, email, or other risky applications, and it should enforce application whitelisting (allow-listing). Connections to external Wi-Fi networks and to external USB devices must be avoided, and a PAW must not accept inbound connections from a non-privileged OS.
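The controls above are easy to state and easy to let drift. As an added example (not code from the original article or from any PAM vendor), the following read-only PowerShell audit checks a Windows PAW for each of them: application control in force, removable USB storage blocked, Wi-Fi disabled, inbound traffic blocked, and no stray local accounts in the Administrators group. The cmdlets and registry paths are standard Windows ones; the pass/fail thresholds and the function name `Test-PawHardening` are this script's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added example: read-only hardening audit for a Windows PAW (not part of the original article).
# Pass/fail criteria below are this script's assumptions, mapped to the controls in the text.
function Test-PawHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[pscustomobject]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Application whitelisting: WDAC policy enforced (status 2) or an effective AppLocker policy with rules.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdacEnforced = ($null -ne $dg) -and ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    $appLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $appLockerRules = 0
    if ($appLocker) {
        $appLockerRules = ($appLocker.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    }
    Add-Finding 'Application whitelisting enforced' ($wdacEnforced -or $appLockerRules -gt 0) `
        "WDAC enforced: $wdacEnforced; AppLocker rules: $appLockerRules"

    # 2. External USB storage: the USBSTOR driver service must be disabled (Start = 4).
    $usbStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue).Start
    Add-Finding 'USB mass storage disabled' ($usbStart -eq 4) "USBSTOR Start = $usbStart"

    # 3. External Wi-Fi: the WLAN AutoConfig service should be absent, or stopped and disabled.
    $wlan = Get-Service -Name WlanSvc -ErrorAction SilentlyContinue
    $wifiOff = (-not $wlan) -or ($wlan.Status -ne 'Running' -and $wlan.StartType -eq 'Disabled')
    $wlanDetail = if ($wlan) { "WlanSvc: $($wlan.Status)/$($wlan.StartType)" } else { 'WlanSvc absent' }
    Add-Finding 'Wi-Fi disabled' $wifiOff $wlanDetail

    # 4. No inbound connections: every firewall profile enabled with a default inbound action of Block.
    $profiles = Get-NetFirewallProfile
    $open = @($profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    $profileDetail = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ', '
    Add-Finding 'Inbound traffic blocked on all firewall profiles' ($open.Count -eq 0) $profileDetail

    # 5. Local Administrators: no local accounts other than the built-in Administrator (RID 500).
    #    Domain or cloud principals are reported for review but do not fail the check on their own.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $strayLocal = @($admins | Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' })
    $adminDetail = ($admins | ForEach-Object { $_.Name }) -join ', '
    Add-Finding 'No extra local administrators' ($strayLocal.Count -eq 0) "Members: $adminDetail"

    return $findings
}

# Usage: print the results as a table and exit non-zero if any control fails.
$results = Test-PawHardening
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

The script only reads state; it changes nothing, so it can be scheduled to run on every PAW and have its exit code fed to monitoring, which is how configuration drift on these devices is usually caught. The same checks apply whether the privileged OS is a physical machine or a dedicated virtual machine.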
To avoid forcing privileged users to carry two separate devices, many organizations use virtualization technologies (such as VirtualBox or Hyper-V) that allow a single device, such as a laptop, to run two isolated operating systems side by side. One system is used for daily productivity tasks and the other for privileged access.
Jump servers are servers in the data center, while PAWs are dedicated workstations. They are both dedicated to privileged use only, not for general tasks.
A privileged access workstation can be used by an administrator from practically any location, including home, depending on the company’s security policies. A jump server, in contrast, typically has limitations on how and where it can be accessed. Jump servers and PAWs are alike in that both must be hardened, controlled, and closely monitored.
A jump server typically requires connectivity between the endpoint and the server, while a PAW may not require connectivity depending on how it has been deployed.
While most PAWs require a dedicated physical machine, some organizations virtualize the dedicated operating system. In some cases, companies run two separate virtual machines (VMs), each with its own OS, on the same hardware.
It depends on your specific needs. Many organizations use a PAW and a jump server together. In these situations, it is best to ensure that administrators access sensitive resources from a dedicated operating system and use a jump server for added security and productivity benefits.