
What is a PAW?

A privileged access workstation (PAW) is a security-hardened and dedicated computing environment developed to secure sensitive accounts and tasks. A PAW separates sensitive business functions, accounts with administrative privileges, and accounts of employees who deal with highly sensitive information from non-administrative computer use such as accessing e-mail or browsing the internet.

Employing PAWs can help protect your organization from adversaries by isolating and securing highly sensitive accounts and privileged tasks.

Characteristic features of PAW

  • A dedicated, locked-down PAW provides high security assurance for sensitive accounts and tasks.
  • A PAW is built on secure, trusted hardware with clean source media and is hence protected against vulnerabilities and loopholes.
  • All the activities that take place in PAWs are continuously monitored to give complete visibility.
  • The up-to-date, secure operating system provides top-notch security features, such as timely, automated installation of security updates.

PAW hardware profiles

Privileged administrative users perform standard activities too. In addition to privileged administrative tasks, these users typically check email and access other business productivity applications. It might become second nature for many privileged users to use their privileged account for daily tasks. However, from a security standpoint, this is not a good practice. On the other hand, very stringent security policies might hamper productivity. To strike a balance between productivity and security, Microsoft provides two hardware profiles for implementing privileged access workstations in an organization's network.

Dedicated hardware

Different dedicated devices for standard user tasks and administrative tasks.

Simultaneous Use

A single device that runs user tasks and administrative tasks concurrently by taking advantage of OS or presentation virtualization. The physical system runs two operating systems locally.

It is important to note that implementing PAWs can't protect an organization's IT environment from an adversary that has already gained administrative access over an Active Directory forest.


Monitoring privileged access workstations with ADAudit Plus

Privileged access workstations involve a dedicated operating system or device used exclusively for handling privileged operations. Any unauthorized access to PAWs could give malicious users access to sensitive information and compromise an organization's network infrastructure. Tracking the activities that occur on privileged access workstations is essential to spot suspicious activity and expedite forensic analysis in the event of a mishap. ADAudit Plus simplifies workstation monitoring by offering predefined User Logon Reports, along with intuitive graphical representations of the same data for ease of comprehension.

Steps to track activities in a PAW

Once ADAudit Plus has been installed, it can automatically configure audit policies required for Active Directory auditing. To enable automatic configuration:
Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Privileged access workstations can be monitored by following these steps:
  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to User Logon Reports.
  • Select Last Logon on Workstations.

The Last Logon on Workstations report provides clear information about when a workstation was last accessed, by whom, and the status of the logon, among other details. By analyzing this report, you can identify users who are attempting to gain unauthorized access to a privileged access workstation and take corrective action.

The following are some of the other reports which can help you audit privileged access workstations:
  • Workstation Logon Activity - This report provides information about the logon activities that take place in workstations, along with the username, domain controller details, logon time, and so on.
  • PAWs that employ a dedicated computer can be monitored using the reports under the Computer Management division of the Reports tab. These reports provide information about all the critical functions that take place in PAWs with exclusive hardware.
  • On PAW devices, only the built-in local administrator account and the PAW maintenance user account should be part of the local Administrators group. When users are added as local administrators to PAWs, it might indicate an unauthorized privilege escalation. Such activities can be identified by exploring the Recently Added Members to Groups report (the path to this report is given below). The report lists all the new members who have been added to privileged access groups, along with the user who added them, the group they were added to, and the domain controller names.

Server Audit -> Local Account Management -> Recently Added Members to Groups.
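
The local Administrators rule described above can also be checked on the PAW itself with native Windows tooling. The following PowerShell is an added example, not part of ADAudit Plus or of the original page; the account name `paw-maint` and the seven-day window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run locally on a PAW. 'paw-maint' is a hypothetical account name.
$adminsGroupSid = 'S-1-5-32-544'                     # well-known SID: BUILTIN\Administrators
$allowedNames   = @("$env:COMPUTERNAME\paw-maint")   # hypothetical PAW maintenance account

# The built-in local Administrator keeps RID 500 even if it has been renamed.
$builtinAdminSid = (Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value

# 1. Current state: members that are neither the built-in account nor allowlisted.
$unexpected = Get-LocalGroupMember -SID $adminsGroupSid | Where-Object {
    $_.SID.Value -ne $builtinAdminSid -and $allowedNames -notcontains $_.Name
}

# 2. History: event 4732 (member added to a security-enabled local group) for the
#    last 7 days. Assumes "Audit Security Group Management" success auditing is on.
$filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-7) }
$additions = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Read the named EventData fields instead of relying on positional order.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        # TargetSid is the group that was changed; keep only local Administrators.
        if ($data['TargetSid'] -eq $adminsGroupSid) {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                MemberSid = $data['MemberSid']
                AddedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
    }

"Unexpected members of local Administrators: $(@($unexpected).Count)"
$unexpected | Format-Table Name, SID, PrincipalSource -AutoSize
"Additions to local Administrators in the last 7 days: $(@($additions).Count)"
$additions | Sort-Object Time | Format-Table -AutoSize
```

A non-zero count in the first list is the condition the report is meant to surface; the second list shows who made each change and when, provided the Security log still retains those events.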

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. It helps to monitor privileged access workstations continuously and gain comprehensive insights into the critical resources within an organization's network. In total, the solution has 200+ reports and real-time alerts to keep your network environment secure. To learn more, visit https://www.manageengine.com/active-directory-audit/
