Privileged Access Workstations for tier-0 administration
Domain admins and cloud-tenant root holders should not be checking email and administering the directory from the same laptop. Separate the device, separate the trust tier.
- Quadrant: Strategic move
- Ease: 2 / 5
- Impact: 4 / 5
- Control family: Identity
- Cost band: medium
- Catalogued incidents: 8
What the control is
A Privileged Access Workstation (PAW) is a hardened, dedicated, single-purpose endpoint used exclusively for administering tier-0 systems — the directory service, the cloud-tenant root, the certificate authority, the privileged-access management infrastructure, the build-pipeline and code-signing service. The PAW does not browse the general internet, does not run an email client, does not host productivity software, and does not have any reachable path from the corporate user network. The administrator’s general-purpose work — email, web, documents, meetings — happens on a separate, lower-tier device that holds no tier-0 credentials and cannot reach the tier-0 systems.
The control is the device-level analogue of identity tiering. NIST and Microsoft articulate the same principle as the “clean source” or “tier-0 administrative segregation” pattern: the device used to administer a system must be at least as trustworthy as the system being administered. A general-purpose corporate laptop is, by virtue of its attack surface, less trustworthy than the tier-0 systems an administrator touches from it; the PAW closes that asymmetry.
PAWs are not a control to apply tenant-wide. They are scoped to the small population of tier-0 administrative roles — domain admin, schema admin, enterprise admin, cloud-tenant global admin, certificate-authority admin, code-signing admin, Privileged Identity Management admin. The population is typically a few dozen people in a large enterprise.
Why it matters
The catalogue of tier-0 compromises is unusually consistent in shape. SolarWinds Sunburst: build-pipeline credentials with persistent admin capability over the signing infrastructure, used from general-purpose corporate endpoints with full internet and email access. LastPass 2022: a DevOps engineer with persistent privileged access to the vault backup, compromised on a home machine via a vulnerable third-party application. Operation Aurora at Google in 2010: source-code management admin compromise via browser-based exploit on a general-purpose engineer workstation. The OPM breach in 2015: contractor laptops with standing access to federal background-check systems. Target 2013: HVAC contractor pivot via shared corporate-network access into point-of-sale. Microsoft Exchange Hafnium 2021: post-exploitation involved compromising on-premises Exchange admin sessions running on general-purpose admin laptops. Okta’s 2022 Lapsus$ event: a contractor support-engineer’s general-purpose laptop became the entry point to Okta’s tier-0 systems. Uber 2022: same pattern.
In every one of those, the gap was the same. A privileged credential or session existed on a device whose trust posture was set by general-purpose user requirements — email, browser, productivity software — and which therefore had a far larger attack surface than the privilege it held justified. The PAW pattern eliminates the asymmetry. The administrator’s general-purpose work happens on the lower-tier device; the privileged session happens on the dedicated, hardened, internet-isolated device; neither device holds the credentials of the other tier.
Where the regulators sit
Microsoft’s “Securing privileged access” architecture documentation is the canonical reference and the originator of the modern PAW pattern. NCSC’s “Secure system administration” collection is the UK government articulation, with explicit guidance on dedicated administrative endpoints and management networks. The NSA’s Active Directory tier-0 hardening guidance — published in joint advisories with CISA — specifies clean-source administration and PAWs by name. NIST SP 800-53 control AC-3 (Access Enforcement) and SC-7 (Boundary Protection) cover the administrative-isolation principles at the policy level. MITRE ATT&CK Mitigation M1028 (“Operating System Configuration”) maps the control to specific lateral-movement and credential-theft techniques it counters.
The framework view has been consistent for a decade. The implementation pattern is well-documented; the operational discipline is the bottleneck.
Where it usually breaks
Two failure modes recur. The first is the cultural objection: administrators do not want to carry two devices and switch between them. The objection is real and has to be addressed at the policy level rather than at the device level — the alternative interpretation is that the most-privileged users in the organisation are choosing convenience over the protection of the systems they administer, which is not a position that survives a serious post-incident review. The fix is leadership commitment to the pattern, with the inconvenience treated as the cost of the role.
The second is the cloud-administration scope. Modern enterprises increasingly have more cloud-tenant administrative power than on-prem AD admin power, and the PAW pattern has historically been articulated against the on-prem world. The fix is to extend the device-tiering pattern to cloud administration explicitly: cloud-tenant-root and cloud-IAM administration happens from the PAW, not from the general-purpose laptop, with the same device-level controls.
A third common failure is the “PAW lite” pattern — using a dedicated browser profile or a virtual machine on the general-purpose laptop instead of a separate device. The standards-body view is consistent that this is insufficient: the host operating system’s compromise compromises the guest’s privilege. The PAW has to be a separate physical device with no reachable path back to the user environment.
What good looks like
A documented inventory of every tier-0 administrative role across on-prem and cloud. A separate physical device issued to every administrator holding a tier-0 role, hardened to the platform’s published baseline, with no internet browsing, no email, no productivity tools, no path back to the corporate user network. Network-level isolation between the PAW network and the user network. Conditional access requiring the PAW device identity for any tier-0 administrative session. Quarterly review of who holds tier-0 privilege and whether their PAW is in use.
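The "conditional access requiring the PAW device identity" rule and the quarterly PAW-in-use review can be modelled as a small check over sign-in records. The following Python is an added example, not code from Microsoft, NCSC or any other source listed on this page; the role names, user names, device IDs and sign-in records are constructed placeholders.

```python
"""Tier-0 sign-in check against a PAW inventory (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed tier-0 role set and PAW inventory (user -> issued PAW device ID).
# All names and IDs are placeholders, not values from any real tenant.
TIER0_ROLES = {"Global Administrator", "Domain Admin", "CA Admin", "Code-Signing Admin"}
PAW_INVENTORY = {"alice": "paw-0001", "bob": "paw-0002", "carol": "paw-0003"}

# Constructed sign-in events in the shape a tenant audit log would provide.
SIGNINS = [
    {"ts": "2024-05-02T09:12:00", "user": "alice", "role": "Global Administrator", "device": "paw-0001"},
    {"ts": "2024-05-02T11:40:00", "user": "bob", "role": "Domain Admin", "device": "lt-bob-corp"},
    {"ts": "2024-02-15T08:00:00", "user": "carol", "role": "CA Admin", "device": "paw-0003"},
    {"ts": "2024-05-03T14:05:00", "user": "dave", "role": "Helpdesk", "device": "lt-dave-corp"},
]


def evaluate_signin(event):
    """Emulate the conditional-access rule: tier-0 role on a non-PAW device is denied.
    Returns a (decision, reason) pair; decision is 'allow' or 'deny'."""
    if event["role"] not in TIER0_ROLES:
        return "allow", "not a tier-0 role; PAW policy does not apply"
    issued = PAW_INVENTORY.get(event["user"])
    if issued is None:
        return "deny", "tier-0 role holder with no PAW issued"
    if event["device"] != issued:
        return "deny", f"tier-0 session from {event['device']}, expected {issued}"
    return "allow", "tier-0 session from issued PAW"


def quarterly_review(events, now_iso, window_days=90):
    """Return PAW holders with no tier-0 sign-in from their issued PAW in the window.
    An idle PAW usually means the admin is doing tier-0 work from another device."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    seen = set()
    for e in events:
        used_own_paw = e["device"] == PAW_INVENTORY.get(e["user"])
        if datetime.fromisoformat(e["ts"]) >= cutoff and e["role"] in TIER0_ROLES and used_own_paw:
            seen.add(e["user"])
    return sorted(u for u in PAW_INVENTORY if u not in seen)


if __name__ == "__main__":
    for e in SIGNINS:
        print(e["user"], *evaluate_signin(e))
    print("PAWs idle this quarter:", quarterly_review(SIGNINS, "2024-05-31T00:00:00"))
```

Wired to a real tenant, `evaluate_signin` corresponds to the block decision the identity provider should already be making, and `quarterly_review` is the report the access-review meeting works from.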
The cost is the device fleet plus the operational discipline. The benefit is that a compromised general-purpose endpoint stops being a tier-0 compromise.
Where this control would have changed the outcome
- SolarWinds — Sunburst supply-chain compromise: Russian SVR operators compromised SolarWinds' Orion build server and pushed the Sunburst backdoor via a signed software update to 18,000 customers including nine federal agencies.
- LastPass — encrypted vault exfiltration: Attackers compromised a LastPass DevOps engineer's home computer to harvest credentials to the vault backup, then exfiltrated customer vault data including encrypted passwords.
- Operation Aurora — Google + 30 US technology firms: Chinese state-sponsored attackers exploited an Internet Explorer zero-day to breach Google, Adobe and at least 30 other companies, targeting source code and human-rights activists' accounts.
- US Office of Personnel Management — federal records breach: Chinese state-sponsored actors exfiltrated 21.5 million federal personnel records from the Office of Personnel Management, including security-clearance files with detailed background investigation data.
- Target Corporation — 2013 card breach: Attackers entered Target's network through an HVAC supplier's stolen credentials, deployed memory-scraping malware on point-of-sale terminals, and exfiltrated 40M cards and 70M customer records.
- Microsoft Exchange — Hafnium ProxyLogon: Chinese state-sponsored Hafnium exploited four chained Exchange zero-days (ProxyLogon) before patches were available; over 250,000 servers were compromised by multiple actors within days of disclosure.
- Okta — Lapsus$ support-engineer breach: Lapsus$ compromised a Sitel support engineer with Okta customer-tooling access and sat inside the environment for months; Okta's delayed public response compounded the reputational damage.
- Uber — 2016 cover-up + 2022 social-engineering breach: Uber concealed a 2016 breach of 57M records by paying the attacker as a bug bounty; a 2022 Lapsus$ intrusion exposed internal systems and executive Slack messages.
Sources
- Microsoft — Securing privileged access: Privileged Access Workstations (PAW) // primary
- NCSC — Secure system administration // primary
- NSA — Active Directory tier-0 hardening guidance // primary
- NIST SP 800-53 Rev. 5 — AC-3, SC-7 (administrative isolation) // primary
- MITRE ATT&CK — Mitigation M1028: Operating System Configuration // analysis