Introduction
Following on from my previous post, I have been asked why I use a PAW for my own tenant, and why not just use a Conditional Access policy to ensure that the privileged user signs in from a device that is compliant for the tenant. So I reply with the question: why wouldn’t you want to use a PAW?
Why use a PAW?
Why should you use a PAW? Well, let me ask you this:
Would you be happy allowing your admins to access admin roles from a device that has been accessing everyday sites, social media, used to download and install software on?
And now, let me ask you another question:
Do you allow access to Social Media sites and general internet access from your servers?
I hope that you answered no to both of those. You did, didn’t you? You may laugh and ask why I am asking such “silly” questions, especially about allowing access to the internet from servers, but you wouldn’t, right? So why would you allow access to the Admin Centres in Microsoft 365 from any device?
This also links to the recommendation (and best practice) of separating your everyday user account and your privileged account. It’s always best to separate these, so it also makes sense (and is recommended) to separate your devices.
So even if your device is compliant, it’s still used by an everyday user as well, meaning there is an overlap in its use.
Guidance on deploying a PAW
There is lots of information out there on deploying PAWs, but I found some good info on the Microsoft site: Developing a privileged access strategy – Privileged access | Microsoft Learn. The NCSC also provides some info: Use privileged access management – NCSC.GOV.UK. Other government institutes around the globe, like NIST, provide recommendations and guidance on this too.
Some of these talk about the use of PAWs, SAWs (Secured Access Workstations) or even DAWs (Dedicated Access Workstations). Whilst (in my view) there is some good information in them, that’s all it is: information and some “guidelines”. So, I decided to dive deeper into this.
Personally, I do not think that there is one right way to do it, but there are many ways to do it wrong. Cyber security needn’t be complicated. In fact, my view is that the more complicated you make it, the more chance you’ll miss something.
I found the Microsoft Learn info on PAWs really helpful and a good starting point. With that as the base I then built out my idea of a virtual PAW. NIST referred to the Microsoft guidance as a reference for their Windows PAW config.
Should I use a Physical or Virtual PAW?
Do you need to carry an additional device with you? Not necessarily. Using a physical device is sometimes preferred, but let’s face it, it’s not ideal carrying a second, or even a third or fourth, device with you. I have known cases where someone has multiple devices: an everyday device, a PAW for the domain, a PAW for the DMZ and a PAW for specific cloud services, so introducing Microsoft cloud services may potentially require a fifth PAW.
Regardless of physical or virtual, you can still lock them down in similar ways. The only real difference is that one is another device you need to carry, and the other you’ll need to access via something like the Windows App.
I’ve had discussions with people in the past who would not even consider anything but a physical PAW, but we need to be realistic: it’s not always practical, and a virtual PAW you can potentially deploy in minutes, whereas a physical one would require purchasing a new device, waiting on it being delivered, Autopilot etc…
With virtual PAWs you can secure access by various means. If it’s on something like AVD or Windows 365 you can secure access via Conditional Access with FIDO2 keys or phishing-resistant MFA like a passkey. If it’s using another platform then you would put specific measures in place. Regardless of that, you can then use things like BitLocker, Intune and MDE to protect and control the devices. My personal preference is AVD/Windows 365.
Restricting Access to Cloud Portals
So regardless of how you go about creating your PAW, physical or virtual, you can apply a Conditional Access policy to restrict access based on an extensionAttribute set on the device. Filter for devices as a condition in Conditional Access policy – Microsoft Entra ID | Microsoft Learn
The idea of this policy is to block access for any of the privileged roles (except your break glass accounts, of course) and add an exception based on the extensionAttribute.
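As an added example (not code from the original post), this is how the policy just described can be created through the Microsoft Graph PowerShell SDK: it targets the privileged roles, excludes the break glass accounts, and uses a device filter so that devices whose extensionAttribute1 is “Privileged Access Workstation” are excluded from the block. The role names chosen and the placeholder break glass object IDs are assumptions, and the policy is created in report-only mode so it can be checked in the sign-in logs before being enforced.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph module is
# installed, PAW devices carry extensionAttribute1 = "Privileged Access Workstation",
# and the two break glass object IDs below are replaced with real values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Resolve directory role template IDs for the privileged roles in scope.
# Template IDs are the same in every tenant, e.g. Global Administrator is
# 62e90394-69f5-4237-9190-012177145e10. The role list here is an assumption.
$roleNames = @("Global Administrator", "Privileged Role Administrator",
               "Security Administrator", "Exchange Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Placeholder object IDs of the break glass accounts (never subject to this policy).
$breakGlass = @("<break-glass-1-object-id>", "<break-glass-2-object-id>")

$policy = @{
    displayName = "Block privileged roles unless signing in from a PAW"
    # Report-only first: review the sign-in logs before switching to "enabled",
    # otherwise a typo in the filter rule locks every admin out.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        applications = @{ includeApplications = @("All") }
        users = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlass
        }
        # mode "exclude" removes matching devices from the policy, so the PAW
        # is the only exception to the block below.
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "Privileged Access Workstation"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

A device with no extensionAttribute1 set does not match the filter, so it stays inside the block; only devices you have explicitly tagged get through.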
Setting the device extensionAttribute
Setting this attribute is simple enough; it’s done via the Microsoft Graph (which I’ve been having to get used to using more and more recently).
The main thing I learned dealing with devices is that the update is done against the object ID. There are two IDs, Id and DeviceId; my first thought was the DeviceId, but no!
Restricting access to the PAW only
To set extensionAttribute1, for example, to “Privileged Access Workstation” you could run the following:
# Sign in with the device code flow; Device.ReadWrite.All is what the update needs.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "Directory.ReadWrite.All" -DeviceCode

# Body for the device update: only extensionAttribute1 is changed.
$params = @{
    extensionAttributes = @{
        extensionAttribute1 = "Privileged Access Workstation"
    }
}

# Find every device whose display name starts with PAW-
$devices = Get-MgDevice -Filter "startswith(displayName,'PAW-')"

foreach ($device in $devices) {
    # -DeviceId takes the object ID ($device.Id), not the DeviceId property
    Update-MgDevice -DeviceId $device.Id -BodyParameter $params
}
This assumes that any device with the name prefix PAW- is a Privileged Access Workstation. Then, when you go to devices in Entra you will see the Extension Attributes associated with the device at the bottom of the

Restricting access to the PAW
By using AVD and/or Windows 365 you are then able to restrict access to the PAWs for the privileged accounts, so that only specific devices can connect using the Windows App, by applying the same principle.
Conclusion
If you’re looking to secure your privileged access for your Microsoft cloud services and you don’t want to have to carry a second device, then I would seriously suggest you look at Windows 365 and/or AVD. This ensures that you have a separate “device” that is only used by the dedicated cloud privileged account, keeping your privileged access and your everyday access completely separate.
I plan to write another post on my baseline suggestions for AVD/Windows 365 and what you need to consider when deploying these.