Take a PAWs for your Privileged Accounts

Consultant’s Corner

Welcome to Quorum’s Consultant’s Corner. A place where our Consulting team can drop knowledge, talk about the issues that are currently on their minds, give us an insight into their passions, or just have a good old rant.

These articles won’t be released with any specific cadence, but they will always be useful and topical!

Andrew Kemp

Senior Consultant

Following his article on Global Admins and privileged access, he’s taking a look at Privileged Access Workstations (PAWs).

Andy is a specialist in Microsoft 365 Modern Work, helping customers secure, use, and get the most out of their Microsoft 365 Subscription.

He has a deep understanding of security and compliance measures.

For anyone who may be unfamiliar, a PAW is a dedicated workstation, specifically designed for sensitive tasks and accounts that require heightened security measures. It is tailored to protect against internet attacks and other threat vectors, providing a separate and secure operating system used exclusively for accessing privileged resources.

Sounds like a “jump box”, right? In a manner of speaking it can be. However, “jump box” means different things to different people, and I have often seen one used in much the same way as an everyday workstation, which defeats the purpose.

Why use a PAW?

Some companies I have engaged with over the years have told me they restrict access to privileged roles to hybrid joined or compliant devices. OK, that’s good, but it’s still a risk! Others have just looked at me blankly, wondered what in the world I was talking about, and responded that they do secure their privileged access: with MFA. That’s a good first step, but it is still a risk, so let me ask you a couple of questions:

Would you allow access to privileged roles from a device that a regular user works on every day, with access to personal email and social media sites, and so with every chance of picking up malware?

And would you allow access to social media sites from an account and device that can perform privileged tasks?

I would hope that the answer to both of these would be ‘NO’! This is when a PAW is introduced.

You might restrict access to a compliant device or, it may be hybrid joined, but it is still a device that is also used every day by a regular user, and has pretty much free access to the internet, Facebook, X (the artist service formerly known as Twitter), webmail and any number of other sites with potential malware.

This is why PAWs are so important! You can create a PAW and lock it down completely, so that it can reach only the Microsoft 365 admin centres, using the tools already available to you within Microsoft 365.

Considerations on how to deploy a PAW

You can block access to the Microsoft 365 admin centres from everything but the PAW with a device extension attribute and a Conditional Access policy: tag the PAW’s device object (extensionAttribute1 to extensionAttribute15 are the only device properties a Conditional Access device filter can match), then build a block policy that targets all devices and excludes, via the device filter, those carrying the PAW tag. You could then use Microsoft Defender for Endpoint Plan 2 to further harden the PAW with a very tight Attack Surface Reduction policy and limit its internet access. You could even go as far as blocking everything on the internet except the admin centres by pointing the device’s proxy at the loopback address, where nothing is listening, and setting the proxy bypass list to only the Microsoft URLs, so every other request is refused locally. This is the most restrictive option, but also the most secure.
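The two local controls just described, the loopback proxy with a Microsoft-only bypass list and a tight Attack Surface Reduction set, as an added PowerShell example for a lab PAW. This is not code from the post or from Microsoft; in production the same settings are delivered by Intune and Defender for Endpoint policy rather than by a script. The proxy port, the bypass list and the choice of ASR rules are assumptions; extend the bypass list from Microsoft’s published Microsoft 365 endpoint list as sign-in or portal pages fail.

```powershell
# Added example, not part of the original post: lab-device equivalent of the
# PAW internet lockdown and ASR hardening. Hostnames, port and rule set are
# assumptions; Intune/MDE policy is the production delivery mechanism.
#Requires -RunAsAdministrator

# Admin-centre and sign-in hosts the PAW may reach. Everything else is sent to
# a loopback proxy with nothing listening, so the connection is refused.
$AllowedHosts = @(
    'login.microsoftonline.com', 'login.microsoft.com', 'login.live.com',
    '*.msauth.net', '*.msftauth.net',              # sign-in page assets
    'admin.microsoft.com', 'entra.microsoft.com', 'portal.azure.com',
    'intune.microsoft.com', 'security.microsoft.com', 'purview.microsoft.com',
    'graph.microsoft.com',                          # Graph PowerShell / API
    'outlook.office365.com'                         # Exchange Online PowerShell
)

function Set-PawLoopbackProxy {
    param(
        [string[]]$Bypass,
        [string]$Proxy = '127.0.0.1:1'   # assumption: port 1 has no listener, so requests are refused
    )
    # <local> keeps intranet (single-label) names off the proxy
    $bypassList = ($Bypass + '<local>') -join ';'

    # Per-user WinINET proxy: browsers and most .NET tooling honour this
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer   -Value $Proxy
    Set-ItemProperty -Path $key -Name ProxyOverride -Value $bypassList

    # Machine-wide WinHTTP proxy: services and non-WinINET tools follow this one
    $netshArgs = @('winhttp', 'set', 'proxy', "proxy-server=$Proxy", "bypass-list=$bypassList")
    & netsh @netshArgs | Out-Null
}

function Enable-PawAsrRules {
    # Published Defender ASR rule IDs; verify against Microsoft's ASR rule reference
    # before deploying, and run them in AuditMode first on a real estate.
    $rules = @{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
        'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
        'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
        'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    }
    $ids     = @($rules.Keys)
    $actions = @('Enabled') * $ids.Count        # one action per rule ID, positionally matched
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    return $rules
}

Set-PawLoopbackProxy -Bypass $AllowedHosts
Enable-PawAsrRules | Out-Null
```

Run it in the admin user’s session with elevation, and keep that user a standard user on the PAW afterwards so they cannot simply switch the proxy off. The proxy only constrains software that honours the system proxy; anything that talks to IP addresses directly still needs an outbound Windows Defender Firewall rule, which Intune can deliver alongside the ASR policy.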

If you wanted to be less restrictive, you could open up other URLs. For example, I use Visual Studio Code for my PowerShell scripts and sync them to GitHub, so you could allow access to GitHub and deploy Visual Studio Code and the GitHub Desktop client to the device via Intune so you can reach your scripts. However, be careful: every extra site or service you open up is extra risk on the one device that can do the most damage!

Microsoft provides good guidance in “Deploying a privileged access solution” on Microsoft Learn, but guidance is all it is. One thing I would challenge in that article (at the time of writing this post) is the scope of the block policy for all devices except those tagged as a PAW: I would block all cloud apps, not just Microsoft Azure Management as Microsoft suggests. Why? Because Microsoft Azure Management covers the Azure portal and its management APIs, but not the Microsoft 365, Exchange and other admin centres, and privileged accounts can still perform tasks through PowerShell and Microsoft Graph from any other device. I’d also implement a Conditional Access policy requiring phishing-resistant MFA (the built-in authentication strength) for your privileged accounts, and enforce FIDO2 keys as the method. PowerShell is the one to watch here: credential-based sign-in (passing a -Credential object) needs a password, so use the interactive browser sign-in of the Microsoft Graph and Exchange Online modules, which hands authentication to the browser and works with FIDO2 keys.

Is it best to use a physical or virtual PAW?

What makes a good PAW? I’ve looked at various options, and ultimately a second physical device is the best solution. However, that is not always practical, so with that in mind my preferred route is Windows 365: a Cloud PC dedicated to privileged tasks, which is its own device object in Entra ID and can be tagged and targeted like any other device.

One argument I have heard against this is that a Windows 365 Cloud PC can be reached from anywhere. So I looked again at device extension attributes: by tagging the admin’s everyday corporate PC and building a Conditional Access policy on the Windows 365 cloud app that blocks every device without that tag, only that PC can open the Windows 365 PAW. The user cannot open it from their home PC, or from another company-owned device outside IT, for example.
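The device-tag block policy and the phishing-resistant MFA policy from the deployment section above, together with the Windows 365 restriction just described, as one added PowerShell example using the Microsoft Graph PowerShell SDK. This is not code from the post or from Microsoft. The device names, tag values, break-glass account UPN, the Windows 365 service principal lookup by display name and the Graph scopes are assumptions for your own tenant; the Global Administrator role template ID and the built-in phishing-resistant authentication strength ID are fixed values.

```powershell
# Added example, not from the original post or from Microsoft: tag devices with
# extension attributes and create the three Conditional Access policies discussed
# in the post. Names, tag values, UPNs, the service principal lookup and the
# scopes are assumptions; policies are created in report-only mode.
#Requires -Modules Microsoft.Graph

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.ReadWrite.All', 'Application.Read.All'

# Global Administrator role template ID (same in every tenant). Add the other
# privileged role template IDs you use (Exchange, Security, Intune admins ...).
$PrivilegedRoleIds = @('62e90394-69f5-4237-9190-012177145e10')

# Built-in "Phishing-resistant MFA" authentication strength (FIDO2, Windows Hello for Business, CBA).
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

# Emergency-access account excluded from every policy (assumption: exists, credentials held offline).
$BreakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $BreakGlass) { throw 'Break-glass account not found; do not deploy block policies without one' }

function Set-DeviceTag {
    param([string]$DisplayName, [string]$Attribute, [string]$Value)
    $device = Get-MgDevice -Filter "displayName eq '$DisplayName'"
    if (-not $device) { throw "Device '$DisplayName' not found in Entra ID" }
    # extensionAttribute1-15 are the device properties a CA device filter can match on
    Update-MgDevice -DeviceId $device.Id -BodyParameter @{
        extensionAttributes = @{ $Attribute = $Value }
    }
}

function New-PawPolicy {
    param(
        [string]$Name,
        [string[]]$Apps,        # 'All' or a list of application (client) IDs
        [hashtable]$Grant,      # grantControls body
        [string[]]$Roles,       # role template IDs; omit to target all users
        [string]$DeviceRule     # devices matching this rule are EXCLUDED (let through);
                                # everything else, including unregistered devices, is hit
    )
    $users = if ($Roles) { @{ includeRoles = $Roles } } else { @{ includeUsers = @('All') } }
    $users.excludeUsers = @($BreakGlass.Id)
    $conditions = @{
        users          = $users
        applications   = @{ includeApplications = $Apps }
        clientAppTypes = @('all')   # browser, modern clients and legacy protocols alike
    }
    if ($DeviceRule) {
        $conditions.devices = @{ deviceFilter = @{ mode = 'exclude'; rule = $DeviceRule } }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set 'enabled'
        conditions    = $conditions
        grantControls = $Grant
    }
}

$Block = @{ operator = 'OR'; builtInControls = @('block') }

# 1. Tag the PAW (a Windows 365 Cloud PC here) and the admin's everyday corporate PC.
Set-DeviceTag -DisplayName 'CPC-akemp-PAW' -Attribute 'extensionAttribute1' -Value 'PAW'
Set-DeviceTag -DisplayName 'LT-akemp-01'   -Attribute 'extensionAttribute2' -Value 'W365-Allowed'

# 2. Privileged roles: block ALL cloud apps (admin centres, PowerShell, Graph) from any
#    device that is not a tagged PAW. Blocking only "Microsoft Azure Management" would
#    leave the Microsoft 365 admin centres and the PowerShell/Graph endpoints reachable.
New-PawPolicy -Name 'PAW-01 Block privileged roles from non-PAW devices' `
    -Apps @('All') -Roles $PrivilegedRoleIds `
    -DeviceRule 'device.extensionAttribute1 -eq "PAW"' -Grant $Block

# 3. Privileged roles: phishing-resistant MFA everywhere, PAW included.
New-PawPolicy -Name 'PAW-02 Require phishing-resistant MFA for privileged roles' `
    -Apps @('All') -Roles $PrivilegedRoleIds `
    -Grant @{ operator = 'OR'; authenticationStrength = @{ id = $PhishingResistantStrengthId } }

# 4. Windows 365: only the tagged everyday corporate PC may open the Cloud PC PAW.
$w365 = Get-MgServicePrincipal -Filter "displayName eq 'Windows 365'"   # assumption: this display name
if (-not $w365) { throw 'Windows 365 service principal not found; check the display name' }
New-PawPolicy -Name 'PAW-03 Windows 365 only from tagged corporate PCs' `
    -Apps @($w365.AppId) `
    -DeviceRule 'device.extensionAttribute2 -eq "W365-Allowed"' -Grant $Block
```

Leave the policies in report-only mode until the sign-in logs show the PAW and the tagged PC passing and everything else being caught; the first policy in particular will lock out every admin whose device you forgot to tag, which is exactly why the break-glass exclusion is there. Note that the Cloud PC carries the PAW tag and the laptop the Windows 365 tag; the laptop is never allowed to reach the admin centres itself, only to open the Cloud PC that can.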

Furthermore, with Microsoft 365 E5 licensing (which bundles Enterprise Mobility + Security E5 and Windows Enterprise E5), you can use Intune, Windows Autopatch, Microsoft Defender for Endpoint, Privileged Identity Management (PIM), Access Packages and Access Reviews to better secure the device and the privileged account.

Final Thoughts

I think that it’s safe to say there is no one ‘correct’ way to deploy a PAW or restrict access, it’s what fits in-line with your needs and requirements that is ultimately the driver for this.

Security doesn’t need to be overly complicated; overcomplicating it can introduce risks of its own and make things harder to access than they need to be.

The key objective is to provide a secure, dedicated device that is specifically configured for users with privileged accounts to carry out sensitive tasks. This device is designed to block access to potentially malicious websites, safeguarding the user from malware. Concurrently, it ensures that a user’s regular workstation, which is more vulnerable to malware infections, does not have access to critical admin centres in Microsoft 365.

If you’d like to discuss any of this, please do get in touch.


CONTACT INFO

Quorum

18 Greenside Lane Edinburgh

UK EH1 3AH

Phone: +44 131 652 3954

Email: marketing@quorum.co.uk

© 2024 Quorum All Rights Reserved. | Environmental Policy | Sitemap | Privacy Policy
