How to Implement Privileged Access Workstations (PAWs) for Technicians

Privileged Access Workstations (PAWs) are dedicated computer setups for sensitive administrative tasks. They offer a secure and isolated environment while catering to individuals with elevated privileges, safeguarding them from threats and vectors.

Separating daily-use devices from PAWS reduces the attack surface and mitigates lateral movement risks from phishing, malware, or browser-based threats.

Implementing PAWS: A step-by-step guide

Deploying PAWs requires numerous steps, most of which require native Windows security features, Group Policy, and PowerShell. The steps below let you build hardened, policy-driven administrative endpoints.

📌 Prerequisites:

• Windows 10/11 Enterprise or Pro edition
• Access to the Group Policy Management Console and PowerShell
• Optional: Access to NinjaOne for post-deployment monitoring

Step 1: Define PAW use cases and segmentation

Defining PAW use cases helps build a zero-trust model for administrative access. This step creates a boundary between devices used for daily use and workstations used for privileged operations.

📌 Use Case: Separates daily-use devices and workstations used for privileged operation

(A) Identify privileged roles

List the users who need elevated or privileged access within the team. Operational tiers and role criticality should segment these:

• Tier 0 support
  • Tier 0 support emphasizes self-service solutions. It empowers users to resolve issues themselves with guidance from FAQs, knowledge, and community forums.

• Tier 1 support
  • Tier 1 support acts as the first line of defense. This team responds to and resolves customer inquiries, which requires basic troubleshooting knowledge on simple issues without assistance.

• Tier 2 support
  • Tier 2 support is a step above tier 1, as this team specializes in resolving more complex technical support issues, such as diagnosing and repairing hardware-related issues.

• Tier 3 support
  • Tier 3 support is the last line of defense for IT support. This team takes action when tiers 1 and 2 can’t resolve problems. Tier 3 usually consists of skilled, experienced IT professionals who can fix complex issues.

• Tier 4 support
  • Third parties typically provide Tier 4 support. This team is usually hired by organizations that don’t have the in-house expertise or resources to resolve issues.

(B) Define PAW purposes

Assign PAWs according to tiers to isolate and protect privileged operations.

• Tier 0: Active Directory management
  • Admins managing tier 0 are responsible for administering Active Directory (AD), Domain Controllers (DC), and other system components. Tier 0 users have the highest access privileges and can create or modify user accounts, manage security policies, and control network settings.

• Tier 1: Server administration
  • Admins managing tier 1 are responsible for servers that provide services like application deployment, updates, and maintenance. Tier 1 users have the authority to manage services but cannot access AD functions.

• Tier 2: End-user support

• Admins managing tier 2 are responsible for providing end-user support and routine maintenance tasks, including password resets, software installations, and troubleshooting. Users managing tier 2 have limited privileges and can’t perform actions that affect server functionality or network settings.

💡 Tip: There should be no lateral movement between tiers. This means admins managing tier 0 resources should never log in to tier 1 or 2 systems from the same PAW.

(C) Restrict usage to enforce security

You should harden PAWs to prevent compromise by adding software restrictions and usage policies:

• No internet browsing
  • Block HTTP and HTTPS traffic or restrict it to approved internal update services because internet access is a significant attack vector.

• No email clients
  • Emails are high-risk vectors for phishing and malware. Instead, use a separate workstation or Virtual Desktop Infrastructure (VDI) session for email access.

• No personal applications
  • Ban non-approved apps, such as chat applications, productivity software, media players, browsers, etc.

Step 2: Apply Group Policy for hardening and app restrictions

Group Policy Objects (GPOs) are scalable and enforceable methods for implementing consistent security settings across all PAWs. This step ensures system behaviors are locked down, high-risk features are disabled, and access control mechanisms are uniformly applied.

📌 Use Case: Standardizes workstation hardening through enforceable GPO settings

📌 Prerequisite: Administrator privileges

1. Press Win + R, type gpedit.msc, and tap Enter.
2. Navigate the following paths, then turn the feature on or off, depending on need.
   • To block access to removable storage:
     • Computer Configuration > Administrative Templates > System > Removable Storage Access
   • To deactivate the local administrator account:
     • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
   • To enable Credential Guard and Device Guard:
     • Computer Configuration > Administrative Templates > System > Device Guard

Step 3: Enable BitLocker and device encryption

This step enables and enforces BitLocker with strong encryption standards aligned with organizational security policies.

📌 Use Case: Encrypts PAW system drives using strong encryption to prevent unauthorized access to disk data and credentials

📌 Prerequisite: Administrator privileges

To enable BitLocker using PowerShell, follow the steps below:

1. Press Win, type PowerShell, and click Run as administrator.
2. Copy and paste the following script into the prompt, then press Enter:
   • Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -RecoveryPasswordProtector

💡 Note: Create a backup recovery key in case you need it in the future. To do so, follow the steps below:

1. Press Start, type BitLocker, and select Manage BitLocker from the list of results.
2. Select Back up your recovery key next to the drive you want to back up.
3. Select where you want the key backed up.
4. Press Finish.

⚠️ Warning: TPM misconfiguration may cause boot failure or unrecoverable encryption (For more info, refer to: Things to look out for.)

Step 4: Configure network and firewall isolation

Tightly control a PAW’s network communication to minimize its attack surface.

📌 Use Case: Prevents PAWs from accessing the public internet while allowing connectivity to internal management servers and update infrastructure

📌 Prerequisite: Administrator privileges

1. Press Win, type PowerShell, and click Run as administrator.
2. Copy and paste the following script into the prompt, then tap Enter:
   • New-NetFirewallRule -DisplayName "Block Internet" -Direction Outbound -RemoteAddress 0.0.0.0/0 -Action Block

After blocking outbound traffic, create specific allow rules for critical infrastructure:

• Update endpoints
• RMM or management servers
• Logging or monitoring systems
• DNS servers and internal name resolution

Also, consider placing PAWs in their own dedicated VLAN (Virtual Local Area Network). Allow traffic only to:

• Internal admin services
• Controlled update infrastructure

VLANs offer enforceable boundaries at the network level.

Step 5: Lock down application access

This step ensures that only trusted administrative tools can run, blocking potentially dangerous and unnecessary apps that could serve as attack vectors.

📌 Use Case: Prevents execution of non-essential or high-risk software on PAWs

📌 Prerequisite: Administrator privileges

1. Press Win + R, type gpmc.msc, and press Enter.
2. Navigate the following path:

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

• • Allow:
    • MMC
    • PowerShell
    • Admin consoles
  • Deny:
    • Browsers, email clients, social media, and messaging apps

Step 6: Configure remote access and MFA enforcement

Enforcing MFA (Multi-Factor Authentication), VPN access, and controlled session management ensures remote administrative connections are secure and limited to authorized users.

📌 Use Case: Enables secure, policy-driven RDP access to privileged hosts, enforcing VPN, MFA, session limits, and endpoint-based access control

📌 Prerequisite: Administrator privileges

(A) Requiring VPN for remote RDP access (Remote Desktop Protocol)

• Require all remote administrative access to traverse a secure VPN tunnel.
• Restrict RDP at the network perimeter using firewalls.

This adds a secure layer and ensures the client is on a trusted network segment. This setup prevents RDP ports from being directly exposed to the internet.

(B) Creating an inbound firewall rule for RDP

1. Press Win, type cmd, and press Run as administrator.
2. Copy and paste the following script into the prompt, then press Enter:
   • netsh advfirewall firewall add rule name="Allow Admin RDP" dir=in action=allow protocol=TCP localport=3389

⚠️ Troubleshooting/Things to look out for

NinjaOne services to scale PAW deployment

With NinjaOne, MSPs can scale PAW deployment, maintain standardization, and reduce risk without sacrificing productivity. Specifically, NinjaOne enhances the PAW strategy by:

• Deploying hardened baselines using GPO-equivalent policy scripts
• Running PowerShell scripts remotely to validate firewall, BitLocker, or app restrictions
• Monitoring admin workstation health and patch status
• Tagging PAWs separately in inventory for reporting, auditing, and compliance
• Alerting on unauthorized software installs or policy drift across PAW endpoints

Enable secure remote administration by implementing PAWs

Privileged Access Workstations separate sensitive admin activity from general-purpose computing. Isolating credentials and securing endpoints used for domain or system administration enables MSPs and IT teams to reduce the risk of breach escalation or identify compromise.

Related topics:

• What Is Privileged Access Management (PAM)?
• What Is Identity & Access Management (IAM)?
• What Is a Workstation?
• How to Enable or Disable Networking in Windows Sandbox
• Streamline Security and Permissions with Role Based Access Control