Key points
- Segment Roles and Tiers: Define privileged roles using a security tier model (Tier 0 for Identity, Tier 1 for Servers, and Tier 2 for End-users) to ensure strict boundaries and prevent lateral movement between administrative tasks.
- Apply Hardening via GPO: Use Group Policy Objects to enforce consistent security settings, such as deactivating local administrator accounts, blocking removable storage, and enabling Credential Guard.
- Encrypt and Secure Hardware: Enforce BitLocker with XTS-AES 256 encryption and utilize hardware with TPM 2.0 and Secure Boot to protect the workstation from firmware-level attacks and unauthorized disk access.
- Isolate Network Traffic: Configure host-based firewalls to block all outbound internet traffic while creating explicit “allow” rules for essential internal infrastructure like Domain Controllers and management servers.
- Restrict Applications with AppLocker: Implement AppLocker rules to allow only trusted administrative tools (e.g., PowerShell, MMC) while strictly denying high-risk software like web browsers and email clients.
- Secure Remote Access: Mandate VPN and Multi-Factor Authentication (MFA) for all RDP sessions, and utilize Certificate-Based Authentication for Tier 0 PAWs to ensure only authorized physical devices can connect.
Privileged Access Workstations (PAWs) are dedicated computer setups for sensitive administrative tasks. They offer a secure and isolated environment while catering to individuals with elevated privileges, safeguarding them from threats and vectors.
Separating daily-use devices from PAWS reduces the attack surface and mitigates lateral movement risks from phishing, malware, or browser-based threats.
For a visual breakdown of this topic, watch How to Implement Privileged Access Workstations (PAWs) for Technicians.
Secure admin sessions and reduce attack vectors with NinjaOne Endpoint Management.
Implementing PAWS: A step-by-step guide
Deploying PAWs requires numerous steps, most of which require native Windows security features, Group Policy, and PowerShell. The steps below let you build hardened, policy-driven administrative endpoints.
📌 Prerequisites:
- Windows 10/11 Enterprise or Pro edition
- Access to the Group Policy Management Console and PowerShell
- Optional: Access to NinjaOne for post-deployment monitoring
Step 1: Define PAW use cases and segmentation
Defining PAW use cases helps build a zero-trust model for administrative access. This step creates a boundary between devices used for daily use and workstations used for privileged operations.
📌 Use Case: Separates daily-use devices and workstations used for privileged operation
(A) Identify privileged roles
List the users who need elevated or privileged access within the team. List the users who need elevated or privileged access within the team. To prevent credential theft, roles should be segmented using the Tiered Security Model:
Updated Tiered Security Model
- Tier 0 (Highest)
- Direct control of Enterprise Identity (Active Directory, Domain Controllers, Azure AD/Entra ID). These users require the most restricted, physical PAWs.
- Tier 1
- Enterprise Servers, Database management, and Cloud Infrastructure. These users access sensitive data but not the “keys to the kingdom.”
- Tier 2
- End-user devices and standard support. These admins manage workstations and help-desk tasks.
Critical Rule: Access only flows down, never up. A Tier 0 admin uses a Tier 0 PAW to manage Tier 0, 1, and 2. A Tier 2 admin cannot access a Tier 0 PAW.
(B) Define PAW purposes
Assign PAWs according to tiers to isolate and protect privileged operations.
- Tier 0: Identity Management
- Admins managing tier 0 are responsible for administering Active Directory (AD), Domain Controllers (DC), and other system components. Tier 0 users have the highest access privileges and can create or modify user accounts, manage security policies, and control network settings.
- Tier 1: Server Administration
-
- Admins managing Tier 1 are responsible for infrastructure servers, application deployment, and maintenance. They have the authority to manage services but cannot access Tier 0 identity functions.
- Tier 2: End-user support
- Admins managing Tier 2 provide end-user support and routine maintenance, including software installations and troubleshooting. These privileges are limited to avoid affecting server or network-wide functionality.
💡 Tip: There should be no lateral movement between tiers. This means admins managing tier 0 resources should never log in to tier 1 or 2 systems from the same PAW.
(C) Restrict usage to enforce security
You should harden PAWs to prevent compromise by adding software restrictions and usage policies:
- No internet browsing
- Block HTTP and HTTPS traffic or restrict it to approved internal update services because internet access is a significant attack vector.
- No email clients
- Emails are high-risk vectors for phishing and malware. Instead, use a separate workstation or Virtual Desktop Infrastructure (VDI) session for email access.
- No personal applications
- Ban non-approved apps, such as chat applications, productivity software, media players, browsers, etc.
Step 2: Apply Group Policy for hardening and app restrictions
Group Policy Objects (GPOs) are scalable and enforceable methods for implementing consistent security settings across all PAWs. This step ensures system behaviors are locked down, high-risk features are disabled, and access control mechanisms are uniformly applied.
📌 Use Case: Standardizes workstation hardening through enforceable GPO settings
📌 Prerequisite: Administrator privileges
- Press Win + R, type gpedit.msc, and tap Enter.
- Navigate the following paths, then turn the feature on or off, depending on need.
- To block access to removable storage:
- Computer Configuration > Administrative Templates > System > Removable Storage Access
- To deactivate the local administrator account:
- Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- To enable Credential Guard and Device Guard:
- Computer Configuration > Administrative Templates > System > Device Guard
- To block access to removable storage:
Step 3: Enable BitLocker and device encryption
This step enables and enforces BitLocker with strong encryption standards aligned with organizational security policies.
📌 Use Case: Encrypts PAW system drives using strong encryption to prevent unauthorized access to disk data and credentials
📌 Prerequisite: Administrator privileges
To enable BitLocker using PowerShell, follow the steps below:
- Press Win, type PowerShell, and click Run as administrator.
- Copy and paste the following script into the prompt, then press Enter:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -RecoveryPasswordProtector
Hardware Integrity Check
For the highest security, use hardware that supports TPM 2.0 and Secure Boot. If possible, choose devices that are Secured-core PCs. This protects the PAW from firmware-level attacks (rootkits) that standard antivirus software might miss.
💡 Note: Create a backup recovery key in case you need it in the future. To do so, follow the steps below:
- Press Start, type BitLocker, and select Manage BitLocker from the list of results.
- Select Back up your recovery key next to the drive you want to back up.
- Select where you want the key backed up.
- Press Finish.
⚠️ Warning: TPM misconfiguration may cause boot failure or unrecoverable encryption (For more info, refer to: Things to look out for.)
Step 4: Configure network and firewall isolation
Tightly control a PAW’s network communication to minimize its attack surface.
📌 Use Case: Prevents PAWs from accessing the public internet while allowing connectivity to internal management servers and update infrastructure
📌 Prerequisite: Administrator privileges
- Press Win, type PowerShell, and click Run as administrator.
- Copy and paste the following script into the prompt, then tap Enter:
New-NetFirewallRule -DisplayName "Block Internet" -Direction Outbound -RemoteAddress 0.0.0.0/0 -Action Block
After blocking outbound traffic, create specific allow rules for critical infrastructure:
- Update endpoints
- RMM or management servers
- Logging or monitoring systems
- DNS servers and internal name resolution
Also, consider placing PAWs in their own dedicated VLAN (Virtual Local Area Network). Allow traffic only to:
- Internal admin services
- Controlled update infrastructure
VLANs offer enforceable boundaries at the network level.
Step 5: Lock down application access
This step ensures that only trusted administrative tools can run, blocking potentially dangerous and unnecessary apps that could serve as attack vectors.
📌 Use Case: Prevents execution of non-essential or high-risk software on PAWs
📌 Prerequisite: Administrator privileges
Pro-Tip: Don’t Get Locked Out
Before switching AppLocker to “Enforce Rules,” set it to “Audit Only” for 3–5 days.
- Check the Event Viewer: Navigate to Applications and Services Logs > Microsoft > Windows > AppLocker.
- Identify blocks: Look for entries that flag critical admin tools (like specific RMM plugins, NinjaOne agents, or specialized diagnostics) that would have been blocked.
- Adjust rules: Add exceptions for these tools before you turn on the hard restriction to avoid bricking your own workflow.
To configure AppLocker:
- Press Win + R, type gpmc.msc, and press Enter.
- Navigate the following path:
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
-
- Allow:
- MMC
- PowerShell
- Admin consoles
- Deny:
- Browsers, email clients, social media, and messaging apps
- Allow:
Step 6: Configure remote access and MFA enforcement
Enforcing MFA (Multi-Factor Authentication), VPN access, and controlled session management ensures remote administrative connections are secure and limited to authorized users.
📌 Use Case: Enables secure, policy-driven RDP access to privileged hosts, enforcing VPN, MFA, session limits, and endpoint-based access control
📌 Prerequisite: Administrator privileges
(A) Requiring VPN for remote RDP access (Remote Desktop Protocol)
- Require all remote administrative access to traverse a secure VPN tunnel.
- Restrict RDP at the network perimeter using firewalls.
This adds a secure layer and ensures the client is on a trusted network segment. This setup prevents RDP ports from being directly exposed to the internet.
Note: For Tier 0 PAWs, rely on Certificate-Based Authentication via your VPN. This ensures that only the specific, physical PAW device can even attempt a connection to the management network, effectively blocking any unauthorized devices from even seeing the login screen.
(B) Creating an inbound firewall rule for RDP
- Press Win, type cmd, and press Run as administrator.
- Copy and paste the following script into the prompt, then press Enter:
netsh advfirewall firewall add rule name="Allow Admin RDP" dir=in action=allow protocol=TCP localport=3389
⚠️ Troubleshooting/Things to look out for
| Symptoms or risks | Likely causes or potential consequences | Resolutions or reversals |
| Admin tools not launching | A misconfigured AppLocker policy is blocking required applications because of missing allow rules. | Open the AppLocker Event Logs at Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker and look for the rules blocking execution. |
| GPO settings “disappearing” (Policy Drift) | Local overrides or conflicting Domain GPOs are overwriting your settings. | Run gpresult /h report.html in CMD to identify which policy is winning the conflict. |
| Credential Guard Error | Virtualization-based security (VBS) is disabled in BIOS. | Enter BIOS/UEFI and ensure “Virtualization Technology” and “VT-d” are enabled. |
| Network disconnected | Firewall outbound rules are restrictive. Traffic to internal update servers, DNS, or domain controllers is blocked. | Review the firewall ruleset and create explicit allow rules for internal management IP ranges, WSUS servers, DNS, and authentication systems. |
| BitLocker key not stored | TPM (Trusted Platform Module) is not initialized or ready for BitLocker encryption. | Open TPM.msc to verify status. If unavailable, initialize the TPM from BIOS/UEFI or the OS. |
| RDP blocked unexpectedly | GPO or registry settings have disabled remote access or restricted access to authorized networks only. | Check the Remote Desktop configuration under System Properties > Remote Settings. |
| Risks | Potential consequences | Reversals |
| TPM misconfiguration or incorrect GPOs may cause boot failure or unrecoverable encryption | You may lose data due to a lack of recovery keys | Back up recovery keys to AD or Azure AD. |
NinjaOne services to scale PAW deployment
With NinjaOne, MSPs can scale PAW deployment, maintain standardization, and reduce risk without sacrificing productivity. Specifically, NinjaOne enhances the PAW strategy by:
- Deploying hardened baselines using GPO-equivalent policy scripts
- Running PowerShell scripts remotely to validate firewall, BitLocker, or app restrictions
- Monitoring admin workstation health and patch status
- Tagging PAWs separately in inventory for reporting, auditing, and compliance
- Alerting on unauthorized software installs or policy drift across PAW endpoints
Improve admin session security with greater control over user access controls.
Enable secure remote administration by implementing PAWs
Privileged Access Workstations separate sensitive admin activity from general-purpose computing. Isolating credentials and securing endpoints used for domain or system administration enables MSPs and IT teams to reduce the risk of breach escalation or identify compromise.
Related topics:
- What Is Privileged Access Management (PAM)?
- What Is Identity & Access Management (IAM)?
- What Is a Workstation?
- How to Enable or Disable Networking in Windows Sandbox
- Streamline Security and Permissions with Role Based Access Control
Quick-Start Guide
NinjaOne provides several security features that can support implementing Privileged Access Workstations (PAWs) for Technicians:
- Role-Based Access Control:
- NinjaOne offers granular technician roles and permissions
- You can create custom roles with specific access levels
- Technicians can be assigned roles with limited or controlled access to devices and systems
- Device Role Management:
- Ability to create and assign custom device roles
- Configure specific policies and access controls for different device types
- Supports advanced device role assignment upon registration
- Remote Access Controls:
- Configurable remote access settings
- Can restrict and control how technicians access devices
- Supports various remote access tools with granular permissions
- Security Scripts:
- Scripts to enhance security, such as:
- Disable Local Admin Tools
- Set Minimum Password Requirements
- Enable/Disable Windows Firewall
- Audit User Accounts
- Scripts to enhance security, such as:
While NinjaOne provides robust tools to support PAW implementation, you would need to combine these features with your organization’s specific security policies and additional hardening techniques to fully implement a Privileged Access Workstation strategy.
