Privileged Access Workstations (PAWs)
A Privileged Access Workstation is a hardened, dedicated machine that exists for one purpose: administering critical infrastructure without exposing credentials to everyday threats.
If you use the same laptop to check email and manage Domain Controllers, a single phishing email can give an attacker your Domain Admin credentials. A Privileged Access Workstation (PAW) solves this by being a completely separate, locked-down computer dedicated solely to admin tasks. No email. No web browsing. No personal files. Just a hardened machine that connects only to the systems you need to manage. Even if your regular workstation is fully compromised, your admin credentials are safe because they were never typed on that machine.
Semiconductor factories have "clean rooms" — sealed environments where workers wear full protective suits and the air is filtered to remove even microscopic particles, because a single speck of dust can ruin a chip. A PAW is the IT equivalent: a clean, isolated workstation stripped of email, browsing, and all unnecessary software, so that admin credentials are never exposed to the dust and dirt of everyday computing threats like phishing emails and drive-by downloads.
Key Takeaways
- PAWs are dedicated, hardened machines used exclusively for privileged administration.
- No email, web browsing, or personal use on a PAW — admin tasks only.
- Credential Guard (to keep LSA secrets out of reach of malware on the PAW itself) and application control (WDAC or AppLocker allow-listing) are essential PAW protections.
- Use Restricted Admin mode or Remote Credential Guard for RDP from a PAW, so that reusable credentials are never sent to the remote host; the host being administered must have Restricted Admin enabled for either to work.
- PAW tiers should match the tiered administration model (Tier 0 PAW for DCs, etc.).
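The Credential Guard, application-control and RDP takeaways above can be checked rather than assumed. The following PowerShell is an added example, not code from the original page: it queries the Win32_DeviceGuard class and the documented registry locations on the PAW, checks that a target host has Restricted Admin enabled (a prerequisite for both Restricted Admin mode and Remote Credential Guard), and launches mstsc with the matching switch. The function names, the pass/fail wording and the decision to treat missing HVCI or an audit-only policy as a finding are this example's own choices.

```powershell
# Added example: PAW posture check and credential-safe RDP launch.
# Run in an elevated PowerShell on the PAW. Requires the AppLocker module
# (present on Windows 10/11 and Server) for the AppLocker part of the check.

function Test-PawPosture {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Credential Guard and HVCI. SecurityServicesRunning lists running VBS
    #    services: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $hvciRunning      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    if (-not $credGuardRunning) { $findings.Add('Credential Guard is not running; LSA secrets are exposed to local malware.') }
    if (-not $hvciRunning)      { $findings.Add('HVCI (memory integrity) is not running.') }

    # 2. Application control. WDAC user-mode enforcement: 0 = off, 1 = audit,
    #    2 = enforced. Otherwise look for an effective AppLocker policy with at
    #    least one enabled, non-empty rule collection.
    $wdacEnforced = [bool]($dg -and ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2))
    $appLockerCollections = 0
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $appLockerCollections = @($pol.AppLockerPolicy.RuleCollection |
            Where-Object { $_.EnforcementMode -eq 'Enabled' -and $_.ChildNodes.Count -gt 0 }).Count
    } catch { }
    if (-not $wdacEnforced -and $appLockerCollections -eq 0) {
        $findings.Add('No enforced application control policy (WDAC enforced or AppLocker rules).')
    }

    # 3. Client-side RDP policy "Restrict delegation of credentials to remote
    #    servers" (Computer Configuration > Administrative Templates > System >
    #    Credentials Delegation). RestrictedRemoteAdministration = 1 turns it on;
    #    RestrictedRemoteAdministrationType selects Remote Credential Guard,
    #    Restricted Admin, or either. Reported raw here.
    $cd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' `
                           -ErrorAction SilentlyContinue
    if (-not $cd -or $cd.RestrictedRemoteAdministration -ne 1) {
        $findings.Add('RDP credential delegation is not restricted; require Restricted Admin or Remote Credential Guard.')
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CredentialGuard      = $credGuardRunning
        HVCI                 = $hvciRunning
        WdacEnforced         = $wdacEnforced
        AppLockerCollections = $appLockerCollections
        RdpDelegationType    = if ($cd) { $cd.RestrictedRemoteAdministrationType } else { $null }
        Findings             = $findings.ToArray()
        Pass                 = ($findings.Count -eq 0)
    }
}

# Target side: both Restricted Admin mode and Remote Credential Guard require
# DisableRestrictedAdmin = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on
# the host being administered. Uses WinRM (Invoke-Command) to read it.
function Test-RdpTargetRestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName           = $env:COMPUTERNAME
            RestrictedAdminEnabled = ($null -ne $lsa -and $lsa.DisableRestrictedAdmin -eq 0)
        }
    }
}

# Launch RDP without sending reusable credentials to the host.
# /remoteGuard keeps Kerberos on the PAW and forwards ticket requests;
# /restrictedAdmin logs on without credentials, so the session's own
# network identity is the host's machine account, not the admin's.
function Start-PawRdp {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateSet('RemoteGuard', 'RestrictedAdmin')][string]$Mode = 'RemoteGuard'
    )
    $switch = if ($Mode -eq 'RestrictedAdmin') { '/restrictedAdmin' } else { '/remoteGuard' }
    Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" -ArgumentList "/v:$ComputerName", $switch
}

# Usage: report on this PAW, verify a target (DC01 is a placeholder), then connect.
$report = Test-PawPosture
$report | Format-List
if (-not $report.Pass) { Write-Warning 'This machine does not meet the PAW baseline.' }
# Test-RdpTargetRestrictedAdmin -ComputerName 'DC01'
# Start-PawRdp -ComputerName 'DC01' -Mode RemoteGuard
```

Prefer Remote Credential Guard when the admin's own identity must be used for onward access from the session (the session still acts as the user via Kerberos), and Restricted Admin when it must not (the session cannot reuse the admin's credentials at all, but it also cannot reach other hosts as the admin). Either way the PAW never hands a reusable secret to the host; without one of them, a compromised target host can harvest the Domain Admin credential that RDP delivers to it.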
The most common AD compromise path starts with credential theft from an admin's daily-use workstation. A PAW closes that path by ensuring privileged credentials are never typed on, cached on, or delegated to untrusted systems; the remaining exposure is on the PAW itself and on the hosts it administers, which is why the PAW must be hardened to the same tier as the systems it manages.