Protecting Privileged Accounts with Secure Access Workstations (SAW)
11/08/2024
This technical and educational article aims to guide security analysts, IT administrators and systems engineers in implementing Secure Access Workstations (SAW), also known as Privileged Access Workstations (PAW), to protect privileged accounts and tasks. SAWs are designed to create a highly secure and isolated computing environment, minimizing the risk of compromise of highly privileged accounts, which are the most valuable targets for attackers [1].
Introduction
Compromising privileged credentials is one of the most devastating attack vectors. The traditional approach of using the same workstation for administrative and productivity tasks (email, browsing) exposes privileged credentials to unacceptable risk. SAWs solve this problem by being dedicated and hardened computers, used exclusively for administrative tasks, following the Clean Source Principle: a higher security system should never be managed from a lower security system [2].
Why are SAWs crucial?
- Credential Isolation: Prevents privileged credentials from being exposed to less secure environments.
- Attack Surface Reduction: Minimizes the attack vectors available on the administrative workstation.
- Strict Control: Allows the application of strict security policies, such as application control, that would be impractical on general-purpose workstations.
Prerequisites
- Licensing: Windows 10/11 Enterprise. Tools like Microsoft Intune are highly recommended for management.
- Administrative Access: Privileges to configure security policies (GPO or Intune).
- Dedicated Hardware or Secure Virtualized Environment: Physical computers or isolated VMs.
Step by Step: Implementing a SAW
1. Defining the Tiering Model
Microsoft's privileged access model categorizes assets into tiers. A SAW is essential to protect access to the highest tiers:
- Tier 0: Direct control of the infrastructure (e.g. Domain Controllers, Azure AD Global Admins).
- Tier 1: Servers and mission-critical applications.
- Tier 2: End user workstations.
A Tier 0 SAW should only be used to administer Tier 0 resources.
2. SAW Provisioning and Hardening
- Clean Install: Install a clean copy of Windows 10/11 Enterprise. Do not install unnecessary software.
- Updates: Apply all the latest security patches.
- Windows Firewall: Configure the firewall to block all inbound traffic by default and only allow outbound traffic strictly necessary for administrative tasks (e.g. RDP to specific servers, access to cloud portals).
- Disable Unnecessary Services: Use PowerShell to disable non-essential services.
```powershell
# Example: disable the Print Spooler service, which a SAW does not need
Set-Service -Name "Spooler" -StartupType Disabled
Stop-Service -Name "Spooler"
```
- Apply Security Baselines: Use Microsoft or CIS (Center for Internet Security) security baselines to apply hundreds of security settings at once via GPO or Intune.
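The firewall posture described above (deny by default, allow only the administrative paths) expressed as PowerShell, as an added example that is not part of the original article. The Tier 0 server addresses, proxy address and ports are assumed placeholders; replace them with your own inventory.

```powershell
# Added example (not from the original article): lock down the SAW host firewall.
# Assumed values: Tier 0 targets and egress proxy are placeholders for illustration.
$Tier0Servers = @("10.0.0.10", "10.0.0.11")   # assumed: Domain Controller addresses
$ProxyServer  = "10.0.0.50"                   # assumed: proxy fronting the allowed cloud portals

# Block everything by default in both directions on every profile, and log what is
# dropped so the SIEM can see unexpected connection attempts from the SAW.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# Allow only what administration needs: RDP to the Tier 0 servers ...
New-NetFirewallRule -DisplayName "SAW: RDP to Tier 0 servers" -Direction Outbound `
    -Protocol TCP -RemotePort 3389 -RemoteAddress $Tier0Servers -Action Allow

# ... the core AD protocols the SAW needs to authenticate and run MMC snap-ins ...
New-NetFirewallRule -DisplayName "SAW: AD services to DCs (TCP)" -Direction Outbound `
    -Protocol TCP -RemotePort 53, 88, 389, 445, 636 -RemoteAddress $Tier0Servers -Action Allow
New-NetFirewallRule -DisplayName "SAW: AD services to DCs (UDP)" -Direction Outbound `
    -Protocol UDP -RemotePort 53, 88, 123 -RemoteAddress $Tier0Servers -Action Allow

# ... and HTTPS only to the proxy that allow-lists the administration portals.
New-NetFirewallRule -DisplayName "SAW: HTTPS via proxy" -Direction Outbound `
    -Protocol TCP -RemotePort 443 -RemoteAddress $ProxyServer -Action Allow

# Verify: every enabled outbound allow rule should be one you recognise.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile
```

Built-in rules such as Core Networking remain enabled after this; review the verification output and disable any that the SAW's tasks do not require.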
3. Implementing Application Control
This is one of the most important controls on a SAW. Only explicitly permitted applications should be able to run.
- Windows Defender Application Control (WDAC): It is the preferred and most secure technology. WDAC creates code integrity policies that are enforced at the kernel level, preventing any unauthorized software or scripts from running. The configuration is more complex, but offers the highest level of security [3].
- AppLocker: Easier to manage, but considered a legacy technology with known bypasses. It can be used as a complementary layer to WDAC for specific scenarios.
Basic implementation with AppLocker (via GPO):
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.
- Create the Default Rules to allow the Windows system files to execute.
- Create rules to only allow the executables, scripts and installers of the necessary administrative tools (e.g. mmc.exe, Remote Desktop Connection).
- Configure the Application Identity service to start automatically.
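The same allow-list built with the AppLocker PowerShell module instead of the GPO editor, as an added example that is not part of the original article. The tool list is assumed and illustrative; the Default Rules are expected to already exist on the host, as the steps above require.

```powershell
# Added example (not from the original article): build, dry-run and apply an AppLocker
# allow-list for the administrative tools named in the text. Tool list assumed.
Import-Module AppLocker

# AppLocker is only enforced while the Application Identity service runs. It is a
# protected service, so configure it with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto
sc.exe start appidsvc

# Administrative tools the SAW may run (assumed list; extend for your environment)
$AdminTools = @(
    "$env:windir\System32\mmc.exe",     # MMC host for AD Users and Computers etc.
    "$env:windir\System32\mstsc.exe"    # Remote Desktop Connection
)

# Publisher rules survive patching (the signer stays the same), so prefer them and
# fall back to a hash rule only for unsigned binaries.
$fileInfo  = Get-AppLockerFileInformation -Path $AdminTools
$policyXml = "$env:ProgramData\SAW-AppLocker.xml"
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -FilePath $policyXml -Encoding utf8

# Dry-run before enforcing: one tool we want and one we do not.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path "$env:windir\System32\mmc.exe", "$env:windir\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Merge into the local policy. -Merge keeps the Default Rules already created;
# applying this file alone would leave Windows itself unable to run.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```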
4. Restricting Access to the Internet and Local Resources
- Network Isolation: The SAW must be on an isolated VLAN or network segment, with strict firewall rules controlling inbound and outbound traffic.
- Browsing Blocking: Internet access must be blocked or, at a minimum, restricted to a very small list of trusted sites (e.g. portal.azure.com, portal.office.com) through a proxy server or firewall.
- Removable Media Blocking: Use device policies to block the use of USB drives and other removable storage.
- Separation of Accounts: The SAW user must be a standard user on the machine, not a local administrator. The account used to log into the SAW must not be the same account that holds domain or cloud privileges. Elevation of privileges should only occur when connecting to the target resource (e.g. using runas or entering credentials in the administration tool).
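Two of the local controls above applied through their policy registry values, plus an audit of the account separation rule, as an added example that is not part of the original article. The account names and proxy address are assumed; at scale these settings belong in GPO or Intune rather than a script.

```powershell
# Added example (not from the original article): apply removable-media blocking and the
# proxy restriction locally, then check account separation. Names and addresses assumed.
$SawUser       = "CONTOSO\saw-alice"      # assumed: standard account used to log into the SAW
$Tier0Accounts = @("CONTOSO\da-alice")    # assumed: Tier 0 admin account(s) of the same person

# GPO equivalent: Computer Configuration > Administrative Templates > System >
# Removable Storage Access > "All Removable Storage classes: Deny all access"
$rsd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
New-Item -Path $rsd -Force | Out-Null
Set-ItemProperty -Path $rsd -Name "Deny_All" -Type DWord -Value 1

# Send machine-wide HTTP(S) traffic through the proxy that allow-lists the admin portals
# (assumed proxy address); with no direct route, blocked sites simply do not resolve.
netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>"

# Separation of accounts: neither the SAW login account nor any Tier 0 account
# may be a member of the local Administrators group on the SAW.
$localAdmins = (Get-LocalGroupMember -Group "Administrators").Name
foreach ($acct in (@($SawUser) + $Tier0Accounts)) {
    if ($localAdmins -contains $acct) {
        Write-Warning "$acct is a local administrator on this SAW; remove it."
    }
}
```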
5. SAW Management and Maintenance
- Updates: SAW must have a rigorous process for receiving and applying security patches.
- Monitoring: SAW must be closely monitored by your SIEM (such as Microsoft Sentinel) and EDR solution (Microsoft Defender for Endpoint). Any anomalous activity should generate a high priority alert.
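One concrete detection the monitoring requirement implies: a Tier 0 account logging on from anything other than a SAW is a Clean Source Principle violation and deserves a high-priority alert. The following is an added example, not part of the original article; the Tier 0 account names and SAW host names are assumed and would come from your own inventory.

```powershell
# Added example (not from the original article): flag Tier 0 logons (event 4624) whose
# source workstation is not a SAW. Account and host lists are assumed placeholders.
$Tier0Accounts = @("da-alice", "da-bob")        # assumed: Tier 0 admin accounts
$SawHosts      = @("SAW-T0-01", "SAW-T0-02")    # assumed: Tier 0 SAW computer names

function Find-NonSawTier0Logon {
    param([Parameter(ValueFromPipeline)] $Record)   # System.Diagnostics.Eventing.Reader.EventLogRecord
    process {
        if ($Record.Id -ne 4624) { return }         # successful logon only
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($Tier0Accounts -notcontains $data['TargetUserName']) { return }
        $source = $data['WorkstationName']
        if ($SawHosts -contains $source) { return }  # expected path: came from a SAW

        # Anything left is a privileged logon from an unexpected device
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']           # 2 interactive, 3 network, 10 RDP
            Source    = $source
            SourceIp  = $data['IpAddress']
        }
    }
}

# Run against a Domain Controller's Security log for the last 24 hours.
# In production, forward 4624 to the SIEM and run the same logic there.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue | Find-NonSawTier0Logon
```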
Example of Daily Use
- The administrator logs into their user workstation (Tier 2) for productivity tasks (email, Teams).
- When they need to perform an administrative task (e.g. manage a Domain Controller), they physically move to their SAW (Tier 0) or connect to it via a secure method.
- On the SAW, they log in with their standard SAW user account.
- They open the administrative tool (e.g. Active Directory Users and Computers). The tool runs, and when connecting to the Domain Controller it uses their Domain Administrator (Tier 0) credentials.
- After completing the task, they close the tool and log out of the SAW. The Tier 0 credentials were never typed or exposed outside of the SAW.
Conclusion
Implementing Secure Access Workstations is an essential defense-in-depth measure to protect an organization's "keys to the kingdom." By isolating administrative tasks in a hardened, tightly controlled environment, SAWs break the attack chain that adversaries use to escalate privileges and move laterally. While it requires planning and discipline, investing in creating a secure management environment is one of the most important steps an organization can take to protect itself against advanced cyberattacks.
References
[1] Microsoft. (2023). Securing privileged access overview.
[2] Microsoft. (2023). Clean source principle.
[3] Microsoft. (2023). Windows Defender Application Control (WDAC).
[4] Microsoft. (2023). Privileged access model.