
9 Best Practices for Privileged Access Workstations

Writer: ServiceIT+

Updated: Feb 27



Implementing a Privileged Access Workstation: 9 Best Practices

To be secure and effective, a Privileged Access Workstation (PAW) must have certain essential attributes. These key characteristics are vital for protecting sensitive operations and minimizing cybersecurity risk.


  1. Hardened, Dedicated Assets

    A PAW should run on dedicated physical or virtual assets whose activity is actively monitored, including keystrokes, application launches, and command-line tool usage. Continuous real-time monitoring helps detect and address suspicious behavior promptly, adding an extra layer of security.

  2. Least Privilege

    Following the principle of least privilege is crucial. Every operation on the PAW should grant users the minimum permissions required for their tasks. Limiting access helps contain potential breaches, reducing the overall attack surface and making it easier to manage user permissions.

  3. Application Allow and Block Listing

    The PAW must use application allow and block listing to control which applications are permitted to run. Only authorized applications should be allowed, and unauthorized ones should be blocked. This prevents malicious software or harmful tools from being executed, further protecting the system from attacks.

  4. Modern Hardware with TPM Support

    PAWs should be installed on modern hardware that supports Trusted Platform Module (TPM), preferably version 2.0 or higher. TPM enhances security by enabling strong encryption methods and storing sensitive data, such as biometrics, securely. This ensures that only authorized users can access the PAW.

  5. Vulnerability and Patch Management

    To protect against exploits, the PAW should be actively managed for vulnerabilities, with automated patch management in place. This ensures that the system receives timely security updates and fixes, keeping it protected from known weaknesses and minimizing the risk of an attack.

  6. Multifactor Authentication (MFA)

    MFA should be a mandatory requirement to access sensitive resources on the PAW. For high-risk operations, step-up authentication adds an additional layer of security, ensuring that only authorized individuals can perform critical actions. This significantly reduces the likelihood of unauthorized access.

  7. Dedicated, Segmented Network

    PAWs must operate within a dedicated and trusted network, isolated from networks that may contain untrusted or potentially insecure devices. Network segmentation is crucial for preventing unauthorized access to the PAW and ensuring that it is protected from attacks originating from less secure networks.

  8. Wired Network Connection

    Only wired network connections should be used for PAWs. Wireless communications, such as Wi-Fi or cellular connections, are inherently less secure and vulnerable to interception. A wired connection ensures that communications are more secure, maintaining the integrity of the PAW’s operations.

  9. Physical Security

    Physical security measures are crucial, particularly for portable devices like laptops. Tamper-resistant cables and other security measures should be used to prevent device theft, especially in high-traffic areas. This protects the PAW from unauthorized physical access.
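Several of the attributes above can be verified on the workstation itself. The following read-only posture check is an added example, not part of the original post or any ServiceIT+ tooling; it assumes a Windows 10/11 PAW with the TrustedPlatformModule, BitLocker, AppLocker and NetAdapter PowerShell modules available, run from an elevated session, and reports each attribute that is not met.

```powershell
# Added example (not from the original post): read-only PAW posture check.
# Assumes Windows 10/11, elevated PowerShell, standard Microsoft modules present.
$findings = [System.Collections.Generic.List[string]]::new()

# 4. Modern hardware with TPM: Win32_Tpm reports presence and the spec version string
#    (for example "2.0, 0, 1.38"); anything not starting with 2.0 is flagged.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $findings.Add('TPM: no TPM reported by Win32_Tpm')
} elseif (-not $tpm.SpecVersion.StartsWith('2.0')) {
    $findings.Add("TPM: spec version '$($tpm.SpecVersion)' is below 2.0")
}

# TPM-backed disk encryption: the OS volume should have BitLocker protection on.
Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { $findings.Add("BitLocker: protection is off on $($_.MountPoint)") }

# 3. Application allow-listing: an effective AppLocker policy with at least one rule collection.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if (-not $policy -or @($policy.RuleCollections).Count -eq 0) {
    $findings.Add('AppLocker: no effective rule collections applied')
}

# 8. Wired only: any Wi-Fi or cellular adapter that is not disabled violates the requirement.
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -in @('Native 802.11', 'Wireless WAN') -and $_.Status -ne 'Disabled' } |
    ForEach-Object { $findings.Add("Network: wireless adapter '$($_.Name)' is not disabled") }

# Remote access to the PAW should not be permitted: check the Remote Desktop deny flag.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -ne 1) {
    $findings.Add('Remote Desktop: inbound connections are allowed')
}

if ($findings.Count -eq 0) { 'PAW posture check: no findings' } else { $findings }
```

The script changes nothing; each finding names the practice it maps to so the output can be attached to a build or audit record.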


While PAWs significantly improve security, they should not be used for activities such as internet browsing, accessing email, or messaging applications. Additionally, using insecure network connectivity such as Wi-Fi, connecting unauthorized USB devices, or permitting remote access to the PAW should be strictly avoided.


To streamline PAW operations and avoid the need for two physical devices, many organizations use virtualization technologies, which allow the PAW and the primary operating system to run on the same device. For better security, however, both systems should be virtualized on top of a hardened host OS, and segmentation between them should be maintained. If this is not feasible, the PAW should be fully isolated from the primary OS.


For more information on securing your PAW strategy and enhancing your organization’s cybersecurity, contact ServiceIT+ at inquiries@serviceitplus.com.


