By ServiceIT+

Implementing a Privileged Access Workstation: 9 Best Practices

Updated: Mar 13


Below are the attributes that should be present to ensure the optimum security and effectiveness of a PAW:

  1. Uses hardened, dedicated assets (physical or virtual), which are actively monitored for all activity—from keystroke logging to application launches and command line tools

  2. Operates with the concept of least privilege for every operation

  3. Operationalizes application allow and block listing

  4. Is installed on modern hardware with a TPM (Trusted Platform Module) 2.0, which anchors the disk-encryption keys (e.g. BitLocker), measured boot and device attestation, and the protection of biometric and Windows Hello credentials in hardware

  5. Managed for vulnerabilities, and automated for timely patch management to ensure the software itself is not exploited

  6. Requires MFA for authentication into sensitive resources and step-up authentication, or even change control, for the most sensitive operations

  7. Operates on a dedicated or trusted network that is segmented away from networks that may have potentially unsecure devices

  8. Only uses a wired network connection. Wireless communications of any type are unacceptable for PAWs

  9. Is physically secured with a cable lock (Kensington-style security cable) to deter device theft (especially a concern if the PAW is a laptop in a high-traffic area)

While a PAW provides increased security for any cloud administrator, it should never be used for:

  • Browsing the Internet, regardless of browser

  • Email and messaging applications

  • Activity over unsecure network connectivity, such as Wi-Fi or cellular

  • Use with USB storage media or unauthorized USB peripherals

  • Remote access into the PAW from any workstation

  • Installing or running applications or services that would undo its hardening and leave it vulnerable later
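Most of the attributes above (monitoring, allow listing, TPM 2.0 and disk encryption, patching, wired-only networking) and the bans on wireless, USB storage and inbound remote access can be checked on a Windows PAW with the script below. It is an added example, not code from the original article: it assumes Windows 10/11 Pro or Enterprise with the built-in BitLocker, AppLocker, TrustedPlatformModule and NetAdapter modules, and the 30-day patch window is an arbitrary threshold. Run it elevated; it is read-only unless -Enforce is given.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: audit a Windows 10/11 PAW
# against the attributes and prohibited uses listed above. Read-only by
# default; -Enforce applies the three remediations that are plain adapter and
# registry changes. The 30-day patch window is an assumption.
[CmdletBinding()]
param([switch]$Enforce, [int]$MaxPatchAgeDays = 30)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Monitoring: PowerShell script block logging and command-line process auditing on
$sbl = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging
$cmd = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
Add-Check 'Command and script logging enabled' ($sbl -eq 1 -and $cmd -eq 1) "ScriptBlockLogging=$sbl ProcessCmdLine=$cmd"

# 3. Allow listing: WDAC enforced in user mode (2 = enforced) or an AppLocker policy in effect
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$wdac = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2
$appLocker = @((Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections).Count -gt 0
Add-Check 'Application allow listing enforced' ($wdac -or $appLocker) "WDAC=$wdac AppLocker=$appLocker"

# 4. TPM 2.0 present and ready; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"
$tpm = Get-Tpm
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
Add-Check 'TPM 2.0 present and ready' ($tpm.TpmPresent -and $tpm.TpmReady -and "$spec" -like '2.0*') "SpecVersion=$spec"

# 4 (cont.) Disk encryption that the TPM protects
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Check 'OS volume BitLocker protection on' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"

# 5. Patching: most recent hotfix inside the window
$last = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
Add-Check "Patched within $MaxPatchAgeDays days" ($last -and $last -gt (Get-Date).AddDays(-$MaxPatchAgeDays)) "LastHotfix=$last"

# 8. Wired only: no enabled Wi-Fi, cellular or Bluetooth network adapters
$radios = Get-NetAdapter | Where-Object { $_.PhysicalMediaType -in 'Native 802.11', 'Wireless WAN', 'BlueTooth' -and $_.Status -ne 'Disabled' }
Add-Check 'No active wireless adapters' (-not $radios) (($radios.Name) -join ', ')

# No USB storage: USBSTOR driver start type 4 = disabled
$usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start
Add-Check 'USB storage driver disabled' ($usb -eq 4) "USBSTOR.Start=$usb"

# No remote access into the PAW: Remote Desktop connections denied
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
Add-Check 'Inbound Remote Desktop denied' ($rdp -eq 1) "fDenyTSConnections=$rdp"

if ($Enforce) {
    if ($radios) { $radios | Disable-NetAdapter -Confirm:$false }
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Write-Host 'Remediations applied; re-run without -Enforce to confirm.'
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The non-zero exit code lets the script run as a scheduled compliance check: a PAW that drifts from the baseline (a re-enabled Wi-Fi adapter, a missed patch cycle) is flagged before it is used for privileged work. The remaining attributes (least privilege, MFA and step-up authentication, network segmentation) are enforced in the directory and on the network rather than on the workstation itself, so they are not checked here.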

To avoid two physical computers, many organizations use virtualization (VMware, Microsoft Hyper-V, Parallels, Oracle VirtualBox, etc.) so that a single device runs the PAW side by side with an everyday environment. The key design point is the direction of trust: a virtual machine is never more trustworthy than the host that runs it, because the host controls the guest's memory, disk, keyboard and display. The preferred layout is therefore a hardened, minimal host OS that runs both the daily-productivity environment and the PAW as separate virtual machines. Where that is impractical, the hardened environment should be the host and the daily-productivity OS the guest, not the reverse: a PAW running as a guest under a host that browses the web and reads email inherits every compromise of that host. In either layout the PAW must be isolated from the other environment (no shared clipboard, file transfer, drive or device redirection) and must never double as the daily productivity machine.
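The isolation described above, for a PAW that runs as a Hyper-V guest on a hardened Windows host, as an added example that is not code from the original article. It assumes a Generation 2 virtual machine named 'PAW' that is powered off (the virtual TPM and key protector changes require that) and a virtual switch named 'AdminNet' attached to the dedicated admin network; both names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: remove the host/guest
# sharing channels from a Hyper-V guest used as the PAW and give it a vTPM.
# Assumes a powered-off Generation 2 VM named 'PAW' and a virtual switch
# 'AdminNet' on the admin network; both names are placeholders.
param([string]$VMName = 'PAW', [string]$AdminSwitch = 'AdminNet')

# Enhanced Session Mode is the host-wide channel that carries clipboard,
# drive and device redirection into guests. Turn it off for every VM on the host.
Set-VMHost -EnableEnhancedSessionMode $false

# Guest Service Interface is the host-to-guest file copy path (Copy-VMFile).
Disable-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'

# Secure Boot plus a virtual TPM give the guest what attribute 4 asks for:
# BitLocker, measured boot and Windows Hello keys rooted in a TPM. A local key
# protector must exist before Enable-VMTPM on hosts without a guardian service.
Set-VMFirmware -VMName $VMName -EnableSecureBoot On
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

# Checkpoints write guest memory (including cached credentials) to disk; disable them.
Set-VM -Name $VMName -AutomaticCheckpointsEnabled $false -CheckpointType Disabled

# Attribute 7: the guest sees only the admin network, never the host's daily-use network.
Get-VMNetworkAdapter -VMName $VMName | Connect-VMNetworkAdapter -SwitchName $AdminSwitch

# Read the resulting state back so the configuration can be verified, not assumed.
function Test-PawGuestIsolation([string]$Name, [string]$Switch) {
    $esm  = (Get-VMHost).EnableEnhancedSessionMode
    $gsi  = (Get-VMIntegrationService -VMName $Name -Name 'Guest Service Interface').Enabled
    $sb   = (Get-VMFirmware -VMName $Name).SecureBoot
    $tpm  = (Get-VMSecurity -VMName $Name).TpmEnabled
    $ckpt = (Get-VM -Name $Name).CheckpointType
    $nets = Get-VMNetworkAdapter -VMName $Name | Where-Object SwitchName -ne $Switch
    [pscustomobject]@{
        EnhancedSessionOff = -not $esm
        FileCopyOff        = -not $gsi
        SecureBoot         = $sb -eq 'On'
        vTPM               = [bool]$tpm
        CheckpointsOff     = $ckpt -eq 'Disabled'
        AdminNetOnly       = -not $nets
    }
}
Test-PawGuestIsolation -Name $VMName -Switch $AdminSwitch | Format-List
```

Every property in the final object should read True before the guest is used for privileged work. Note that these settings only remove the sharing channels; they do nothing about the trust direction, so they are worth applying only when the host itself is the hardened environment.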

To learn more about Privileged Access Management , contact us at


