Secure High Privilege Credentials with Privileged Access Workstations


What kind of device do you use to manage your IT infrastructure, applications and data?

Do you use a general purpose workstation? A workstation on a dedicated management subnet? Any laptop or desktop you can get your hands on? A tablet? A phone?

No matter what device you use, that device needs to be hardened and designed from the ground up to protect high privilege credentials. Those high privilege credentials are your keys to the kingdom. Once an attacker gets hold of them, everything you have may end up in the hands of others.

The fact is that one of the most common methods attackers use to gain a foothold and move laterally through your network (often as part of an advanced persistent threat attack) is to harvest high privilege credentials from machines that weren't designed to protect against credential theft: every device on which a privileged account logs on leaves reusable credential material behind. With those credentials, they can slowly and silently weave through your infrastructure to gain access to what they want to steal, change or destroy.

And it doesn’t matter if the device you’re using is managing an on-premises environment, an Azure environment, or a hybrid IT infrastructure.

What you need is a Privileged Access Workstation (PAW). We have a lot of experience with workstations that are built for secure access to our cloud services, so we worked with Microsoft’s new Enterprise Cybersecurity Group to help them produce a set of documents that will help you create your own Privileged Access Workstations:

Separate

A lot of people throughout Microsoft worked on these documents: Microsoft Consulting Services Enterprise Security Group, Microsoft IT and other internal security teams, us (members of the Azure Security Engineering Team), Premier Field Engineers, and the Microsoft Content Services and International (CSI) team.

It was an intense labor of love, with a lot of ups and downs as we discovered, uncovered, and recovered from fits and starts and unexpected findings. In the end, we distilled guidance that we believe will make a significant difference in protecting your privileged access accounts so that your on-premises and Azure resources can be more secure.

Thanks!

Tom
Tom Shinder
Program Manager, Azure Security
@tshinder


