Do you use: A general purpose workstation? A workstation on a dedicated management subnet? Any laptop or desktop you can get your hands on? A tablet? A phone?
No matter what device you use – that device needs to be hardened and designed from the ground up to protect high privilege credentials. Those high privilege credentials are your keys to the kingdom. Once an attacker is able to get those, everything you have might end up in the hands of others.
The fact is that one of the most common methods attackers use to gain a foothold and move laterally through your network (often as part of an advanced persistent threat attack) is to extract high privilege credentials from machines that aren’t designed to protect against credential theft. With those credentials, they can slowly and silently weave through your infrastructure to gain access to what they want to steal, change or destroy.
And it doesn’t matter if the device you’re using is managing an on-premises environment, an Azure environment, or a hybrid IT infrastructure.
What you need is a Privileged Access Workstation (PAW). We have a lot of experience with workstations that are built for secure access to our cloud services, so we worked with Microsoft’s new Enterprise Cybersecurity Group to help them produce a set of documents that will help you create your own Privileged Access Workstations:
- Securing Privileged Access – A clear view of design recommendations for securing privileged access; this document will help guide you on how to protect against attacks on privileged accounts and hosts
- Privileged Access Workstations – Explicit and prescriptive information on how to install and configure a privileged access workstation; this is a key part of the secure privileged access solution and a critical defense against credential theft attacks like pass-the-hash
- Securing Privileged Access Reference Material – reference material that we use regularly, including the administrative tier model and the clean source principle
- How to Enable Restricted Mode for Remote Desktop – an important configuration step required when you use RDP with high privilege credentials.
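As an added example that is not part of the original post or of the linked documents, the following PowerShell audits whether a managed host has Restricted Admin mode for Remote Desktop enabled, enables it where it is not, and shows the matching client-side connection from the PAW. It assumes the Windows LSA registry value DisableRestrictedAdmin (0 = mode enabled, absent or non-zero = disabled) and the mstsc.exe /RestrictedAdmin switch, both as documented for Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example; not code from the original post or from Microsoft's guidance documents.
# Assumed setting: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin (DWORD).
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-RestrictedAdminMode {
    # Returns an object describing whether Restricted Admin mode is enabled on this host.
    $prop = Get-ItemProperty -Path $LsaPath -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the host still accepts full credentials over RDP, which an attacker on
        # a compromised host could harvest from the session.
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Enabled = $false; Reason = 'DisableRestrictedAdmin not set' }
    }
    $enabled = ($prop.DisableRestrictedAdmin -eq 0)
    return [pscustomobject]@{ Host = $env:COMPUTERNAME; Enabled = $enabled; Reason = "DisableRestrictedAdmin=$($prop.DisableRestrictedAdmin)" }
}

function Enable-RestrictedAdminMode {
    # Sets the value to 0 (enabled). Requires local administrator rights on the managed host.
    if (-not (Test-Path $LsaPath)) { throw "LSA key not found at $LsaPath" }
    Set-ItemProperty -Path $LsaPath -Name 'DisableRestrictedAdmin' -Type DWord -Value 0
    return Test-RestrictedAdminMode
}

# Audit first; enable only where the check fails.
$state = Test-RestrictedAdminMode
Write-Output ("{0}: Restricted Admin mode enabled = {1} ({2})" -f $state.Host, $state.Enabled, $state.Reason)
if (-not $state.Enabled) {
    $state = Enable-RestrictedAdminMode
    Write-Output ("{0}: now enabled = {1}" -f $state.Host, $state.Enabled)
}

# Client side, typed on the PAW: the session authenticates without sending the admin's
# reusable credentials to the remote host. Trade-off: the session's outbound network
# access runs under the remote host's computer account, so a second hop from that session
# does not carry the admin's identity.
# mstsc.exe /RestrictedAdmin /v:<managed-host>   (placeholder host name)
```

Run the audit from the PAW against each Tier 0 host before relying on RDP with high privilege credentials; the trade-off in the final comment is why the clean source principle still applies to the host you connect to.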
A lot of people throughout Microsoft worked on these documents – Microsoft Consulting Services Enterprise Security Group, Microsoft IT and other internal security teams, us (members of the Azure Security Engineering Team), Premier Field Engineers, and the Microsoft Content Services and International (CSI) team.
It was an intense labor of love, with a lot of ups and downs as we discovered, uncovered, and recovered from fits and starts and unexpected findings. In the end, we distilled guidance that we believe will make a significant difference in protecting your privileged access accounts so that your on-premises and Azure resources can be more secure.