Compartilhar via


Privileged Access Workstation(PAW)

At Ignite conference last month, Dean and I presented a session on PAW. Originally we were planning to just talk about the concept of PAW and how it is deployed in Microsoft. A week before the conference, we decide to share our early design based on the Windows 10 1709 release, so that we can gauge the interest from our customers about this solution, and make decision to as to whether we should build a backend service to support the solution.

The response was overwhelming, many customers came to visit us at the Expo during the conference, and signed up to evaluate the solution. It motivated us to speed up the development, so that we can offer a proof of concept. In the past few months, we have enrolled many customers to evaluate the solution, and gained valuable insight.

Meanwhile, I'm planning to write a series of blog posts that explain the details of the new PAW solution, from the host configuration to the template we are building. This blog is the first one in the series, aiming at providing an overview of the PAW solution.

Solution overview

Below is a high-level topology view of the deployment:

The PAW device is running the Windows 10 1709 release, which has a new feature "Guarded host"?. This feature supports the physical device performing remote health attestation against a Host Guardian Server (HGS) and running shielded VMs. If you would like to learn about the benefit of shielded VM, you can find more details here. The shielded VM was first introduced in Windows Server 2016 to protect virtual machines running sensitive workload, and is now made available in Windows client to run the PAW VMs.

The design of the PAW host is locked down to run the minimum set of binaries while moving all functionality into the virtual machines running on that host. Compared to the current PAW solutions that use separate physical machines running different workloads, this design is less costly and has better usability.

  • the desktop VM will handle user daily productivity workload, such as email, internet access;
  • the PAW VM will be dedicated for secure workload, which can be locked down, such as network access; application whitelisting etc.

One key backend service to support the PAW device is the HGS server. If you want to deploy the Host Guardian Server on-premises, you can follow this deployment document to set up the HGS server. For evaluation, you can create a single node HGS server, with self-signed certificates.

(Note: update 2018/04, the PAW TAP program has been closed for now. I have publish guidelines on how to deploy PAW on-prem  guide, see links below)

I also created user voice links, if you'd like to see this offered by Microsoft, please vote here:

HGS as service Azure PAW

Our goal is to build a simple solution for customers to deploy PAW, which offers a good user experience and does not require dedicated resources for ongoing operational management. We are inviting you to join us on this development journey.

I have purposefully stayed at a very high level in this first blog about the PAW solution. Deep dive blogs will follow. Feel free to share your questions in the comment section, so I can make sure to address in the upcoming posts.

Update

I have published a number of blog posts on the PAW solution, below is a reference list:

Comments

  • Anonymous
    October 13, 2017
    I can see why this garnered so much attention post-session. This is a very strong demo and offers a very intriguing solution for a difficult problem domain. Personally, I have a basic Azure VM and feel dirty doing a simple search on it in case I have to do so. Having a locked-down VM equivalent with a partitioned desktop as prescribed would be incredibly valuable to me as an Azure VM owner. Nothing beats the warm n' fuzzies when it comes to security. :) I hope this catches on and becomes the norm for Azure virtualization.
  • Anonymous
    October 15, 2017
    Hi,the demo was awesome and i'm already using PAW model in my organization and i have the same pain points that you mentioned regarding having two laptops and cost as well, I'm interesting to know more about this topic and i faced some issues related to the network configuration when i tried to have Tier0 & Tier1 on the same machine using Hyper-v on windows 10 client, So if you can share any article about network configuration and routing in this scenario it will be appreciated, Also please to consider this in development phase to make it much easier from enrollment perspective and to be light touch enrollment as well, Thanks and Good luck
    • Anonymous
      October 17, 2017
      @Ayman, I'm planning to have a dedicated article on networking from our networking experts. Stay tuned...For the enrollment, we are creating an ISO image which will provision the PAW host end to end. It will come out in a week.