The most common response to domain controller vulnerability advice — whether from this publication, Microsoft documentation, or post-incident analysis — is agreement that PAWs would have helped, followed by deferral because PAW deployment is operationally disruptive. The disruption is real. The consequence of continued deferral is also real, as CVE-2026-41089 demonstrated: domain administrators authenticating to domain controllers from standard workstations create a credential exposure path that no amount of network segmentation fully addresses.
What Makes a PAW Effective
A PAW is not a hardened workstation for general use. It is a single-purpose machine whose attack surface is designed specifically around administrative tasks. Its effectiveness comes from the combination of:
No internet access: The majority of initial access techniques (phishing, drive-by download, browser exploitation, malvertising) require internet connectivity. A PAW with no route to the internet eliminates these vectors entirely. An administrator checking email on a PAW defeats the purpose; the PAW should have no email client, no browser (beyond what is needed for vendor portals accessed via proxy), and no general-purpose applications.
Physical or strong logical isolation: PAW machines are connected only to the management network, not the corporate user network. A PAW that is connected to both the management network and the user VLAN is not a PAW — it is a dual-homed workstation that inherits both attack surfaces.
Minimal software: The PAW runs the operating system, security monitoring software, and administrative tools (ADUC, DNS Manager, Group Policy Management Console, PowerShell with RSAT modules). No productivity suite, no document viewer beyond what is required for administrative procedures.
Strong device integrity: UEFI Secure Boot enabled. BitLocker protecting the disk. Windows Defender Application Control (WDAC) restricting execution to signed administrative tools. Automatic lock after 5 minutes of inactivity.
Deployment Architecture
Hardware options:
Dedicated physical hardware is the strongest option. The PAW is a separate machine that administrators physically use only for administrative tasks. This eliminates any software isolation bypass risk. Appropriate hardware: a business-class laptop (Dell Latitude 7000 series, HP EliteBook, Lenovo ThinkPad T-series) with TPM 2.0.
Hardened admin jump server accessed from a PAW client: a Remote Desktop or Windows App session to a dedicated jump server on the management network, authenticated from a locked-down client device. The client device must still meet PAW standards — this approach does not relax client security requirements.
Admin Secure Workstation (ASW) on VM: A dedicated VM on a workstation hypervisor that connects to the management network via a separate virtual NIC, with the host operating system never connecting to the management network. This approach requires trusting the hypervisor and is less preferred than dedicated hardware.
Network configuration:
- Management VLAN: reachable from PAWs, reaches DC network on required administrative ports (RDP 3389, WinRM 5985/5986, LDAP 389/636)
- DC network: reachable from management VLAN, NOT reachable from corporate user VLAN
- PAW management interface: no route to internet; allowed egress only to management VLAN and necessary update services (WSUS, Windows Update via proxy)
Group Policy for PAW:
Apply a dedicated GPO to the PAW OU:
- Restrict interactive logon to PAW: only T0-Admins and T0-ServiceAccounts
- Enable BitLocker with TPM requirement
- Enable WDAC policy (start with audit mode to identify applications, then switch to enforcement)
- Enable Credential Guard
- Configure Windows Update to use internal WSUS (no direct internet Windows Update)
- Disable all unnecessary services: Bluetooth, Wi-Fi (PAW uses wired management network), print spooler
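As an added example that is not part of the original article, the following PowerShell audit checks a host against the device-integrity and GPO settings listed above, reporting each control as OK or FAIL. It assumes it runs elevated on the PAW itself, that the 5-minute lock is delivered through the InactivityTimeoutSecs policy value, and that any default route counts as internet reachability (the script does not know your management VLAN).

```powershell
# Constructed PAW baseline audit (added example, not the article's own script).
# Assumes: run elevated on the PAW; standard Windows service names, CIM class and
# policy registry paths; any 0.0.0.0/0 route is treated as a "has internet" finding.
$Findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Control, [bool]$Compliant, [string]$Detail) {
    if (-not $Compliant) { $Findings.Add("$Control : $Detail") }
    '{0,-26} {1}' -f $Control, $(if ($Compliant) { 'OK' } else { "FAIL - $Detail" })
}

# UEFI Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
try { Add-Finding 'UEFI Secure Boot' (Confirm-SecureBootUEFI) 'not enabled' }
catch { Add-Finding 'UEFI Secure Boot' $false 'legacy BIOS or not supported' }

# BitLocker on the OS volume with a TPM-based key protector
$os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpm = $os.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
Add-Finding 'BitLocker (TPM)' ($os.ProtectionStatus -eq 'On' -and $tpm) 'OS volume not TPM-protected'

# Credential Guard and WDAC state from the DeviceGuard CIM class
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Finding 'Credential Guard' ($dg.SecurityServicesRunning -contains 1) 'not running'
# UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
Add-Finding 'WDAC enforced' ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2) "status $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# Services the baseline disables: Bluetooth, Wi-Fi, print spooler
foreach ($svc in 'bthserv', 'WlanSvc', 'Spooler') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Finding "Service $svc" (-not $s -or $s.StartType -eq 'Disabled') "StartType $($s.StartType)"
}

# No default route: egress should be limited to the management VLAN
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
Add-Finding 'No default route' (-not $default) "default route via $($default.NextHop -join ',')"

# Machine inactivity limit (seconds) of 5 minutes or less
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $pol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
Add-Finding 'Inactivity lock <= 5 min' ([bool]$timeout -and $timeout -le 300) "InactivityTimeoutSecs=$timeout"

# Windows Update pointed at internal WSUS rather than directly at the internet
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Finding 'WSUS in use' ($au.UseWUServer -eq 1) 'UseWUServer not set'

"`n$($Findings.Count) finding(s)"
```

Run it after the GPO has applied (gpupdate /force) and again after switching WDAC from audit to enforcement, so the report shows the baseline actually landed on the device rather than only in the GPO.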
Handling Operational Resistance
The most common operational objection is convenience: administrators want to do administrative tasks from their regular workstations. The response to this objection must be calibrated to the risk:
In a post-CVE-2026-41089 environment, the cost of a domain compromise — krbtgt rotation, credential rotation for all service accounts, DC rebuild, potential ransomware response — is measurable in days of operations disruption and incident response costs. The inconvenience of working from a dedicated PAW for Tier 0 tasks is real but orders of magnitude smaller than that cost.
Start with a PAW pilot for the smallest number of Tier 0 administrators (often 3–5 people in a mid-sized organisation). Address the specific workflow friction points identified during the pilot before expanding. The goal is a security control that administrators use consistently — a PAW that administrators work around is less useful than one they accept as normal workflow.