# 51 Privileged Access Workstation for admins

> v0.0.3 · role: Prevent · edition: All (CAA gating: Ent/Edu/Frontline Std+, Ent Essentials Plus) · [policy: #4 · #25](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A dedicated, hardened device from which admins do all Admin Console and Cloud Console work, so a privileged session never lives on the same machine that reads mail and browses the web. On its own it is only a convention; the enforcement half is a device-bound Context-Aware Access level that only the PAW can satisfy, configured in [14 Basic Context-Aware Access (IP/geo)](caa-basic.md) and [27 Device-trust CAA via MDM](device-trust-caa.md).

Documentation: [Security best practices for administrator accounts](https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts) · [Protect your business with Context-Aware Access](https://knowledge.workspace.google.com/admin/security/protect-your-business-with-context-aware-access)

## Caveats

- Without a CAA gate the PAW is just a convention — the gate needs Enterprise Standard+, Education Standard+, Frontline Standard+, Enterprise Essentials Plus or Cloud Identity Premium; without it an admin can still sign in from their daily-driver laptop and nothing objects.
- It only covers the sessions that actually start there — one admin doing 'just one thing' from the everyday laptop spends the whole control.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[automatable: script]** Keep the PAW patched and its allowed-software image current.
- **[requires a human]** Quarterly: attest the PAW is still used exclusively for admin work and holds no browsing profile.

## How to verify

1. Search the login audit log for the admin accounts and check every session originates from the PAW’s egress IP — an admin session from a daily-driver machine is the finding.
