← All controls

51 Privileged Access Workstation for admins

A dedicated, hardened device from which admins do all Admin Console and Cloud Console work, so a privileged session never lives on the same machine that reads mail and browses the web. On its own it is only a convention; the enforcement half is a device-bound Context-Aware Access level that only the PAW can satisfy, configured in 14 Basic Context-Aware Access (IP/geo) and 27 Device-trust CAA via MDM.

Caveats

This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.

Ongoing maintenance

How to verify

  1. Search the login audit log for the admin accounts and check every session originates from the PAW’s egress IP — an admin session from a daily-driver machine is the finding.

v0.0.3Preventedition All (CAA gating: Ent/Edu/Frontline Std+, Ent Essentials Plus) policy #4 · #25 ↗