Many companies are trying to better secure their administrative tools and sensitive data. Leveraging Privileged Access Workstations (PAW) is a good way to reduce the attack surface exposed by these sensitive tasks and systems. PAWs are separate client computing environments that can take advantage of added security measures like multifactor authentication (see our post on Six Design Factors for your MFA Deployment) and restricted internet access to protect against multiple threat vectors.
The key to a successful PAW implementation is making the user experience as simple as possible. Most systems that increase security come at a cost to user experience. There are several options for deploying a PAW experience. Today, we will focus on using VMware Horizon and NSX to deploy your PAW implementation. After years of experience in the space, we have dedicated a focus to delivering the platform to increase security with minimal impact to the user experience.
Here’s a quick overview of setting up Privileged Access Workstations within your organization.
Logical Account Separation
The first step to securing privileged access is to create separate accounts for users who need to perform administrative tasks. Many companies use the same username but add something like ADM or Admin to the beginning or end of the username. This makes remembering a second account easier for the end user.
These accounts are called “admin” accounts. It’s important to note that they should not be a member of the local workstation Administrators group or of any group granted interactive logon rights on ordinary workstations. These accounts should be restricted to specific workstations that are hardened to reduce the attack surface. It is difficult to maximize the effectiveness of PAW if you just create another account for users and let them log on to any workstation. You should also block internet access from these management accounts to remove the risk of internet-based vulnerabilities.
After creating the administrative accounts, you then start replacing any administrative privileges assigned to the standard accounts with the new administrative accounts. Implementing a sound Identity Management framework becomes foundational in this step of the journey.
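As an added example (not from the original post or from VMware), the following PowerShell puts the account-separation rules above into practice: it creates the paired “ADM-” account, restricts its logon to the PAW machines, and audits for drift. It assumes the RSAT ActiveDirectory module; the OU, group and PAW host names are placeholders you would replace with your own.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT). OU, group and host names below are placeholders.
Import-Module ActiveDirectory

$PawHosts     = 'PAW-01,PAW-02,PAW-03,PAW-04'         # hypothetical Horizon pool VMs
$AdminOU      = 'OU=Admin-Accounts,DC=example,DC=com'  # placeholder OU for admin accounts
$PawUserGroup = 'PAW-Users'                            # placeholder group entitled to the pool

function New-PawAdminAccount {
    param(
        [Parameter(Mandatory)][string]$StandardSam,        # e.g. 'jsmith'
        [Parameter(Mandatory)][SecureString]$InitialPassword
    )
    # Same person, separate identity: "ADM-" prefix per the naming convention above.
    $std    = Get-ADUser -Identity $StandardSam -Properties GivenName, Surname
    $admSam = "ADM-$StandardSam"

    New-ADUser -Name "$($std.GivenName) $($std.Surname) (Admin)" `
               -SamAccountName $admSam `
               -UserPrincipalName "$admSam@example.com" `
               -Path $AdminOU `
               -AccountPassword $InitialPassword `
               -ChangePasswordAtLogon $true `
               -Enabled $true

    # Only the hardened PAW machines may accept an interactive logon from this account.
    Set-ADUser -Identity $admSam -LogonWorkstations $PawHosts

    # Entitle the account to the Horizon PAW desktop pool via its AD group.
    Add-ADGroupMember -Identity $PawUserGroup -Members $admSam
}

function Test-PawAdminAccounts {
    # Drift check: any admin account with no workstation restriction can log on anywhere.
    Get-ADUser -Filter 'SamAccountName -like "ADM-*"' -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName,
            @{ n = 'Finding'; e = { 'No LogonWorkstations restriction' } }
}

function Test-PawLocalAdmins {
    # Run on a PAW itself: admin accounts must not be local Administrators there either.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -like '*\ADM-*' } |
        Select-Object Name,
            @{ n = 'Finding'; e = { 'Admin account is a member of local Administrators' } }
}
```

Run Test-PawAdminAccounts from a management host and Test-PawLocalAdmins on each PAW; an empty result from both means the separation described above is still intact.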
Designing the Workstation – Physical vs. Virtual
After logical account separation, you then create the physical separation for your Privileged Access Workstations for these administrative users.
Some companies provide separate dedicated hardware for PAW use. This requires your technical staff to have access to two devices: one for personal, work-related use and a second for administrative tasks.
Although this is the strongest security separation, the added desk space, hardware cost and degraded user experience make this solution less than ideal.
Going the Virtual Route…
A simpler solution would be to use VMware Horizon for VDI or Remote App access to the administrative tools. Deploying a pool of desktops that have the right admin tools installed and giving access to only the administrative users would be a good first step.
That pool could take advantage of multifactor authentication and be restricted to only administrative accounts. The pool of desktops could be used for either Remote App access or full desktop access. From there, you can easily restrict the account from using the internet.
This locked down virtual desktop becomes a secure avenue for all administrative tasks.
High Level Design Considerations
Using Remote Applications presented from these Windows 10 virtual desktops allows for a better user experience. VMware Horizon provides users the ability to add start menu or desktop shortcuts to access these Remote Applications. We walked through the basics of Master Image Design recently. That previous post is a great starting point for the discussion.
Opening these shortcuts launches the Horizon Client and prompts the user for credentials. After a secure logon, the application will launch and look like it is running locally.
Networking Security & Automation
Adding an additional layer of security by implementing the NSX Service-defined Firewall would further harden these PAWs. Using NSX to deploy micro-segmentation policies on a per-user basis allows very granular control of what the administrative user can access. If the user is not in the correct security group when they log on, they will be denied access to systems or tools they haven’t been granted the right to use.
“How do I know what firewall rules need to be added for all of my different applications?”
Good question! We can use vRealize Network Insight to gain visibility into all the different traffic patterns across your data center, and then use the data vRealize Network Insight collects to build the firewall rules in the NSX Service-defined Firewall.
Starting the Journey
You don’t have to take this process on in one big project. A phased approach with continuous improvement will increase the chances of success.
Wherever you are on the journey, we’re glad to help, be it architecting secure administrative accounts, integrating MFA, or just implementing an optimized Horizon pool of desktops. Feel free to leverage our experience to help you find some quick wins to get you started on securing your administrative tools and processes.
Hit us up in the chat or give us a call at (616) 202-6518.