Protecting high-value assets with secure admin workstations
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Certain types of security attacks are gaining prevalence in large organizational environments, and to say that IT teams are concerned is an understatement. Secure admin workstations (SAWs) can be invaluable in the security toolkit for any organization. Microsoft IT has discovered a particularly effective use for SAWs in protecting high-value assets. Learn what SAWs are, how Microsoft uses them, and why other organizations might adopt them.
Opinions vary as to what constitutes a high-value asset, but Microsoft generally categorizes its top 1 to 2 percent of assets as high-value assets. Typical examples in the software sector are source code and design specifications.
What are secure admin workstations?
Secure admin workstations (SAWs) are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks. Although SAWs can’t be considered a “silver bullet” security solution to these attacks, Microsoft has found these clients to be helpful as part of a layered, defense-in-depth approach to security.
One of the more damaging techniques attackers use to take over an ever-larger set of machines is the pass-the-hash (PtH) attack: credential hashes (or other reusable secrets) harvested from one compromised computer are replayed to authenticate to other computers, so a single phished desktop can become a foothold wherever its user’s credentials are accepted. A SAW counters this by keeping privileged credentials off the general-purpose workstation that reads email and browses the web. Read more about how to plan for and defend against PtH attacks in the white paper, “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft.” A link is provided in the For more information section.
Microsoft partners with manufacturers to build these devices, and what’s unique about them may be what they don’t include: software such as productivity suites and other utilities that are potentially vulnerable to malware and phishing attacks. For example, users can’t be tricked into clicking a link in an email phishing attack if they don’t have an email program running.
Microsoft relies on “application whitelisting” for this effort, meaning that unless it has specifically allowed something to run on the machine, it can’t. High-risk items don’t make the list. What does make the whitelist can vary, but the point of the process is to carefully vet the list and make security a high priority. Examples of applications and tools that made the whitelist for the Microsoft SAW program are:
- Enhanced Mitigation Experience Toolkit
- Remote Desktop Connection Manager
- System Center Endpoint Protection
- Azure RemoteApp
- Skype for Business
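The vetted-list approach above can be expressed directly as an AppLocker policy. The following is an added example, not Microsoft’s SAW build: it derives allow rules from a staging folder of approved binaries, starts in audit mode, and proves that a binary outside the vetted set is refused before enforcement is switched on. The paths under C:\SAW and the test executable are assumptions for illustration.

```powershell
# Added example (not Microsoft's SAW build): derive an AppLocker allow-list
# from a staging folder of vetted binaries, start in audit mode, and test a
# file that is NOT on the list before switching to enforcement.
# Assumptions: paths under C:\SAW are hypothetical; run elevated on the
# reference image (AppLocker cmdlets ship with Windows 8 / Server 2012 and later).

$approvedDir = 'C:\SAW\Approved'          # assumed staging folder of vetted tools
$policyXml   = 'C:\SAW\saw-applocker.xml' # assumed output path for review

# 1. Fingerprint every executable, DLL, script and installer in the vetted set.
$vetted = Get-AppLockerFileInformation -Directory $approvedDir -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller

# 2. Build allow rules: publisher rules for signed files (they survive vendor
#    updates from the same signer), hash rules as the fallback for anything
#    unsigned. Once enforced, AppLocker denies whatever matches no allow rule.
$xml = New-AppLockerPolicy -FileInformation $vetted -RuleType Publisher, Hash `
         -User Everyone -Optimize -Xml

# 3. A fresh policy comes out 'NotConfigured'. Flip every rule collection to
#    audit first so the Microsoft-Windows-AppLocker event logs show what WOULD
#    have been blocked without breaking the pilot users.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# 4. Prove the list is actually restrictive: a binary that is not in the vetted
#    set must come back 'Denied' (hypothetical path; any unsigned test EXE that
#    exists on disk will do).
$candidate = 'C:\Users\Public\Downloads\unvetted-tool.exe'
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidate -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. After the audit period, change AuditOnly to Enabled in the XML, apply it
#    locally (or via Group Policy), and make sure the Application Identity
#    service that AppLocker depends on starts automatically.
# Set-AppLockerPolicy -XmlPolicy $policyXml
# sc.exe config appidsvc start= auto
```

The order matters: audit first, then review the event log, then enforce. A SAW that enforces an allow-list built from an incomplete staging folder will block the very remote-access tools its users need, which is the fastest way to get an exception granted.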
In the context of protecting high-value assets, SAWs are used for making secure connections to those assets. And that’s pretty much their only function. As one principal IT service engineer puts it, “SAWs for high-value assets (HVAs) are like giant smartcards, identifying and authenticating that the user is allowed to get in the door.”
Who has access, and when?
Given the nature of HVAs, it’s understandable that an organization would want to restrict access to SAWs and have a process in place for how these machines are assigned and distributed. For Microsoft, the sequence follows this general pattern:
- An HVA environment has an owner. Employees who require access to the HVA request approval from the owner.
- If the request is accepted, the owner puts in a formal request to the SAW team to create a SAW device. The SAW team coordinates with the device manufacturer.
- The device manufacturer ships the device to Microsoft, and the SAW team images and hardens it. When Microsoft first receives the device, only the hardware side is secured: the BIOS passwords are set and the firmware configuration is locked down, but the device has no operating system and is not yet software-managed or controlled. Microsoft recommends keeping the time a SAW spends in this state as short as possible.
- The software-secured device is then sent to the user through interoffice mail rather than the postal system, so that the device never leaves Microsoft facilities. Users can also pick it up directly from the SAW team if that is more convenient.
- The user can now log in to the device with Microsoft credentials.
- The user can start the HVA remote access process.
After approved users have the SAW, they use it as needed to access the HVAs. In practice, the SAW becomes a second device for them, with their standard machine used for normal work and the SAW used for privileged work. Users experience a bit of a learning curve as they adjust to the limited functionality of the SAW. For more information about the user experience, see the Best practices and limitations section.
How SAWs are used in the HVA program at Microsoft
The SAW can include a limited version of Internet Explorer that is filtered and goes through a proxy to reach only the administrative sites users need.
From the SAW, users go to a web portal to check out a temporary password. The SAW itself grants no rights to any asset; it only provides a connection to a secure server, which in turn connects to the HVA environment. Specifically, the SAW lets users make a Microsoft Remote Desktop Protocol (RDP) connection through a bank of Remote Desktop Gateway servers dedicated to each environment that contains HVAs.
Figure 1. The network architecture involved in using SAWs to access HVAs
The HVA program at Microsoft is relatively small, considering the size of the organization. There are 30 to 40 users currently accessing HVAs through SAWs, although that number is expected to grow because of increased demand for HVA access.
When users no longer need the SAW device, they return it to the SAW team. The software is reimaged and, if necessary, the hardware itself is re-baselined (such as for BIOS changes). The device is then returned to inventory, where it becomes available for another user who has been granted access to the HVAs. (If any device is unaccounted for, Microsoft IT can place it in BitLocker recovery mode, with no BitLocker recovery key available. This effectively locks down the device and renders it unusable.)
Microsoft can keep the size of its inventory of SAW devices small, already imaged (or reimaged) and ready to go. This helps reduce costs for the program and allows the SAW team to be more nimble and responsive to requests that come in.
Best practices and limitations
For any organization that is considering using SAWs as a mechanism for isolation, Microsoft IT makes the following recommendations:
Use whitelisting. Always vet and approve anything to be put on the workstation. Users may occasionally ask for additional software or utilities to be added. IT should do a cost-benefit analysis to determine if the benefit of user productivity or convenience is worth the potential cost in terms of security.
This interplay or negotiation with users sometimes calls for creativity. For example, let’s say that a user requests a toolkit that requires local administrative rights on the machine when the user installs it. IT may be able to preinstall that toolkit on the system, so that it can run without those administrative rights, rather than granting users the administrative rights necessary to install it themselves. Users get what they need for productivity, but IT maintains the security that a SAW requires.
Make the handoff between the manufacturer (hardware) and the provisioning team (software) as short as possible. A device whose firmware is locked down but which carries no managed image yet is the least secure link in the chain.
Educate users about how to work with SAWs. For example, if users leave the device at home, they’ll need to go back and get it. There is no workaround for such a locked-down workstation.
Carefully track SAW inventory. Collect usage metrics on the devices, to look for stale computers and devices that aren’t being used. Many IT departments practice this already for their standard hardware and will find it easy to extend this to their SAW inventory as well.
Understand that even SAWs are not 100 percent secure. If persons with malicious intent gain physical access to the device, they could eventually break through its security layers and control it.
Realize that it’s more secure to enforce the use of SAWs to access HVAs than to allow exceptions. Microsoft uses a global enforcement mechanism, so that after a team agrees to use enforcement, everyone accessing the HVA must be using a SAW. Some teams find this difficult to do, so they don’t use enforcement and potentially expose their HVAs to a greater risk of unwanted access. Think of it this way: identity management is exception management.
Recognize that this is a relatively high-cost solution. In this scenario, IT buys two machines per employee—the SAW and the standard machine—rather than one.
Identify the minimum hardware requirements for a device that will be used as a SAW, primarily because of the chipset features it needs (for example, a TPM and the CPU virtualization extensions that Windows 10 features such as Device Guard rely on). Windows 10 will support these new hardware requirements.
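The page does not say how Microsoft’s global enforcement mechanism is built. One way to express the rule “only a SAW can reach the gateway bank in front of an HVA environment” (the architecture described under How SAWs are used, and the enforcement recommendation above) is a Remote Desktop Gateway connection authorization policy that requires both an approved user group and membership of the connecting computer in a SAW device group. The following is an added example with assumed group and policy names, not Microsoft’s implementation; the AuthMethod value mapping is an assumption to verify against the provider documentation.

```powershell
# Added example (assumption, not Microsoft's enforcement mechanism): require
# BOTH an approved user group AND a SAW computer group in an RD Gateway
# connection authorization policy (RD CAP), then audit every CAP on the
# gateway for one that admits any computer, which is an exception path.
# Run on an RD Gateway server; all names below are hypothetical.

Import-Module RemoteDesktopServices   # exposes the RDS: provider drive

$capName       = 'HVA-SAW-Only'
$userGroup     = 'HVA-Operators@contoso'   # assumed AD group of approved users
$computerGroup = 'SAW-Devices@contoso'     # assumed AD group of SAW computer accounts

# A CAP that names a computer group is checked against the client machine's
# computer account, so valid user credentials presented from an everyday laptop
# are refused at the gateway before any RDP session to the HVA network exists.
# AuthMethod 1 is assumed to mean password authentication; check the value map
# with: Get-Item "RDS:\GatewayServer\CAP\<existing CAP>\AuthMethod"
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
             -UserGroups $userGroup -ComputerGroups $computerGroup -AuthMethod 1
}

# Audit: "identity management is exception management". Every CAP that lists
# no computer group is a path by which a compromised everyday workstation can
# reach the gateway with stolen user credentials.
function Get-CapWithoutComputerGroup {
    foreach ($cap in Get-ChildItem 'RDS:\GatewayServer\CAP') {
        $groups = Get-ChildItem "RDS:\GatewayServer\CAP\$($cap.Name)\ComputerGroups" `
                      -ErrorAction SilentlyContinue
        if (-not $groups) {
            [pscustomobject]@{ CAP = $cap.Name; ComputerGroups = 'none (exception path)' }
        }
    }
}

Get-CapWithoutComputerGroup | Format-Table -AutoSize
```

On the SAW side, the RDP connection file in the image pins the gateway (the gatewayhostname and gatewayusagemethod settings of an .rdp file) so users never type a gateway address. Run the audit function on a schedule: a CAP without a computer group is exactly the kind of “just this once” exception the recommendation above warns against.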
What’s coming with Windows 10?
Interestingly, some of the security that SAWs provide by having dedicated hardware for the task will be built right into Windows 10 on the software side using Device Guard.
Device Guard is a combination of hardware and software security features that, when configured together, lock a device down so that it can run only trusted applications. If the application isn’t trusted, it can’t run—period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts, because the decision about what is allowed to run is made from a code integrity policy enforced by virtualization-based security rather than by the kernel the attacker has compromised.
For more information, see the Device Guard overview on MSDN (a link is provided in the For more information section).
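As an added example of the “only trusted applications” model described above, the following builds a Device Guard code integrity policy from a clean reference SAW image, deploys it in audit mode, and shows the step to enforcement. It uses the ConfigCI cmdlets that ship with Windows 10 Enterprise; the paths are assumptions and this is not Microsoft’s SAW configuration.

```powershell
# Added example (not from the page): build a Device Guard code integrity (CI)
# policy from a clean reference SAW image, deploy it in audit mode, and show
# the switch to enforced mode. Uses the ConfigCI module of Windows 10
# Enterprise. Paths are assumptions. Run elevated on the reference machine,
# never on one that still has unvetted software installed, since everything
# found by the scan becomes trusted.

$policyXml = 'C:\SAW\DG\SAW-CIPolicy.xml'
$policyBin = 'C:\SAW\DG\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Scan the reference image. Publisher-level rules survive signed updates;
#    unsigned files fall back to hash rules. -UserPEs includes user-mode
#    binaries so the policy covers applications, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs `
             -FilePath $policyXml

# 2. Rule options (indexes as documented for Set-RuleOption):
#    3 = Enabled:Audit Mode -> log violations instead of blocking (pilot phase)
#    0 = Enabled:UMCI       -> enforce for user-mode code as well
Set-RuleOption -FilePath $policyXml -Option 3
Set-RuleOption -FilePath $policyXml -Option 0

# 3. Convert to the binary form the kernel loads. Copied into the CodeIntegrity
#    folder (or delivered by Group Policy) it takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
# Copy-Item $policyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 4. After reviewing the Microsoft-Windows-CodeIntegrity/Operational audit
#    events, remove option 3 and regenerate the binary to enforce. Signing the
#    policy means it can only be replaced by one signed by the same key, which
#    is what stops a kernel-level attacker from simply deleting it.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

The audit phase is not optional: a code integrity policy generated from a reference image blocks, after the next reboot, anything the scan did not see, including the remote-access tooling a SAW exists to run if it was added after the scan.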
That said, for the highest-value assets, an organization may still want the level of isolation and restricted access that SAWs can provide. No single technique or even operating system is a perfectly secure solution, but combining the advantages of several techniques offers improved security overall.
For more information
- Device Guard overview
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft (Published July 2014)
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.