Network-segmentation-cheat-sheet
Level 4 with one computer (Privileged Access Workstation)
Level four can be achieved with only one physical computer on your desktop. One can use virtual machines and call it a Privileged Access Workstation: https://techcommunity.microsoft.com/t5/data-center-security/privileged-access-workstation-paw/ba-p/372274
It hurts a little less than two physical computers. ;)
@C0FFEEC0FFEE interesting. I need time to analyze.
@C0FFEEC0FFEE Do you have experience using this technology if so?
Yes
https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms
@C0FFEEC0FFEE what if an attacker takes over the Guarded host after PAW was started, what prevents him from using the PAW virtual machine?
I did not have time to read the article you linked. In my case I put the untrusted workload (e-mail, browsing the web, office work) into a VM running on the PAW with a vNIC bridged onto the physical NIC. The PAW itself has an always-on VPN connection into the data centre. In this case the only attack vector would be to break out of the hypervisor, which is the tradeoff compared to using two physical devices. The OS on the PAW is hardened and watched closely by EDR.
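The layout described in the comment above (an untrusted VM on the PAW whose vNIC is bridged onto the physical NIC, with the host keeping its own path for the always-on VPN), as an added Hyper-V PowerShell example; it is not code from the thread or from the cheat sheet, and the adapter, switch and VM names are assumptions.

```powershell
# Assumed names (not from the thread): adjust to the physical adapter on the PAW.
$PhysicalNic = 'Ethernet'
$SwitchName  = 'Untrusted-External'
$VmName      = 'Untrusted-Workloads'

# External switch bound to the physical NIC. The management OS keeps a vEthernet
# adapter on it so the PAW's always-on VPN can still reach the data centre.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $true | Out-Null
}

# Generation 2 VM for e-mail, browsing and office work; its vNIC lands on the bridged switch.
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB -SwitchName $SwitchName | Out-Null
}

# Limit what the untrusted guest can do on the shared segment and toward the host:
# no MAC spoofing, no rogue DHCP/router advertisements, no host<->guest file copy channel.
Set-VMNetworkAdapter -VMName $VmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
Disable-VMIntegrationService -VMName $VmName -Name 'Guest Service Interface'

# Check: the untrusted VM must be the only guest attached to the bridged switch.
$Guests = Get-VMNetworkAdapter -VMName * | Where-Object SwitchName -eq $SwitchName
if (@($Guests).Count -ne 1 -or $Guests.VMName -ne $VmName) {
    Write-Warning "Unexpected guests on ${SwitchName}: $($Guests.VMName -join ', ')"
}
```

The check at the end is the part worth re-running periodically: any second guest on that switch means the untrusted segment has quietly grown.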
That would not pass Australia IRAP; you would need 2 physically separate hosts if you were to have separation.