The PAW Survival Guide – An MMS Recap

I had the opportunity to present on The PAW Survival Guide: Deploying Secure Admin Workstations in Real Environments at MMS, and if you attended, here is a recap of the session we did.

This session was not about drawing perfect diagrams or selling a single “correct” architecture. It was about reality. About what actually breaks in real environments, why PAWs are still misunderstood, and how to deploy them in a way that administrators will actually use.

PAWs are one of those topics everyone agrees are important—until it’s time to deploy them.


Why PAWs Exist in the First Place

We started with a simple question: why do PAWs exist at all?

Most domain compromises still begin on a workstation. Not a domain controller. Not a server. A workstation. From there, credential theft enables lateral movement, privilege escalation, and eventually full control of the environment.

Admin workstations are high‑value targets because they sit at the intersection of power and exposure. EDR alone does not solve that problem. Once credentials are stolen, the game changes.

PAWs exist to isolate administrative credentials and sessions from everyday risk. They protect where you log on from—not just what you log on to.


Understanding What PAW Actually Protects

One of the most important clarifications we made early in the session is that PAWs are not about protecting devices. They are about protecting access paths.

PAWs protect:

  • Privileged credentials and tokens
  • High‑trust administrative sessions
  • Access paths to Tier 0 and Tier 1 assets
  • Management planes, both on‑premises and cloud

If an admin signs in from a compromised endpoint, the environment is already in trouble. PAW is the boundary that prevents that.


PAW Architectures: Theory Meets Reality

We walked through the classic, modern, and hybrid PAW architectures—not as marketing slides, but as lived experience.

The classic PAW is rigid and effective, but often operationally painful. The modern PAW, integrated with Entra ID and Conditional Access, offers better usability but introduces dependencies. And then there’s the hybrid PAW—the option most organizations actually land on.

In real environments, PAWs often become a minimal, hardened host running multiple isolated management VMs. It’s not pretty, but it works. And for roughly 90% of organizations, this is the pragmatic compromise between security and usability.

The key lesson here is that architecture choices are trade‑offs, not checkboxes.


Identity and Zero Trust: PAW as an Enforcement Point

PAW cannot stand alone.

We spent time connecting PAWs to identity and Zero Trust models. PAW becomes powerful when it is enforced through policy:

  • Separate admin identities
  • Conditional Access that only allows privileged roles from PAWs
  • Strong MFA and phishing‑resistant authentication
  • Just‑in‑time access instead of standing privilege
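
As an added illustration of the Conditional Access bullet above (this is not code from the session or from the PAWDeploy project), the following Microsoft Graph PowerShell snippet creates a report-only policy that blocks Global Administrator sign-ins from any device that is not tagged as a PAW. The PAW tag in extensionAttribute1, the report-only state and the break-glass placeholder are assumptions for this example; the Global Administrator role template ID is Microsoft's well-known value.

```powershell
# Added example (not part of the original post): report-only Conditional Access policy
# that blocks privileged-role sign-ins from anything that is not a tagged PAW.
# Assumption: PAW devices carry extensionAttribute1 = "PAW" in Entra ID.
# Requires the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Well-known role template ID for Global Administrator.
$globalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName = "PAW - block privileged roles from non-PAW devices"
    # Start in report-only mode and review sign-in log impact before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        users          = @{
            includeRoles = @($globalAdminRoleTemplateId)
            # Keep the emergency-access account out of scope (placeholder object ID).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # "exclude" mode targets every device EXCEPT those matching the rule, so
        # unregistered and untagged devices are all caught by the block below.
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```

Because the device filter evaluates the device record in Entra ID, the policy only works if PAWs are registered or joined and the tag is maintained as part of PAW lifecycle management.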

Privileged Identity Management helps—but it does not replace PAW. Without device isolation, credentials are still exposed.

PAW is where Zero Trust becomes real.


Lessons from the Field: What Actually Breaks

This was the most important part of the session.

PAWs fail for predictable reasons:

  • They are treated as a one‑time project
  • Admins bypass them due to friction
  • They are locked down so tightly that real work becomes impossible
  • Internet and email exceptions slowly creep back in
  • There is no lifecycle management

PAW is not the starting point of your security journey. It is an enforcement mechanism. Without executive sponsorship, clear workflows, and change management, PAWs will fail—quietly at first, and then catastrophically.


What Successful PAW Deployments Do Differently

Organizations that succeed with PAW do a few things consistently:

  • They start with Tier 0 and work downward
  • They treat PAW as a service, not a device
  • They define clear admin personas and workflows
  • They invest in usability, not just lockdown
  • They continuously improve instead of “finishing”

If PAW is painful, it will be bypassed. Every time.


Final Thoughts

If you take only one thing away from this session, let it be this:

Tiering is not about what you manage—it’s about what you can control.

PAW is mandatory for Tier 0. Strongly recommended for infrastructure and cloud admin roles. Usually unnecessary for standard users.

Deploy it deliberately. Operate it continuously. And design it for humans—not diagrams.

For more information about the session, you can find the official MMS listing here:
The PAW Survival Guide – MMS 2026
https://mms2026atmoa.sched.com/event/2HHHQ/the-paw-survival-guide-deploying-secure-admin-workstations-in-real-environments

Here is the link to my PAW tool. The current version is old, but the link will stay the same when we update it next week.

DeploymentBunny/PAWDeploy

Until next time

/DeploymentBunny

Categories: PAW, Security
