What Is a PAW
A practical introduction to Privileged Access Workstations — what they are, why they matter, and how they fit into a broader privileged access strategy.
Definition
A Privileged Access Workstation (PAW) is a dedicated, hardened device or environment used exclusively for administrative tasks. It is not used for email, web browsing, or any general-purpose computing.
The purpose of a PAW is isolation — ensuring that privileged sessions happen in a clean, controlled context that is separate from the threats present in everyday computing.
Why PAWs matter
The most common attack path to Tier 0 compromise starts at the endpoint. If an admin performs privileged actions from the same device they use to read email, browse the web, or open documents, a single compromise of that device can lead directly to full environment takeover.
PAWs break this attack path by introducing a boundary between user activity and admin activity.
PAW is not a single product
A PAW can be implemented in several ways:
- Physical PAW — a dedicated hardware device, locked down and managed separately
- Virtual PAW — a VM running on a managed hypervisor, isolated from the host OS
- Windows 365 Cloud PC — a cloud-hosted desktop dedicated to admin tasks
- Azure Virtual Desktop (AVD) — a session-based virtual desktop for privileged access
Each approach has trade-offs in cost, complexity, user experience, and security assurance. The right choice depends on the organisation’s environment, risk posture, and operational constraints.
Common misconceptions
- “A PAW is just a locked-down laptop.” — A PAW is a concept, not a specific device. The key requirement is isolation.
- “We use Conditional Access, so we don’t need PAWs.” — Conditional Access evaluates identity and device signals at authentication time. It does not isolate the session from endpoint threats: malware already on the device can capture credentials or ride the authenticated session after the policy has passed.
- “PAWs are too expensive.” — Cloud-hosted PAW options (Windows 365, AVD) reduce hardware costs significantly. The device used to connect to the cloud PAW still matters, since a keylogger or screen capture on a compromised general-purpose endpoint sees the privileged session regardless of where it runs.
- “Only large enterprises need PAWs.” — Any organisation with Tier 0 admin access has the same risk. The scale differs; the threat does not.
Where PAWs fit in the framework
PAWs are a primary mechanism within the Isolation pillar of the Privileged Path Framework. They work alongside:
- Conditional Access device filters
- Network segmentation
- Administrative tiering
- Session-level controls
PAWs are important. But they are one part of a complete privileged access strategy — not the whole thing.
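As an added example (not code from the original page or from the Privileged Path Framework), the following PowerShell shows one way to back the Conditional Access device filter listed above and to answer the “we use Conditional Access” misconception: holders of Tier 0 roles are blocked from authenticating anywhere except from devices tagged as PAWs. It assumes the Microsoft Graph PowerShell SDK, a convention of marking PAW devices with extensionAttribute1 = "PAW" (a choice made here, not something the page prescribes), and a placeholder break-glass account object ID that you would replace with your own.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph
# PowerShell SDK and an account holding Policy.ReadWrite.ConditionalAccess
# and Device.ReadWrite.All. Tagging convention (extensionAttribute1 = "PAW")
# is this example's assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Device.ReadWrite.All"

# Step 1: tag a device as a PAW. $pawDeviceId is the Entra device object ID
# (placeholder; supply your own).
function Set-PawTag {
    param([Parameter(Mandatory)][string]$DeviceObjectId)
    Update-MgDevice -DeviceId $DeviceObjectId -BodyParameter @{
        extensionAttributes = @{ extensionAttribute1 = "PAW" }
    }
}

# Step 2: confirm the tag is queryable (filtering on extensionAttributes needs
# advanced query parameters, hence ConsistencyLevel and CountVariable).
function Get-PawDevices {
    Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 eq 'PAW'" `
                 -ConsistencyLevel eventual -CountVariable pawCount -All
}

# Built-in directory role template IDs; these are fixed across tenants.
$tier0Roles = @(
    "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"  # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"  # Security Administrator
)

# Step 3: the policy. Device filter in "exclude" mode means the policy applies
# to every device EXCEPT those matching the rule, so untagged devices are blocked.
$policy = @{
    displayName = "Block Tier 0 roles from non-PAW devices"
    # Start in report-only mode and review sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = $tier0Roles
            # Keep emergency-access accounts out of scope (placeholder ID).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Usage (placeholder device ID):
# Set-PawTag -DeviceObjectId "<paw-device-object-id>"
# Get-PawDevices
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Note what this does and does not buy you: it ties privileged authentication to a device attribute, which is the “Conditional Access device filters” control from the list above, but the attribute is only as trustworthy as the process that sets it, and the policy says nothing about what runs on the PAW once the session is established. Device compliance from Intune, network segmentation, and session-level controls still have to carry the rest.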