What Is a PAW
Understanding Privileged Access Workstations — the concept, the purpose, and the implementation options available today.
The concept
A Privileged Access Workstation (PAW) is a hardened, dedicated environment used exclusively for performing administrative tasks. The defining characteristic is isolation — a PAW separates privileged activity from everyday computing.
This is not about having a “more secure laptop.” It is about ensuring that the environment in which you perform Tier 0 administration is fundamentally separated from the environment in which you read email, browse the web, and open documents.
Why isolation matters
Endpoint compromise is the most common initial access vector. If an administrator performs privileged tasks from the same device used for general work, a single phishing email, malicious download, or browser exploit can lead directly to Tier 0 compromise.
No amount of MFA, Conditional Access, or PIM changes this. Those controls verify identity. They do not isolate the session.
Implementation options
PAWs can be implemented in several ways, each with different trade-offs:
| Approach | Isolation Level | Cost | Complexity | User Experience |
|---|---|---|---|---|
| Physical PAW | Highest | High | High | Separate device |
| Virtual PAW | High | Medium | Medium | VM on managed host |
| Windows 365 | High | Medium | Low | Cloud PC |
| Azure Virtual Desktop | High | Variable | Medium | Session-based |
The best option depends on your environment, budget, and operational constraints. There is no single correct answer.
What a PAW is not
- A PAW is not a standard corporate device with extra policies
- A PAW is not a jump server (though jump servers may complement PAWs)
- A PAW is not optional for organisations with Tier 0 administrative access
- A PAW is not a replacement for other controls — it works alongside PIM, Conditional Access, and monitoring
Getting started
If you are new to PAWs, work through these steps:
- Identify who performs Tier 0 administration in your environment
- Understand how those admins currently access admin portals and tools
- Assess the gap between current state and isolated administration
- Choose an implementation approach that fits your constraints
- Deploy, enforce, and validate
The PAW section of this site covers each implementation option in detail.
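One way to carry out the "assess the gap" and "validate" steps above, as an added example that is not part of the original page: it scans sign-in records for privileged activity performed outside a PAW and for devices that mix privileged and everyday use. The record layout, account names, device names and application names are constructed for illustration and do not follow any product's log schema.

```python
from collections import defaultdict

# All values below are constructed sample data (assumptions, not a real export).
TIER0_ADMINS = {"adm-alice", "adm-bob"}           # accounts known to perform Tier 0 administration
PAW_DEVICES = {"PAW-001", "PAW-002"}              # devices designated as PAWs
ADMIN_APPS = {"admin-portal", "directory-tools"}  # privileged portals and tools
SIGNINS = [                                       # (account, device, application)
    ("adm-alice", "PAW-001", "admin-portal"),
    ("adm-alice", "LAPTOP-17", "admin-portal"),     # privileged task from a daily-use device
    ("adm-bob", "PAW-002", "directory-tools"),
    ("adm-bob", "PAW-002", "webmail"),              # everyday activity on a PAW
    ("alice", "LAPTOP-17", "webmail"),
    ("adm-carol", "LAPTOP-09", "directory-tools"),  # admin tool use by an account not on the list
]


def assess_isolation(signins, tier0, paws, admin_apps):
    """Return the gaps between observed sign-ins and isolated administration."""
    seen = defaultdict(lambda: {"admin": set(), "general": set()})
    off_paw, unlisted = [], set()
    for account, device, app in signins:
        kind = "admin" if app in admin_apps else "general"
        seen[device][kind].add(app)
        if kind == "admin":
            if device not in paws:
                # Privileged session on a device that is not a PAW.
                off_paw.append((account, device, app))
            if account not in tier0:
                # The inventory of Tier 0 administrators is incomplete.
                unlisted.add(account)
    # A device with both kinds of activity is not isolated, PAW or not.
    mixed = sorted(d for d, k in seen.items() if k["admin"] and k["general"])
    return {
        "privileged_off_paw": off_paw,
        "mixed_use_devices": mixed,
        "unlisted_admin_accounts": sorted(unlisted),
    }


if __name__ == "__main__":
    report = assess_isolation(SIGNINS, TIER0_ADMINS, PAW_DEVICES, ADMIN_APPS)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

An empty report for all three findings is the target state; a PAW that appears under `mixed_use_devices` has lost its isolation even though every privileged sign-in came from it.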