Is a Separate Privileged Access Workstation Architecture More Secure?

Asked By TechWhiz123 On

We're implementing a new security strategy where all IT staff will have a dedicated laptop solely for administrative tasks. This aims to separate their routine access for emails and web browsing from tasks like managing Intune and Entra. I want to know if the following architecture makes sense and if it would be more secure compared to our current setup where admin and standard access are on the same device:

- The Privileged Access Workstation (PAW) is joined to Entra and managed through Intune.
- There's a virtual machine (VM) on the laptop using Hyper-V, connected to on-prem Active Directory and able to access on-prem resources through Entra Private Access, with the client installed on the VM, not the laptop.
- The PAW is logged in with a cloud-only admin account that has limited admin access.
- The VM uses an on-prem administrator account.
- The PAW (non-admin) manages all cloud resources while the VM handles on-prem resources like Windows and Linux servers.

Is this setup going to enhance our security?
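A quick posture check for the design listed above, added here as an example and not part of the original question or any vendor tooling: run on the PAW in the signed-in cloud-only admin's session, it confirms the host is Entra joined and MDM enrolled, is not AD joined (that belongs to the VM), has the Hyper-V management service present, and that the interactive account carries no local Administrators membership. The `dsregcmd` field names and the `vmms` service name are real; the function name and the set of checks are this example's own choices.

```powershell
# Added example: verify the invariants of the PAW + Hyper-V VM design.
# Assumes Windows 10/11, PowerShell 5.1+, no elevation required.

function Test-PawPosture {
    $findings = @()

    # dsregcmd /status reports join state as "AzureAdJoined : YES" etc.
    $dsreg = (dsregcmd /status) -join "`n"

    # 1. Host must be Entra joined.
    if ($dsreg -notmatch 'AzureAdJoined\s*:\s*YES') {
        $findings += 'Host is not Entra joined'
    }

    # 2. Intune management shows up as an MdmUrl in the same output.
    if ($dsreg -notmatch 'MdmUrl\s*:\s*https://') {
        $findings += 'No MDM enrollment URL reported (Intune not detected)'
    }

    # 3. Only the VM should be AD joined, never the host.
    if ($dsreg -match 'DomainJoined\s*:\s*YES') {
        $findings += 'Host is joined to on-prem AD; only the VM should be'
    }

    # 4. Hyper-V must be present to host the on-prem admin VM.
    #    vmms = Hyper-V Virtual Machine Management service.
    if (-not (Get-Service -Name vmms -ErrorAction SilentlyContinue)) {
        $findings += 'Hyper-V management service (vmms) not installed'
    }

    # 5. The signed-in cloud-only account must not be a local admin.
    #    whoami /groups lists S-1-5-32-544 even in a UAC-filtered token,
    #    and also catches membership granted through Entra role SIDs.
    if ((whoami /groups) -match 'S-1-5-32-544') {
        $findings += 'Signed-in user holds local Administrators membership'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PawPosture | Format-List
```

A non-empty Findings list means the device deviates from the design; the check says nothing about the VM itself, which would need the same kind of inspection from inside the guest.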

5 Answers

Answered By CuriousITPro On

Having the PAW for on-prem resources makes sense, especially since you can restrict its internet access. But I’ve found using a PAW for SaaS platforms can be tricky since those accounts need web access. If your regular devices are secured properly, that should be the priority instead! Would love to hear more about this setup while we're planning our own PAW infrastructure too.

Answered By SecureSetup30 On

We've gone with hardened images using Hyper-V, and it’s been beneficial to rely on passwordless login for admin accounts. They can only access those secure environments, which adds another layer of protection.

Answered By UserFriendly82 On

Having two laptops sounds complicated! A lot of places I know prefer using Virtual Desktop Infrastructures (VDIs), which require multi-factor authentication too. Maybe that’s a simpler approach?

IT_Guy27 -

I totally agree! VDIs can be much more efficient and offer better control.

Answered By AdminSeeker99 On

It’s not very common to see two laptops for IT. Most setups go for virtual Privileged Access Workstations. Seems like a better way to manage risks without doubling the devices.

Answered By WaitingForInsights On

I’m in the same boat as you and also looking for clarity on PAW architecture. It seems complex, and I'd appreciate any tips others might have.
