The pawfirewall.wfw has been temporarily removed while we resolve an issue with domain access. It will be re-added to the download as soon as it's fixed. Thanks for your patience and understanding!
Most recent update - 02/12/2017 - Added Firewall Configuration spreadsheet; updated pawfirewall.wfw rule for UnicastResponseToMulticast to Disabled, per updated hardening guidance
Previous update - 01/31/2017 - Added new SharePoint Online URL to ProxyBypassList.txt
These scripts and files are used in the Privileged Access Workstation (PAW) instructions published at
This .zip file includes the following files:
NOTE: This sample WFW allows only the most minimal set of network connectivity (enough to log onto the PAW itself). You will need to modify the ruleset to allow outbound network access from the PAW to network resources (e.g. Remote Desktop, Remote PowerShell, Microsoft Management Console, etc.).
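One way to extend the ruleset for Remote Desktop and Remote PowerShell, shown as an added example that is not part of the download: the rule names, the admin subnet and the policy store below are placeholders, the ports are the protocol defaults, and it assumes the imported policy blocks outbound traffic by default.

```powershell
# Added example, not one of the files in the .zip.
# Placeholders: rule names, subnet and policy store are constructed for illustration.
$PolicyStore  = 'PersistentStore'   # local store; for a GPO use '<domain>\<GPO name>'
$AdminSubnets = @('10.0.10.0/24')   # constructed: subnet of the servers this PAW manages

$rules = @(
    @{ Name = 'PAW-Out-RDP';   Port = '3389' },            # Remote Desktop (default port)
    @{ Name = 'PAW-Out-WinRM'; Port = @('5985', '5986') }  # Remote PowerShell over HTTP/HTTPS
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    $existing = Get-NetFirewallRule -Name $r.Name -PolicyStore $PolicyStore -ErrorAction SilentlyContinue
    if ($existing) { continue }

    # Allow only TCP to the listed ports, only to the admin subnet, only on the Domain profile.
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -PolicyStore $PolicyStore `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort $r.Port `
        -RemoteAddress $AdminSubnets -Profile Domain | Out-Null
}

# Check 1: effective profile settings. Outbound should still default to Block,
# and AllowUnicastResponseToMulticast should be False per the hardening guidance.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, DefaultOutboundAction, AllowUnicastResponseToMulticast

# Check 2: list enabled outbound allow rules that are not scoped to a remote address.
# On a PAW each of these is worth reviewing, since it permits traffic to any destination.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = 'Any' }
        }
    }
```

Microsoft Management Console snap-ins generally rely on RPC and need additional rules that this example does not cover.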
NOTE: Bypass URLs are automatically assigned to the Local Intranet Zone. If you deploy Bypass URLs, consider increasing the security level of the Local Intranet Zone from the default of Medium-Low to either Medium or Medium-High.
PAWs provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.