Privileged Access Workstation (PAW) Content

These scripts and files are used in the Privileged Access Workstation (PAW) instructions published at http://aka.ms/cyberpaw.

Rating: 5 Star (3)
Downloaded 3,335 times
Category: Security
Date: 2/5/2018

  • Firewall configuration scripts and policies
    2 Posts | Last post March 21, 2018
    • Please refer to https://github.com/SteveUnderScoreN/WindowsFirewall for the scripts and policies that will create group policies containing the firewall rules required for the PAW.
    • Corrected 2 baseline scripts to target correct backup GPO and target GPO name.
  • PAW Trust Relationship Error At Logon
    5 Posts | Last post March 14, 2018
    • After joining the machine to the domain under the T0-Machines OU, I force the GP, the machine restarts and the Trust between the DC and computer breaks. Disabling the firewall fixes the issue but I would like to know if anyone else is having this issue and if they were able to identify the firewall rule breaking the trust.
    • I can confirm the issue.
      
      After joining domain and syncing GPO with firewall trust is broken and cannot rejoin domain.
    • I'm going to upload a PowerShell script to the gallery that will create the policy for you. You can add IP addresses for DCs and the like and it will create circa 150 rules that will resolve your issue and give you a huge head start in having a very hardened firewall that will manage most domains without issue. I'll be working on it in the following week.
    • Thanks Steve, I'll be looking out for it.
    • Apologies for the delay, I've updated the scripts to allow the use of server names, IP ranges, IP addresses and subnets which will make life much easier for us all. Please feedback any findings. https://github.com/SteveUnderScoreN/WindowsFirewall
  • Set-ACL: Access is denied (configCN)
    3 Posts | Last post February 08, 2018
    • Just downloaded this a few days ago and executing in test environment on Server 2012 R2 DC.
      
      Getting "Access is denied" errors for configCN and schemaCN. Added account to Schema Admins and that error disappeared. Also part of Enterprise Admins. Even changed ExecutionPolicy to Unrestricted temporarily.
      
      Any reason why this is failing?
    • Looks like a full restart allowed the script to execute without errors.
    • Worked for us too Aaron ;)
  • Regarding the updated firewall config...
    1 Post | Last post February 07, 2018
    • John, I am reviewing the firewall config and find for a PAW deployment, this config would never pass the Clean Source Principle because it does not enforce authentication via IPSec. I find that a Tier 0 PAW should really only allow inbound connections from one thing, Tier 0 servers (Domain Controllers and other management servers such as WSUS). The inbound and outbound connections are not so important as long as your Tier 0 servers adhere to the Clean Source Principle as well. If you want a basis for how to configure this, please see my github at https://github.com/unassassinable/PAW/tree/master/xx%20-%20Windows%20Firewall%20with%20Advanced%20Security%20and%20IPSec%20Domain%20Isolation.
      
      If you do decide to use this firewall config, note that you are allowing inbound traffic from any device over the policies outlined in the config. You are also allowing the PAW to communicate outbound over a handful of ports, but to any device (on the domain profile). All of which is unauthenticated.
  • pawfirewall.wfw
    3 Posts | Last post February 02, 2018
    • Does anyone have a copy of the old pawfirewall.wfw they can provide to me, I have my own version that I've been using for a few years that I can compare it against. I'm also considering creating a PowerShell script that can be used to update 'outbound to DCs' rules with IP addresses that are provided to the script (and other remote IP scoped rules too).
    • My firewall rules block inbound and outbound without applying local rules, will the new pawfirewall.wfw do the same? I also use advanced audit 'Audit Filtering Platform Connection' success and failure, which creates event IDs 5156 and 5157 in the security log, to help create rules. Using this along with the 'NetworkProfile' event log, to see when the transition from public to domain authenticated occurs, gives you all you need to know to create a very hardened firewall.
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
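The audit-driven approach described in the second post of this thread (enabling 'Audit Filtering Platform Connection' and reading event IDs 5156 and 5157 to derive rules), as an added example that is not part of the gallery page or of any linked repository: it reads the Security log on the local PAW, unpacks the event fields, and groups identical connection tuples so each line is one candidate rule to review. The parameter name and the lookback window are assumptions; the resource-string values for Direction are the ones Windows writes into the event XML.

```powershell
# Added example: summarise WFP audit events 5156 (permitted) / 5157 (blocked)
# on a PAW into candidate firewall rules. Needs an elevated session and the
# 'Audit Filtering Platform Connection' subcategory enabled (success + failure).
param(
    [int]$Hours = 24   # assumption: look back one day by default
)

$filter = @{
    LogName   = 'Security'
    Id        = 5156, 5157
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Direction is stored as a resource string in the event XML:
# %%14592 = Inbound, %%14593 = Outbound. Protocol is the IP protocol number.
$directionMap = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocolMap  = @{ '6' = 'TCP'; '17' = 'UDP'; '1' = 'ICMPv4'; '58' = 'ICMPv6' }

# Get-WinEvent throws if nothing matches; treat an empty log window as no data
$raw = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$tuples = foreach ($e in $raw) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # For inbound events the remote side is the source; for outbound it is the destination
    $inbound = ($d['Direction'] -eq '%%14592')
    [pscustomobject]@{
        Outcome     = if ($e.Id -eq 5156) { 'Permitted' } else { 'Blocked' }
        Direction   = $directionMap[$d['Direction']]
        Application = $d['Application']
        Protocol    = $protocolMap[$d['Protocol']]
        RemoteAddr  = if ($inbound) { $d['SourceAddress'] } else { $d['DestAddress'] }
        RemotePort  = if ($inbound) { $d['SourcePort'] }    else { $d['DestPort'] }
    }
}

# One row per distinct (outcome, direction, app, protocol, remote) tuple, busiest first;
# blocked outbound rows to your DCs are the ones that explain a broken trust relationship
$tuples |
    Group-Object Outcome, Direction, Application, Protocol, RemoteAddr, RemotePort |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Tuple'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Correlate the timestamps against the Microsoft-Windows-NetworkProfile/Operational log, as the post suggests, to separate traffic seen before and after the machine moved to the domain profile.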
  • Come on
    3 Posts | Last post February 02, 2018
    • Please post the files, even though there's minor errors....
    • Do you have the old copy you could provide to me, I'll fix the minor errors and repost?
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • pawfirewall.wfw
    3 Posts | Last post February 02, 2018
    • Any updates on the pawfirewall.wfw?
    • A thousand apologies everyone - I won't bore everyone with the details, but will say that we (the contributors, including myself) were all redirected to other tasks over the last six-plus months.  [Two words: ransomware recoveries.]  We're revisiting this right now and I really hope to be able to post a new version very soon!  THANK YOU EVERYONE for your patience.
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • Ready to get started
    2 Posts | Last post February 02, 2018
    • I am also waiting on the pawfirewall.wfw file to be resubmitted. We would like to get the ball rolling ASAP.
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • pawfirewall.wfw
    2 Posts | Last post February 02, 2018
    • Would just like to add myself to the list of people waiting for the pawfirewall.wfw to be re-released.  Even with errors, it'd be nice to have as a starting point.
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • pawfirewall.wfw
    2 Posts | Last post February 02, 2018
    • @JohnRodrigues, any updates on the FW template?
      
      regards
      Mattias
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).