Privileged Access Workstation (PAW) Content

These scripts and files are used in the Privileged Access Workstation (PAW) instructions published at http://aka.ms/cyberpaw.

Security
2/6/2018


  • PAW Trust Relationship Error At Log On
    7 Posts | Last post August 04, 2018
    • After joining the machine to the domain under the T0-Machines OU, I force the GP, the machine restarts, and the trust between the DC and computer breaks. Disabling the firewall fixes the issue, but I would like to know if anyone else is having this issue and if they were able to identify the firewall rule breaking the trust.
    • I can confirm the issue.
      
      After joining domain and syncing GPO with firewall trust is broken and cannot rejoin domain.
    • I'm going to upload a PowerShell script to the gallery that will create the policy for you. You can add IP addresses for DCs and the like, and it will create circa 150 rules that will resolve your issue and give you a huge head start in having a very hardened firewall that will manage most domains without issue. I'll be working on it in the following week.
    • Thanks Steve, I'll be looking out for it.
    • Apologies for the delay, I’ve updated the scripts to allow the use of server names, IP ranges, IP addresses and subnets which will make life much easier for us all. Please feedback any findings. https://github.com/SteveUnderScoreN/WindowsFirewall
      
      
    • Well the issue remains even with the latest package. I can repro in completely clean environment / w10 client, w2016 server. Trust breaks because of firewall rules.
      
      How is MS testing it? Or how could they claim they are using it at all:)
    • Try my script from https://github.com/SteveUnderScoreN/WindowsFirewall 
      I'm also developing some GUI tools to help you manage the firewall policies and the recommended restrictions as you move forward with this.
  • Firewall configuration scripts and policies
    1 Posts | Last post July 23, 2018
    • https://github.com/SteveUnderScoreN/WindowsFirewall has been updated. You can now update the domain resources section if IP addresses are added/changed, run the script against existing policies and it will update the rules for you. Coming soon is an analysis tool that will go through the security event log and assist in the creation of new rules based on blocked connections.
  • One more question.
    1 Posts | Last post July 17, 2018
    • Why does the workstation and Tier Servers OUs get created at the top level instead of in the Tier 1 OU?
      
  • Where do these scripts get applied?
    1 Posts | Last post July 17, 2018
    • All of the information regarding this setup is very vague and a lot of assumptions are made during the ESAE article. 
      
      Do these scripts get applied on all the production forests or do they get applied in the Admin forest? Or both?
      
      If both, is the purpose to have matching containers for the shadow principal?
      
      Why would I need a Tier 1 and Tier 2 OU in the Admin forest?
  • Firewall configuration scripts and policies
    2 Posts | Last post March 21, 2018
    • Please refer to https://github.com/SteveUnderScoreN/WindowsFirewall for the scripts and policies that will create group policies containing the firewall rules required for the PAW.
    • Corrected 2 baseline scripts to target correct backup GPO and target GPO name.
  • Set-ACL: Access is denied (configCN)
    3 Posts | Last post February 08, 2018
    • Just downloaded this a few days ago and executing in test environment on Server 2012 R2 DC.
      
      Getting "Access is denied" errors for configCN and schemaCN. Added account to Schema Admins and that error disappeared. Also part of Enterprise Admins. Even changed ExecutionPolicy to Unrestricted temporarily.
      
      Any reason why this is failing?
    • Looks like a full restart allowed the script to execute without errors.
    • Worked for us too Aaron ;)
  • Regarding the updated firewall config...
    1 Posts | Last post February 08, 2018
    • John, I am reviewing the firewall config and find that for a PAW deployment, this config would never pass the Clean Source Principle because it does not enforce authentication via IPsec. I find that a Tier 0 PAW should really only allow inbound connections from one thing: Tier 0 servers (Domain Controllers and other management servers such as WSUS). The inbound and outbound connections are not so important as long as your Tier 0 servers adhere to the Clean Source Principle as well. If you want a basis for how to configure this, please see my GitHub at https://github.com/unassassinable/PAW/tree/master/xx%20-%20Windows%20Firewall%20with%20Advanced%20Security%20and%20IPSec%20Domain%20Isolation.
      
      If you do decide to use this firewall config, note that you are allowing inbound traffic from any device over the policies outlined in the config.  You are also allowing the PAW to communicate outbound over a handful of ports, but to any device (on domain profile).  All of which is unauthenticated.
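The design this post argues for (inbound only from Tier 0 hosts, and only when IPsec-authenticated, with everything else blocked in both directions) can be expressed as a single GPO-backed policy. The following is an added example written for this page; it is not the pawfirewall.wfw content and not code from either GitHub project linked in the thread. The domain name, GPO name, addresses and the Tier 0 host list are placeholders (assumptions), and the port list is the one a PAW needs to reach its domain controllers for join, Kerberos, Group Policy and time sync.

```powershell
# Added example (not part of the PAW gallery content or the linked repositories).
# Builds a Tier 0 PAW firewall + IPsec policy into an existing, empty GPO.
$Domain  = 'corp.example'               # assumption: AD DNS domain name
$GpoName = 'PAW - Tier 0 Firewall'      # assumption: GPO already created and linked to the PAW OU
$DCs     = '10.0.0.10', '10.0.0.11'     # assumption: domain controller addresses
$Tier0   = $DCs + '10.0.0.20'           # assumption: DCs plus Tier 0 management hosts (e.g. WSUS)

# Edit the GPO in one session and save once at the end (faster than per-rule writes).
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Default-deny in both directions on every profile, and ignore locally defined
# rules so only this GPO decides what the PAW may talk to. Log drops so 5157
# events can be used to find anything that is still missing.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogBlocked True -LogAllowed False

# IPsec: computer Kerberos authentication. Inbound from Tier 0 must be secured;
# outbound only requests it so the PAW can still reach hosts that are not yet
# IPsec-capable. Any other inbound peer is simply dropped by the default action.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -GPOSession $gpo `
    -DisplayName 'PAW machine Kerberos' -Proposal $proposal
New-NetIPsecRule -GPOSession $gpo -DisplayName 'PAW Tier 0 domain isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -RemoteAddress $Tier0 -Profile Domain

# The only inbound allow rule: Tier 0 hosts, and only over an authenticated SA.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'PAW inbound from Tier 0 (IPsec required)' `
    -Direction Inbound -Action Allow -Authentication Required `
    -RemoteAddress $Tier0 -Profile Domain -Group 'PAW'

# Outbound to the DCs only. These rules are deliberately NOT scoped to the
# Domain profile: right after boot the NIC sits in Public/Private until NLA has
# reached a DC, so Domain-only rules would block the very traffic that is
# needed to get into the Domain profile (a common way to "break" the trust).
$dcTcp = 53, 88, 135, 389, 445, 464, 636, 3268, 3269   # DNS, Kerberos, RPC EPM, LDAP, SMB, kpasswd, LDAPS, GC
$dcUdp = 53, 88, 123, 389, 464                         # DNS, Kerberos, NTP, CLDAP, kpasswd
New-NetFirewallRule -GPOSession $gpo -DisplayName 'PAW to DCs (TCP)' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $DCs -RemotePort $dcTcp -Profile Any -Group 'PAW'
New-NetFirewallRule -GPOSession $gpo -DisplayName 'PAW to DCs (UDP)' -Direction Outbound `
    -Action Allow -Protocol UDP -RemoteAddress $DCs -RemotePort $dcUdp -Profile Any -Group 'PAW'
# Dynamic RPC endpoints handed out by the endpoint mapper (Netlogon, DRS, etc.).
New-NetFirewallRule -GPOSession $gpo -DisplayName 'PAW to DCs (RPC dynamic)' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $DCs -RemotePort '49152-65535' -Profile Any -Group 'PAW'

Save-NetGPO -GPOSession $gpo
```

Apply it to one test PAW first and watch the Security log: if the machine still loses its trust after `gpupdate /force` and a reboot, the 5157 events will name the blocked destination and port, which is how the DC port list above gets completed for a given environment (for example if DNS is not served by the DCs themselves).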
  • pawfirewall.wfw
    3 Posts | Last post February 02, 2018
    • Does anyone have a copy of the old pawfirewall.wfw they can provide to me, I have my own version that I've been using for a few years that I can compare it against. I'm also considering creating a PowerShell script that can be used to update 'outbound to DCs' rules with IP addresses that are provided to the script (and other remote IP scoped rules too).
    • My firewall rules block inbound and outbound without applying local rules, will the new pawfirewall.wfw do the same? I also use advanced audit 'Audit Filtering Platform Connection' success and failure, which creates event IDs 5156 and 5157 in the security log, to help create rules. Using this along with the 'NetworkProfile' event log, to see when the transition from public to domain authenticated occurs, gives you all you need to know to create a very hardened firewall.
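The event-driven rule building described in this post (and the "analysis tool that will go through the security event log" mentioned in the Firewall configuration scripts thread) comes down to parsing 5157 events and grouping the drops. The following is an added example written for this page, not the poster's own rules or the tool from either linked repository. The three events it parses are constructed so the function can be tried offline; the device-path to `%SystemRoot%` rewrite is an assumption that holds for binaries on the system volume.

```powershell
# Added example (not from the PAW gallery content or the linked repositories).
# Turns Windows Filtering Platform "blocked connection" events (Security 5157)
# into candidate New-NetFirewallRule commands, grouped by direction/protocol/port/program.
function Get-BlockedConnectionRules {
    param([Parameter(Mandatory)][xml[]]$Events)   # one [xml] document per 5157 event

    $rows = foreach ($doc in $Events) {
        # Flatten <Data Name="...">value</Data> into a hashtable.
        $d = @{}
        foreach ($n in $doc.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $inbound = $d['Direction'] -eq '%%14592'            # %%14592 = Inbound, %%14593 = Outbound
        $proto   = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $d['Protocol'] } }
        # WFP logs an NT device path; firewall rules want a Win32 path (assumption: system volume).
        $app     = $d['Application'] -replace '^\\device\\harddiskvolume\d+\\windows\\', '%SystemRoot%\'

        [pscustomobject]@{
            Direction   = if ($inbound) { 'Inbound' } else { 'Outbound' }
            Protocol    = $proto
            Port        = $d['DestPort']                    # local port when inbound, remote port when outbound
            Remote      = if ($inbound) { $d['SourceAddress'] } else { $d['DestAddress'] }
            Application = $app
        }
    }

    $rows | Group-Object Direction, Protocol, Port, Application | ForEach-Object {
        $f       = $_.Group[0]
        $remotes = ($_.Group.Remote | Sort-Object -Unique) -join ','
        $portArg = if ($f.Direction -eq 'Inbound') { '-LocalPort' } else { '-RemotePort' }
        [pscustomobject]@{
            Count       = $_.Count
            Direction   = $f.Direction
            Protocol    = $f.Protocol
            Port        = $f.Port
            Remotes     = $remotes
            Application = $f.Application
            # Candidate only: review every line before adding it to the PAW policy.
            Rule        = "New-NetFirewallRule -DisplayName 'PAW $($f.Direction) $($f.Protocol)/$($f.Port)' " +
                          "-Direction $($f.Direction) -Action Allow -Protocol $($f.Protocol) $portArg $($f.Port) " +
                          "-RemoteAddress $remotes -Program '$($f.Application)'"
        }
    }
}

# --- Constructed sample events (shape of a real 5157 record, values invented) ---
$tpl = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5157</EventID></System>
<EventData><Data Name="ProcessID">900</Data><Data Name="Application">{0}</Data><Data Name="Direction">{1}</Data>
<Data Name="SourceAddress">{2}</Data><Data Name="SourcePort">{3}</Data><Data Name="DestAddress">{4}</Data>
<Data Name="DestPort">{5}</Data><Data Name="Protocol">{6}</Data><Data Name="FilterRTID">65535</Data>
<Data Name="LayerName">%%14611</Data><Data Name="LayerRTID">48</Data></EventData></Event>
'@
$samples = @(
    ($tpl -f '\device\harddiskvolume2\windows\system32\lsass.exe',   '%%14593', '10.0.1.50', 52011, '10.0.0.10', 88,   6),
    ($tpl -f '\device\harddiskvolume2\windows\system32\lsass.exe',   '%%14593', '10.0.1.50', 52012, '10.0.0.11', 88,   6),
    ($tpl -f '\device\harddiskvolume2\windows\system32\svchost.exe', '%%14592', '10.0.9.9',  41000, '10.0.1.50', 3389, 6)
) | ForEach-Object { [xml]$_ }

Get-BlockedConnectionRules -Events $samples | Format-List

# Live use (after: auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 5000 |
#         ForEach-Object { [xml]$_.ToXml() }
# Get-BlockedConnectionRules -Events $live | Sort-Object Count -Descending | Format-Table Count, Rule -Wrap
```

On the constructed input this yields two candidates: an outbound Kerberos (TCP/88) rule for lsass.exe covering both DCs, and an inbound TCP/3389 rule from 10.0.9.9. The second is exactly the kind of suggestion that should be rejected on a PAW; the grouping only tells you what was blocked, not what should be allowed. Pair it with the NetworkProfile log as the post suggests to separate pre-domain-authentication noise from real traffic.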
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • Come on
    3 Posts | Last post February 02, 2018
    • Please post the files, even though there are minor errors....
    • Do you have the old copy you could provide to me, I'll fix the minor errors and repost?
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).
  • pawfirewall.wfw
    3 Posts | Last post February 02, 2018
    • Any updates on the pawfirewall.wfw?
    • A thousand apologies everyone - I won't bore everyone with the details, but will say that we (the contributors, including myself) were all redirected to other tasks over the last six-plus months.  [Two words: ransomware recoveries.]  We're revisiting this right now and I really hope to be able to post a new version very soon!  THANK YOU EVERYONE for your patience.
    • I got kinda tired of waiting so I built it myself.  I have my full PAW project documented including the Windows Firewall with Advanced Security that utilizes IPSec to enforce Domain Isolation and block all inbound connections to PAWs except from Tier 0 servers.   It's very easily configurable.  You can gain access to the full set of configurations via my GitHub at:
      
      https://github.com/unassassinable/PAW
      
      Navigate to the Firewall section and you will see I have provided 2 exported firewall settings and a full description of how to use them.  Please heed the warnings :).