articles/active-directory/devices/concept-azure-managed-workstation.md (23 additions & 10 deletions)
@@ -6,7 +6,7 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: devices
8
8
ms.topic: conceptual
9
-
ms.date: 05/28/2019
9
+
ms.date: 11/18/2019
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
@@ -17,12 +17,11 @@ ms.reviewer: frasim
17
17
18
18
ms.collection: M365-identity-device-management
19
19
---
20
-
21
20
# Understand secure, Azure-managed workstations
22
21
23
22
Secured, isolated workstations are critically important for the security of sensitive roles like administrators, developers, and critical service operators. If client workstation security is compromised, many security controls and assurances can fail or be ineffective.
24
23
25
-
This document explains what you need for building a secure workstation, often known as a privileged access workstation (PAW). The article also contains detailed instructions to set up initial security controls. This guidance describes how cloud-based technology can manage the service. It relies on security capabilities that were introduced in Windows 10RS5, Microsoft Defender Advanced Threat Protection (ATP), Azure Active Directory, and Intune.
24
+
This document explains what you need for building a secure workstation, often known as a privileged access workstation (PAW). The article also contains detailed instructions to set up initial security controls. This guidance describes how cloud-based technology can manage the service. It relies on security capabilities that were introduced in Windows 10RS5, Microsoft Defender Advanced Threat Protection (ATP), Azure Active Directory, and Microsoft Intune.
26
25
27
26
> [!NOTE]
28
27
> This article explains the concept of a secure workstation and its importance. If you are already familiar with the concept and would like to skip to deployment, visit [Deploy a Secure Workstation](howto-azure-managed-workstation.md).
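Review bot: the edited line still reads "Windows 10RS5" with no space between the product name and the release codename; since this sentence is being touched anyway (Intune to Microsoft Intune), write it as "Windows 10 RS5", or better the public version number, so a reader can map it to an actual build. Removing the blank line after the front-matter `---` is harmless for rendering.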
@@ -52,6 +51,7 @@ This document describes a solution that can help protect your computing devices
52
51
* Windows 10 (current version) for device health attestation and user experience
53
52
* Defender ATP for cloud-managed endpoint protection, detection, and response
54
53
* Azure AD PIM for managing authorization and just-in-time (JIT) privileged access to resources
54
+
* Log Analytics, and Sentinel for monitoring and alerting
55
55
56
56
## Who benefits from a secure workstation?
57
57
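Review bot: the new bullet "* Log Analytics, and Sentinel for monitoring and alerting" has a stray comma before "and"; suggest "* Azure Monitor Log Analytics and Azure Sentinel for monitoring and alerting" so the product names are written out in the same form as the other entries in the list (Azure AD PIM, Defender ATP).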
@@ -63,7 +63,7 @@ All users and operators benefit when using a secure workstation. An attacker who
63
63
* Highly sensitive workstation, such as a SWIFT payment terminal
64
64
* Workstation handling trade secrets
65
65
66
-
To reduce risk, you should implement elevated security controls for privileged workstations that make use of these accounts. For more information, see the [Azure Active Directory feature deployment guide](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2), [Office 365 roadmap](https://aka.ms/o365secroadmap), and [Securing Privileged Access roadmap](https://aka.ms/sparoadmap)).
66
+
To reduce risk, you should implement elevated security controls for privileged workstations that make use of these accounts. For more information, see the [Azure Active Directory feature deployment guide](../fundamentals/active-directory-deployment-checklist-p2.md), [Office 365 roadmap](https://aka.ms/o365secroadmap), and [Securing Privileged Access roadmap](https://aka.ms/sparoadmap)).
67
67
68
68
## Why use dedicated workstations?
69
69
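Review bot: both the removed and the added line end with "roadmap))", one ")" too many; drop the extra closing parenthesis while the line is being edited. The switch from the absolute docs.microsoft.com URL to the relative link `../fundamentals/active-directory-deployment-checklist-p2.md` resolves correctly from articles/active-directory/devices/, so that part is fine.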
@@ -78,16 +78,29 @@ Containment strategies tighten security by increasing the number and type of con
78
78
79
79
## Supply chain management
80
80
81
-
Essential to a secured workstation is a supply chain solution where you use a trusted workstation called the 'root of trust'. For this solution, the root of trust uses [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) technology. To secure a workstation, Autopilot lets you leverage Microsoft OEM-optimized Windows 10 devices. These devices come in a known good state from the manufacturer. Instead of reimaging a potentially insecure device, Autopilot can transform a Windows device into a “business-ready” state. It applies settings and policies, installs apps, and even changes the edition of Windows 10. For example, Autopilot might change a device's Windows installation from Windows 10 Pro to Windows 10 Enterprise so that it can use advanced features.
81
+
Essential to a secured workstation is a supply chain solution where you use a trusted workstation called the 'root of trust'. Technology that must be considered in the selection of the root of trust hardware should include the following technologies included in modern laptops:
*[Drivers and Firmware Distributed through Windows Update](https://docs.microsoft.com/windows-hardware/drivers/dashboard/understanding-windows-update-automatic-and-optional-rules-for-driver-distribution)
87
+
*[Virtualization and HVCI Enabled](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs)
88
+
*[Drivers and Apps HVCI-Ready](https://docs.microsoft.com/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard)
For this solution, root of trust will be deployed using [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) technology with hardware that meets the modern technical requirements. To secure a workstation, Autopilot lets you leverage Microsoft OEM-optimized Windows 10 devices. These devices come in a known good state from the manufacturer. Instead of reimaging a potentially insecure device, Autopilot can transform a Windows device into a “business-ready” state. It applies settings and policies, installs apps, and even changes the edition of Windows 10. For example, Autopilot might change a device's Windows installation from Windows 10 Pro to Windows 10 Enterprise so that it can use advanced features.
This guidance references several security profiles and roles that can help you create more secure solutions for users, developers, and IT personnel. These profiles balance usability and risks for common users that can benefit from an enhanced or secure workstation. The settings configurations provided here are based on industry accepted standards. This guidance shows how to harden Windows 10 and reduce the risks associated with device or user compromise. It does so by using policy and technology to help manage security features and risks.
100
+
This guidance references several security profiles and roles that can help you create more secure solutions for users, developers, and IT personnel. These profiles balance usability and risks for common users that can benefit from an enhanced or secure workstation. The settings configurations provided here are based on industry accepted standards. This guidance shows how to harden Windows 10 and reduce the risks associated with device or user compromise. To take advantage of the modern hardware technology and root of trust device, we will use [Device Health Attestation](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Using-Device-Health-Attestation-Settings-as-Part-of/ba-p/282643), which is enabled starting at the **High Security** profile. This capability is present to ensure the attackers cannot be persistent during the early boot of a device. It does so by using policy and technology to help manage security features and risks.
***Low Security** – A managed, standard workstation provides a good starting point for most home and small business use. These devices are registered in Azure AD and managed with Intune. This profile permits users to run any applications and browse any website. An anti-malware solution like [Microsoft Defender](https://www.microsoft.com/windows/comprehensive-security) should be enabled.
103
+
***Basic Security** – A managed, standard workstation provides a good starting point for most home and small business use. These devices are registered in Azure AD and managed with Intune. This profile permits users to run any applications and browse any website. An anti-malware solution like [Microsoft Defender](https://www.microsoft.com/windows/comprehensive-security) should be enabled.
91
104
92
105
***Enhanced Security** – This entry-level, protected solution is good for home users, small business users, and general developers.
93
106
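Review bot: the new Device Health Attestation sentence, "This capability is present to ensure the attackers cannot be persistent during the early boot of a device", overstates what DHA does: it reports measured boot state (Secure Boot, code integrity, BitLocker status) so that a compliance policy can flag or block a device whose early boot has been tampered with; it does not by itself stop persistence. Suggest "so that tampering with the early boot of a device is detected and the device can be blocked by compliance policy". The sentence that follows, "It does so by using policy and technology to help manage security features and risks", described the guidance in the old text and now dangles after the DHA sentence; either move the DHA text into its own paragraph or put "It does so..." back directly after "reduce the risks associated with device or user compromise". The three new bullets are written as `*[Drivers and Firmware ...`, `*[Virtualization and HVCI Enabled]`, `*[Drivers and Apps HVCI-Ready]` with no space after the asterisk, so they will not render as a list; use `* [Drivers ...`. Finally, renaming the "Low Security" profile to "Basic Security" has to be applied wherever the old name appears (the deployment how-to linked from this article and any scripts or policies named after it); the remaining references in this file to the "High Security" profile and "the high security workstation" are consistent only if that profile keeps its name.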
@@ -99,16 +112,16 @@ This guidance references several security profiles and roles that can help you c
99
112
100
113
***Specialized** – Attackers target developers and IT administrators because they can alter systems of interest to the attackers. The specialized workstation expands on the policies of the high security workstation by managing local applications and limiting websites. It also restricts high-risk productivity capabilities such as ActiveX, Java, browser plugins, and other Windows controls. You deploy this profile with the DeviceConfiguration_NCSC - Windows10 (1803) SecurityBaseline script.
101
114
102
-
***Secured** – An attacker who compromises an administrative account can cause significant business damage by data theft, data alteration, or service disruption. In this hardened state, the workstation enables all the security controls and policies that restrict direct control of local application management. A secured workstation has no productivity tools so the device more difficult to compromise. It blocks the most common vector for phishing attacks: email and social media. The secured workstation can be deployed with the Secure Workstation - Windows10 (1809) SecurityBaseline script.
115
+
***Secured** – An attacker who compromises an administrative account can cause significant business damage by data theft, data alteration, or service disruption. In this hardened state, the workstation enables all the security controls and policies that restrict direct control of local application management. A secured workstation has no productivity tools so the device more difficult to compromise. It blocks the most common vector for phishing attacks: email and social media. The secured workstation can be deployed with the Secure Workstation - Windows10 (1809) SecurityBaseline script.
A secure workstation provides an administrator with a hardened workstation that has clear application control and application guard. The workstation uses credential guard, device guard, and exploit guard to protect the host from malicious behavior. All local disks are also encrypted with BitLocker.
107
120
108
121
***Isolated** – This custom, offline scenario represents the extreme end of the spectrum. No installation scripts are provided for this case. You might need to manage a business-critical function that requires an unsupported or unpatched legacy operating system. For example, a high value production line or a life-support system. Because security is critical and cloud services are unavailable, you can manage and update these computers manually or with an isolated Active Directory forest architecture such as the Enhanced Security Admin Environment (ESAE). In these circumstances, consider removing all access except basic Intune and ATP health checks.
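Review bot: the removed and added "Secured" lines are identical as rendered, so this is presumably a whitespace or punctuation-only change; while the line is being touched, fix the missing verb in "so the device more difficult to compromise" ("so the device is more difficult to compromise"). In the paragraph that follows, "application guard", "credential guard", "device guard", and "exploit guard" are feature names and should be capitalized (Application Guard, Credential Guard, Device Guard, Exploit Guard) to match the rest of the docs.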