- Microsoft technet guide: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
These laptops must run the latest Windows 10 release with its current security features enabled and the following security best practices applied:
- Apply a hardened security baseline from Microsoft Security Compliance Manager (SCM)
- Enable Secure Boot with UEFI
- Impose software restrictions using AppLocker
- Enable full disk encryption
- Impose restrictions on USB ports
- Implement network isolation via the host firewall
- Install and configure Device Guard, Windows Defender ATP (or equivalent) and CrowdStrike (or equivalent)
- Don’t allow Internet access from a browser
- Install minimal software
- Allow only a minimal set of administrative accounts (gad-xxxx accounts in our case)
- Implement a hardened OU for the PAWs in the GAD of MUCMSPDOM
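A read-only audit of several of these settings on one workstation, added here as an example rather than taken from the original guide or from Microsoft's documentation; it assumes the standard Windows 10 cmdlets named in the comments, and treats the gad-xxxx naming as the only permitted pattern for local administrators.

```powershell
# Added example (not from the original guide): read-only audit of one PAW
# against the checklist above. Run in an elevated PowerShell on Windows 10.
# Pass/fail thresholds and the 'gad-' admin naming rule are assumptions.

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
Add-Check 'Secure Boot (UEFI)' $sb "Confirm-SecureBootUEFI = $sb"

# Full disk encryption: every BitLocker volume must report FullyEncrypted.
$vols = @(Get-BitLockerVolume)
$notEnc = @($vols | Where-Object VolumeStatus -ne 'FullyEncrypted')
Add-Check 'BitLocker on all volumes' ($vols.Count -gt 0 -and $notEnc.Count -eq 0) `
    ("Not fully encrypted: " + ($notEnc.MountPoint -join ', '))

# AppLocker: the effective policy must enforce (not merely audit) Exe rules.
$xml = [xml](Get-AppLockerPolicy -Effective -Xml)
$exe = $xml.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
Add-Check 'AppLocker Exe rules enforced' ($exe.EnforcementMode -eq 'Enabled') `
    ("Exe EnforcementMode = " + $exe.EnforcementMode)

# USB restriction: USB mass-storage driver disabled (Start = 4).
$usb = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start
Add-Check 'USBSTOR driver disabled' ($usb -eq 4) "USBSTOR Start = $usb"

# Host firewall: every profile enabled with inbound default action Block.
$weak = @(Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
Add-Check 'Firewall isolates host' ($weak.Count -eq 0) ("Weak profiles: " + ($weak.Name -join ', '))

# Device Guard: VBS running (status 2) and HVCI in SecurityServicesRunning (2).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbs = ($dg.VirtualizationBasedSecurityStatus -eq 2) -and ($dg.SecurityServicesRunning -contains 2)
Add-Check 'Device Guard VBS + HVCI running' $vbs "VBS status = $($dg.VirtualizationBasedSecurityStatus)"

# Local admins: only the built-in Administrator and gad-* accounts (assumed rule).
$admins = Get-LocalGroupMember -Group 'Administrators'
$extra = @($admins | Where-Object { $_.Name -notmatch '\\gad-' -and $_.Name -notmatch '\\Administrator$' })
Add-Check 'Only gad-* local administrators' ($extra.Count -eq 0) ("Unexpected: " + ($extra.Name -join ', '))

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit so a scheduler can alert
```

The script only reads state; remediation stays with the baseline and the group policy applied to the hardened OU.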