From 5a3b62e892a3aeb90f9f490447f5aa961758d4df Mon Sep 17 00:00:00 2001 From: Grant Date: Sun, 29 Nov 2020 11:07:54 +0000 Subject: [PATCH 1/2] Created readme.md Created readme.md with text from original technet gallery, so scripts have context. --- .../Reademe.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 Privileged Access Workstation (PAW) Content/Reademe.md diff --git a/Privileged Access Workstation (PAW) Content/Reademe.md b/Privileged Access Workstation (PAW) Content/Reademe.md new file mode 100644 index 0000000..1fa61b6 --- /dev/null +++ b/Privileged Access Workstation (PAW) Content/Reademe.md 
@@ -0,0 +1,30 @@ +*Original text from Technet Gallery.* + +------------ + + +We have finally published a corrected pawfirewall.wfw! Thanks for your patience as we worked through that - we needed to test for a very specific issue (not the domain trust one), but at this point we're confident it has been resolved. + +**Most recent update** - 02/05/2018 - Added updated pawfirewall.wfw (entitled pawfirewallupdate.wfw to distinguish from the previous version) +**Previous update** - 03/23/2017 - Removed pawfirewall.wfw while we resolve an issue with domain trusts + +These scripts and files are used in the Privileged Access Workstation (PAW) instructions published at http://aka.ms/cyberpaw. +This .zip file includes the following files: + +- ADEnvironment.ps1 - function library for the Active Directory preparation scripts +- Create-PAWGroups.ps1 - script to create the appropriate security groups in Active Directory using Groups.csv as a master list +- Create-PAWOUs.ps1 - script to create the appropriate organizational units in Active Directory +- Groups.csv - master list of required groups +pawfirewallupdate.wfw - Windows Firewall configuration file with all appropriate rules and exclusions for PAWs (updated 01/18/2018) + +> NOTE: This sample WFW provides allows only the most minimal set of network connectivity (enough to log onto the PAW itself). You will need to modify the ruleset to allow outbound network access from the PAW to network resources (e.g. Remote Desktop, Remote PowerShell, Microsoft Management Console, etc.).NOTE: This sample WFW provides allows only the most minimal set of network connectivity (enough to log onto the PAW itself). You will need to modify the ruleset to allow outbound network access from the PAW to network resources (e.g. Remote Desktop, Remote PowerShell, Microsoft Management Console, etc.). 
+ +- proxy.pac - Internet Explorer/Microsoft Edge proxy configuration file +- ProxyBypassList.txt - text file of allowed properties for use in populating proxy bypass list in Internet Explorer/Edge (updated 01/31/2017) + +> NOTE: Bypass URLs are automatically assigned to the Local Intranet Zone. If you deploy Bypass URLs, consider increasing the security level of the Local Intranet Zone from the default of Medium-Low to either Medium or Medium-HighNOTE: Bypass URLs are automatically assigned to the Local Intranet Zone. If you deploy Bypass URLs, consider increasing the security level of the Local Intranet Zone from the default of Medium-Low to either Medium or Medium-High + +- Set-PAWOUDelegation.ps1 - script to delegate permissions within Active Directory to the groups created by Create-PAWGroups.ps1 +- UserProxySettings.adm - Group Policy template to allow for centralized control and deployment of proxy bypass list + +PAWs provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket. From f5420cd50a3ffd14528c17c108ab3a77fe925d08 Mon Sep 17 00:00:00 2001 From: Grant Date: Sun, 29 Nov 2020 11:11:38 +0000 Subject: [PATCH 2/2] Rename Reademe.md to Readme.md typo --- .../{Reademe.md => Readme.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Privileged Access Workstation (PAW) Content/{Reademe.md => Readme.md} (100%) diff --git a/Privileged Access Workstation (PAW) Content/Reademe.md b/Privileged Access Workstation (PAW) Content/Readme.md similarity index 100% rename from Privileged Access Workstation (PAW) Content/Reademe.md rename to Privileged Access Workstation (PAW) Content/Readme.md
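Review bot: the new README hunk carries two duplicated blockquotes and a dropped bullet that came over from the gallery copy and should be cleaned up before this lands. Both `> NOTE:` paragraphs repeat their full text back-to-back ("...Microsoft Management Console, etc.).NOTE: This sample WFW provides allows only..." and "...Medium or Medium-HighNOTE: Bypass URLs are automatically assigned..."), so each should be reduced to a single copy, and "provides allows only the most minimal set" should read "allows only the most minimal set". The `pawfirewallupdate.wfw` entry lacks the leading `- ` that every other file entry has, so it will render as a paragraph between list items rather than a bullet. Since this is now a repository folder rather than a download, "This .zip file includes the following files:" should say "This folder includes the following files:". Minor: the file is created as `Reademe.md` here and only renamed to `Readme.md` in the follow-up patch; squashing the two commits would keep the history clean.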