Skip to content Skip to site navigation

Privileged Access Workstation (PAW)

Increased security for high risk systems

In September 2022, rates will change for several of the technology services provided by University IT. To view the majority of our planned rate changes for services that are broadly available to our community, please visit this page. For more information, please visit the rates section of our website.

The Privileged Access Workstation (PAW) service will be retired in August 2022 and users will transition to Cardinal Protect built systems. Any new Ring 1 PAW requests will be built as a Cardinal Protect system. Visit the FAQ page to learn more about the retirement and transition to the Cardinal Protect Service.

A Privileged Access Workstation (PAW) is a dedicated computing environment for sensitive tasks that is protected from Internet attacks and other threat vectors.

A PAW separates these sensitive tasks and accounts from non-administrative computer use, such as email and web browsing.


A PAW has the following characteristics:

  • Dedicated hardened systems that provide high security assurance for sensitive accounts and tasks
  • Built on trusted hardware with clean source media, instrumented and monitored for full visibility
  • Includes expedited and automated patching of security updates to ensure system security

A PAW provides increased security for IT administrators working with High Risk servers and applications. This includes, but is not limited to, Active Directory and administrative access to databases, web servers, and application servers bearing High Risk Data. It is part of the Minimum Security Standards for High Risk systems.

Designed for

Stanford University IT Staff, SLAC IT Staff


A Stanford-managed server running a supported operating system.

Data security

May be used with Low, Moderate, and High Risk Data, as defined by the Information Security Office.


Departments are responsible for the cost of PAW hardware (a laptop computer). There is no additional cost associated with the use of the service.

Get started

To get started, request a PAW. You will be contacted to arrange a hardware hand-off and configuration of the necessary credentials for its use. Your department will need to provide the computer that will become the PAW. Hardware prerequisites are as follows:

  • Any in-warranty Mac or Dell computer. Dell must contain a TPM 2.0 security chip.

Get help

Submit a Help request

Learn more

For IT professionals

Last modified January 4, 2022