How is a Privileged Access Workstation (PAW) more secure than a shared bastion server?
A shared bastion server is a system that allows multiple IT staff to manage systems simultaneously. This gives the shared bastion server a large attack surface, which includes IT staff connecting from untrusted systems. If a shared bastion server is infiltrated, an attacker could exploit the system, steal the credentials of any administrator who is currently logged in, and/or use the server to enter the network and access other privileged systems. A PAW mitigates this risk by eliminating the concentration of multiple administrator credentials on a single host and by providing hardening measures such as preventing external remote connections, preventing email and web browsing, and application whitelisting.
Last modified January 4, 2017