The Privileged Access Workstation (PAW) service relies on proper configuration of the firewalls protecting your servers and applications. To be protected by a PAW, configure your firewalls to allow management access to systems only from your group's assigned range of PAW IP addresses. By restricting the source address to the PAW VPN range, you know that only hosts on the PAW VPN can reach the management ports on your servers.
For PAWs using the IDG5540 PAW VPN, configure your firewalls to allow management access only from your group's assigned range of IP addresses.
For PAWs using the newer SU-SecOps-VPN, configure your firewalls to allow access from the entire range of PAW IP addresses (126.96.36.199/23). Then use the SUNAC/UserID field in the firewall request to restrict access to your servers based on membership in a workgroup you control.
See the table below for a list of common administration ports that should be restricted. For web applications, you can restrict access to management interfaces either through the web server software or via a web application firewall.
Common Management Firewall Rules (t = TCP, u = UDP)

| Service | Ports |
|---|---|
| File and Printer Sharing (NetBIOS, SMB), Remote Event Log Management, other Windows management | 137-138u, 139t, 445t |
| Windows Remote Management (WinRM over HTTPS; the plain-HTTP listener uses 5985t) | 5986t |
| DCOM-In (used for Hyper-V Management, Performance Logs and Alerts, etc.) | 135t |
| Remote Desktop Protocol - User Mode | 3389t/u |

Note that 135t is only the RPC endpoint mapper: DCOM-based management then continues on a dynamically assigned RPC port (49152-65535 by default on current Windows versions), so that range must be restricted to the PAW addresses as well, or the endpoint-mapper restriction alone will not prevent DCOM sessions from other sources.
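As an added example (not part of the PAW service documentation), the following PowerShell script applies the rules in the table above to a Windows server's host firewall: it narrows the built-in management rule groups so they no longer accept connections from Any remote address, adds explicit inbound allow rules for each table entry scoped to the PAW range, and then audits the firewall for any enabled inbound allow rule that still exposes a management port to Any. It assumes an elevated session on Windows Server 2012 R2 / Windows 10 or later (the NetSecurity module), English rule-group names, and a `$PawRange` parameter that you replace with your group's assigned range; the default shown is the SU-SecOps-VPN range quoted above.

```powershell
#Requires -RunAsAdministrator
# Added example: scope Windows host-firewall management rules to the PAW VPN range.
param(
    # Assumption: replace with your group's assigned PAW range. The default is the
    # SU-SecOps-VPN range from the text above; IDG5540 users substitute their own.
    [string]$PawRange = "126.96.36.199/23"
)
Import-Module NetSecurity

# Management ports from the table above (u = UDP, t = TCP).
$ManagementPorts = @(
    @{ Name = "NetBIOS name/datagram";   Protocol = "UDP"; Port = "137-138" },
    @{ Name = "NetBIOS session";         Protocol = "TCP"; Port = "139" },
    @{ Name = "SMB";                     Protocol = "TCP"; Port = "445" },
    @{ Name = "WinRM HTTPS";             Protocol = "TCP"; Port = "5986" },
    @{ Name = "DCOM/RPC endpoint mapper"; Protocol = "TCP"; Port = "135" },
    @{ Name = "RDP";                     Protocol = "TCP"; Port = "3389" },
    @{ Name = "RDP";                     Protocol = "UDP"; Port = "3389" }
)

# Built-in rule groups that open the same services and, by default, allow Any remote address.
# Display-group names are locale dependent; these are the English names.
$BuiltInGroups = @(
    "Remote Desktop",
    "File and Printer Sharing",
    "Windows Remote Management",
    "Remote Event Log Management",
    "Performance Logs and Alerts"
)

function Set-PawManagementRules {
    # 1. Narrow the built-in inbound rules so Windows' own allow rules do not
    #    bypass the PAW restriction (a rule allowing Any would still admit the traffic).
    foreach ($group in $BuiltInGroups) {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress $PawRange
    }
    # 2. Add an explicit allow rule per table entry, scoped to the PAW range (idempotent).
    foreach ($entry in $ManagementPorts) {
        $name = "PAW - $($entry.Name) $($entry.Protocol)/$($entry.Port)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $entry.Protocol -LocalPort $entry.Port `
                -RemoteAddress $PawRange | Out-Null
        }
    }
}

function Get-UnscopedManagementRules {
    # Report enabled inbound allow rules that still expose a management port to Any remote address.
    # "RPC-EPMap" and "RPC" are the port tokens Windows uses for 135 and the dynamic DCOM range.
    $watch = @($ManagementPorts | ForEach-Object { $_.Port }) + @("RPC-EPMap", "RPC")
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        if ($pf.Protocol -notin @("TCP", "UDP")) { return }
        $hits = @($pf.LocalPort) | Where-Object { $watch -contains $_ }
        if ($hits -and (@($af.RemoteAddress) -contains "Any")) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Group         = $rule.DisplayGroup
                Protocol      = $pf.Protocol
                LocalPort     = (@($pf.LocalPort) -join ",")
                RemoteAddress = "Any"
            }
        }
    }
}

Set-PawManagementRules
# Anything listed here is a management port still reachable from outside the PAW range.
Get-UnscopedManagementRules | Format-Table -AutoSize
```

The audit matches port strings as Windows reports them, so a rule that opens "137" and "138" as separate entries is caught by the built-in group names above rather than by the "137-138" range string; run the audit after any change to the built-in groups and after Windows feature installs, which re-enable default rule groups with a remote address of Any. Restricting 5986 does nothing for a WinRM HTTP listener on 5985; either disable that listener or add it to the table before applying the script.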