Are Secure Admin Workstations (SAW) better than Jump Boxes?
So Tom had asked an interesting question in the Azure Security group... should cloud admins use jump boxes or Secure Admin Workstations (SAW)? These days Microsoft does not consider jump boxes to be a best practice. Are they right or wrong in that opinion?
It's a loaded question really. Both camps have valid rationales that make sense. But in many ways, a SAW becomes a conduit to a jump box in its own right. Let's look at that for a moment.
At Microsoft, high value assets (HVA) are usually protected with SAW. SAW enables users to go to a web portal to check out a temporary password. The SAW isn’t granting rights to any actual asset; it merely provides a connection to a secure server, which itself connects to the HVA environment. Specifically, a SAW enables users to make a Microsoft Remote Desktop Protocol connection through a bank of Remote Desktop Gateway servers for each environment that contains HVAs. Doesn't that sort of sound like what you do with your jump box?
A key difference is that the SAW is usually reimaged after each use. It's locked down with application whitelisting, and it can be tied into the domain to provide further protection with Privileged Access Management (PAM). But with the introduction of Windows 10, it gets better.
Now a SAW can also take advantage of DeviceGuard. Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can run only trusted applications. If the application isn’t trusted, it can’t run—period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
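As an added example (not code from the original post), here is how a Device Guard code integrity policy for a SAW image is built with the ConfigCI cmdlets that ship with Windows 10: scan a clean reference build, start in audit mode so that anything the policy would block is only logged, then convert and deploy the binary policy. The directory C:\SAWPolicy is an assumed path; the reference build is assumed to be the machine the script runs on.

```powershell
# Added example, not from the original post: build a Device Guard code integrity policy
# for a SAW reference image. Run in an elevated PowerShell session on the clean reference
# build. Paths below are constructed for the example.

$PolicyDir = 'C:\SAWPolicy'                       # assumed working directory
$PolicyXml = Join-Path $PolicyDir 'SAW-CI.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# Scan the reference build. Rules are generated at the Publisher level (anything signed by
# the same publisher certificate is trusted); unsigned files fall back to per-file hashes.
# -UserPEs includes user-mode executables, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs

# Rule option 3 = audit mode. Violations are written to the
# Microsoft-Windows-CodeIntegrity/Operational event log instead of being blocked,
# which is how you find what the golden image still needs before enforcing.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Convert the XML policy into the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy to the image and reboot. Once the audit log is clean, remove audit mode with
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# then rebuild the .p7b and redeploy so the policy is enforced.
Copy-Item -Path $PolicyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
```

Because the SAW is reimaged on each use, the enforced policy belongs in the golden image rather than on individual machines; the audit-mode pass is done once against that image, and anything that shows up in the CodeIntegrity log on a deployed SAW afterwards is a signal worth alerting on.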
But in the end, with a SAW it usually ends up being nothing but a terminal to a server that has direct access to the HVA through an RDP session anyway. So its value may be suspect; a jump box acts as a bastion host to do pretty much the same thing. And with Azure Automation, it's not difficult to redeploy a jump box automatically through Infrastructure as Code (IaC) scripts.
So what is the right answer? Why can't it be both? Why not use a Windows 10 system enabled with DeviceGuard that is automatically provisioned on each use as a SAW, and that is only permitted to access the jump box? In fact, this might end up being a slightly less expensive proposition than having dedicated isolated SAW hardware that can be more difficult to inventory and maintain. The jump box will have the access controls and tools on the target network where the HVA resides... why not use it that way with proper security controls? Combined with strong authentication, end-to-end IPSec tunnels and Server Isolation policies, it gives you the right balance of security and flexibility for remote administration.
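The combination described above, as an added example that is not from the original post: the SAW gets a default-deny outbound firewall with a single RDP allow to the jump box, that path is required to run over IPsec with Kerberos machine and user authentication, and the jump box accepts RDP only from authenticated connections whose user is in the admin group. The jump box address 10.10.0.5, the domain controller address 10.10.0.2 and the group CORP\SAW-Admins are constructed placeholders; the commands are the Windows Firewall (NetSecurity module) cmdlets and are run in an elevated session on each host.

```powershell
# Added example, not from the original post. Addresses and group name are constructed.
$JumpBoxIP          = '10.10.0.5'        # placeholder: the bastion / jump box
$DomainControllerIP = '10.10.0.2'        # placeholder: DC for Kerberos, DNS, LDAP
$AdminGroup         = 'CORP\SAW-Admins'  # placeholder: group allowed onto the jump box

# ---------- On the SAW ----------
# IPsec authentication: Kerberos for the machine in phase 1, Kerberos for the user in phase 2,
# so both the SAW itself and the person at the keyboard are authenticated end to end.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'SAW P1 machine Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'SAW P2 user Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# Require IPsec in both directions for any traffic between the SAW and the jump box.
New-NetIPsecRule -DisplayName 'SAW <-> JumpBox require IPsec' -RemoteAddress $JumpBoxIP `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name

# The only application-level path off the SAW: RDP to the jump box, and only when the
# connection was authenticated by IPsec.
New-NetFirewallRule -DisplayName 'SAW allow RDP to JumpBox' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 3389 -RemoteAddress $JumpBoxIP -Authentication Required

# Kerberos, DNS and LDAP to the DC must stay open or the IPsec negotiation cannot authenticate.
New-NetFirewallRule -DisplayName 'SAW allow DC TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 53,88,389 -RemoteAddress $DomainControllerIP
New-NetFirewallRule -DisplayName 'SAW allow DC UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53,88,389 -RemoteAddress $DomainControllerIP

# Everything else, in and out, is dropped on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# ---------- On the jump box (server isolation) ----------
# Resolve the admin group to its SID and express it as the SDDL the firewall expects:
# "O:LSD:(A;;CC;;;<SID>)" grants the 'connect' right to that principal only.
$sid  = (New-Object System.Security.Principal.NTAccount($AdminGroup)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"

# Inbound RDP is allowed only over an IPsec-authenticated connection whose user is in the group.
New-NetFirewallRule -DisplayName 'JumpBox RDP from SAW admins only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -Authentication Required -RemoteUser $sddl

# Verify what is actually in effect before relying on it.
Get-NetFirewallRule -DisplayName 'JumpBox RDP from SAW admins only' |
    Get-NetFirewallSecurityFilter
```

In practice these rules are pushed through Group Policy to the SAW and jump box OUs rather than typed on each host, which is what turns the per-host configuration into the server isolation policy the post refers to; the local cmdlets are shown here because they make the intended traffic flow explicit. The `-RemoteUser` filter on the jump box is the piece that a plain bastion host typically lacks, since it ties the network allow to the authenticated identity rather than just to a source address.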
As Microsoft continues its journey into privileged access management and just-in-time administration this will change... but right now I don't think we need to throw out the jump boxes for SAW. Use them together and take advantage of the benefits of both.