This post has been republished via RSS; it originally appeared at: Data Center Security articles.
First published on TECHNET on Oct 13, 2017At Ignite conference last month, Dean and I presented a session on PAW. Originally we were planning to just talk about the concept of PAW and how it is deployed in Microsoft. A week before the conference, we decide to share our early design based on the Windows 10 1709 release, so that we can gauge the interest from our customers about this solution, and make decision to as to whether we should build a backend service to support the solution.
The response was overwhelming, many customers came to visit us at the Expo during the conference, and signed up to evaluate the solution. It motivated us to speed up the development, so that we can offer a proof of concept. In the past few months, we have enrolled many customers to evaluate the solution, and gained valuable insight.
Meanwhile, I'm planning to write a series of blog posts that explain the details of the new PAW solution, from the host configuration to the template we are building. This blog is the first one in the series, aiming at providing an overview of the PAW solution.
Solution overview
Below is a high-level topology view of the deployment:
The PAW device is running the Windows 10 1709 release, which has a new feature "Guarded host". This feature supports the physical device performing remote health attestation against a Host Guardian Server (HGS) and running shielded VMs. If you would like to learn about the benefit of shielded VM, you can find more details here . The shielded VM was first introduced in Windows Server 2016 to protect virtual machines running sensitive workload, and is now made available in Windows client to run the PAW VMs.
The design of the PAW host is locked down to run the minimum set of binaries while moving all functionality into the virtual machines running on that host. Compared to the current PAW solutions that use separate physical machines running different workloads, this design is less costly and has better usability.
- the desktop VM will handle user daily productivity workload, such as email, internet access;
- the PAW VM will be dedicated for secure workload, which can be locked down, such as network access; application whitelisting etc.
One key backend service to support the PAW device is the HGS server. If you want to deploy the Host Guardian Server on-premises, you can follow this deployment document to set up the HGS server. For evaluation, you can create a single node HGS server, with self-signed certificates.
(Note: update 2018/04, the PAW TAP program has been closed for now. I have publish guidelines on how to deploy PAW on-prem guide, see links below)
I also created user voice links, if you'd like to see this offered by Microsoft, please vote here:
HGS as service
Azure PAW
Our goal is to build a simple solution for customers to deploy PAW, which offers a good user experience and does not require dedicated resources for ongoing operational management. We are inviting you to join us on this development journey.
I have purposefully stayed at a very high level in this first blog about the PAW solution. Deep dive blogs will follow. Feel free to share your questions in the comment section, so I can make sure to address in the upcoming posts.
Update
I have published a number of blog posts on the PAW solution, below is a reference list: