> This would strictly be used to administer the network, no web browsing or email. Having two workstations per user gets cumbersome, so we thought about using a VDI session for one of these roles:
>
> - Login to the workstation with the elevated account, open a VDI session to browse the web, read email, etc.
> - Login to the workstation with the non-elevated account, open a VDI session to use tools like Active Directory Users and Computers.

This post is over a year old but I thought I would add some context around PAW/SAW devices.

VDIs are not a great PAW/SAW, as the idea is that the trust starts at the endpoint. From a security perspective the below statement is an issue, as a PAW/SAW should be a physical device. This mitigates a keylogger threat as well as giving the ability to scope administration consoles to specific computers.

One idea that we have used to mitigate carrying around two laptops is to create a restricted PAW managed by Intune (more details can be provided if needed); it is an expansion on your idea "Login the workstation with the elevated account, open a VDI session to browse web, read email, etc." We deploy a local VDI running on Hyper-V. This allows for a Tier 1 hypervisor to be used for security separation.

1. It also allows for the PAW requirement to be met.
2. Enable Virtual TPM so BitLocker can be used.
3. Enable Remote Desktop with NLA and a firewall rule from the PAW only, to allow webcam, mic and speakers to be passed to the virtual machine.
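The "local VDI on the PAW" layout described in the reply, as an added PowerShell example (not the commenter's Intune/Hyper-V build and not part of the original thread): the PAW host stays the trusted administrative device, the Hyper-V guest is the untrusted browsing and mail environment, and it is reached over RDP with NLA from the host only. The VM name, switch name, paths, ISO location and the 172.20.0.x addresses are assumptions for illustration; everything else uses standard Hyper-V, NetSecurity and BitLocker cmdlets and documented .rdp file settings.

```powershell
#Requires -RunAsAdministrator
# Added example, not the commenter's build. Names, paths and addresses are assumed.

# ---- Part 1: run on the PAW host (Hyper-V role installed) -------------------
function New-PawBrowsingVM {
    param(
        [string] $VmName     = 'PAW-Browse',          # assumed VM name
        [string] $SwitchName = 'Default Switch',      # assumed NAT vSwitch
        [string] $VhdPath    = "C:\VMs\$VmName.vhdx", # assumed path
        [string] $IsoPath    = 'C:\ISO\Windows.iso'   # assumed install media
    )
    # Generation 2 gives UEFI + Secure Boot, both prerequisites for a vTPM.
    New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB `
           -NewVHDPath $VhdPath -NewVHDSizeBytes 80GB -SwitchName $SwitchName | Out-Null
    Set-VMFirmware -VMName $VmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

    # Step 2 of the post: the vTPM. A key protector must exist before Enable-VMTPM
    # succeeds; a local protector is enough on a single host (no Host Guardian
    # Service involved). BitLocker inside the guest then has a TPM to seal its key to.
    Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VmName
    Set-VMSecurity -VMName $VmName -EncryptStateAndVmMigrationTraffic $true

    $dvd = Add-VMDvdDrive -VMName $VmName -Path $IsoPath -Passthru
    Set-VMFirmware -VMName $VmName -FirstBootDevice $dvd
    Start-VM -Name $VmName
}

# ---- Part 2: run inside the guest after Windows is installed ---------------
function Set-PawGuestRemoteAccess {
    param(
        # Assumed: the PAW host's address on the vSwitch. The "Default Switch" NAT
        # subnet can change across host reboots, so a dedicated internal switch
        # with a static address is the more reliable choice for this rule.
        [string] $PawHostAddress = '172.20.0.1'
    )
    # Step 3 of the post: RDP with NLA. UserAuthentication=1 forces CredSSP
    # authentication before a session (and its attack surface) exists.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

    # The built-in "Remote Desktop" rule group accepts any source address;
    # keep it disabled and allow TCP/3389 from the PAW host only.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'RDP from PAW host only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $PawHostAddress `
        -Action Allow -Profile Any | Out-Null
}

function Enable-PawGuestBitLocker {
    # Check that the vTPM is actually visible to the guest before relying on it.
    if (-not (Get-Tpm).TpmPresent) {
        throw 'No TPM visible in the guest; enable the vTPM on the host first.'
    }
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 `
                     -UsedSpaceOnly -SkipHardwareTest
}

# ---- Part 3: back on the PAW host: an .rdp file that passes the devices -----
function New-PawRdpFile {
    param(
        [string] $VmAddress = '172.20.0.10',                            # assumed guest address
        [string] $Path      = "$env:USERPROFILE\Desktop\PAW-Browse.rdp" # assumed output path
    )
    # audiomode 0 = play sound on the client, audiocapturemode 1 = redirect the
    # mic, camerastoredirect * = all webcams. Drive, clipboard, printer and smart
    # card redirection stay off: the guest is the untrusted side, and those are
    # the channels through which it could reach back into the PAW.
    # authentication level 1 refuses to connect on a certificate mismatch, so the
    # guest's RDP certificate must be trusted by the host (e.g. issued by the
    # internal CA) rather than left self-signed.
    @"
full address:s:$VmAddress
authentication level:i:1
prompt for credentials:i:1
audiomode:i:0
audiocapturemode:i:1
camerastoredirect:s:*
redirectclipboard:i:0
drivestoredirect:s:
redirectprinters:i:0
redirectsmartcards:i:0
"@ | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

# Usage: on the host, New-PawBrowsingVM; inside the guest, Set-PawGuestRemoteAccess
# and Enable-PawGuestBitLocker; then on the host, mstsc.exe (New-PawRdpFile).
```

The firewall rule is the part worth double-checking after deployment: `Get-NetFirewallRule -DisplayName 'RDP from PAW host only' | Get-NetFirewallAddressFilter` should show only the PAW host's address as RemoteAddress, and a connection attempt from any other machine on the same switch should time out rather than reach the NLA prompt.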