“One of my favorite hobbies is hunting sysadmins” – Hacker of Hacking Team’s network
I only periodically log in to my Privileged Access Workstation to carry out administrative tasks. Although I have restrictive policies applied and Windows Firewall locked down, there’s no reason for that machine to be on the network while I’m not actively using it.
In an attempt to address this, I created two simple scheduled tasks:
1. Disable all NICs when workstation is locked
2. Enable all NICs when workstation is unlocked
Note that these tasks are event-triggered and so depend on the correct audit logging being enabled on the machine in question. Workstation lock and unlock are recorded in the Security log as events 4800 and 4801, which are only written when the "Audit Other Logon/Logoff Events" subcategory is enabled; without it the tasks won't trigger.
It also depends on how you use your PAW. If you regularly log off rather than shut down, you will need to add additional triggers to the tasks to handle the logoff/logon events.
Import these tasks into Task Scheduler and use them at your own peril. You may run into issues if you don't store any cached logons (CachedLogonsCount set to 0) and simultaneously require a domain controller to be accessible at logon: the unlock is validated while the NIC is still disabled, so there is no reachable domain controller to validate it against.
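The same pair of tasks, written as an added PowerShell example rather than the post's own task XML, with the audit prerequisite set and the extra logon/logoff triggers mentioned above included. The task names, the `\PAW\` task folder, the choice to act only on physical adapters, and running the actions as SYSTEM are my assumptions; run it from an elevated prompt on the PAW itself.

```powershell
# Added example, not the original post's exported tasks. Run elevated.
# Assumptions: task names, the \PAW\ folder, physical adapters only, SYSTEM principal.

# 1. The event triggers below never fire unless the Security log receives
#    4800 (workstation locked) / 4801 (workstation unlocked) and 4647 (user-initiated logoff).
auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable | Out-Null
auditpol.exe /set /subcategory:"Logoff" /success:enable | Out-Null

# 2. Build a Task Scheduler "On an event" trigger for one Security event ID.
#    There is no New-ScheduledTaskTrigger switch for event triggers, so the
#    MSFT_TaskEventTrigger CIM class is instantiated directly with an XPath subscription.
function New-SecurityEventTrigger {
    param([Parameter(Mandatory)][int]$EventId)
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=$EventId]]</Select></Query></QueryList>
"@
    return $trigger
}

# 3. Actions: disable or enable every physical adapter. Outer single quotes keep
#    $false literal so it is evaluated by the child powershell.exe, not here.
$disableArgs = '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false"'
$enableArgs  = '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Get-NetAdapter -Physical | Enable-NetAdapter -Confirm:$false"'

# SYSTEM needs no stored credentials and still exists after the user has logged off.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                          -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

# 4. Disable NICs on lock (4800) and on user-initiated logoff (4647).
$disableTriggers = @(
    (New-SecurityEventTrigger -EventId 4800),
    (New-SecurityEventTrigger -EventId 4647)
)
Register-ScheduledTask -TaskName 'Disable NICs on lock' -TaskPath '\PAW\' `
    -Action (New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $disableArgs) `
    -Trigger $disableTriggers -Principal $principal -Settings $settings -Force | Out-Null

# 5. Enable NICs on unlock (4801) and on any interactive logon.
$enableTriggers = @(
    (New-SecurityEventTrigger -EventId 4801),
    (New-ScheduledTaskTrigger -AtLogOn)
)
Register-ScheduledTask -TaskName 'Enable NICs on unlock' -TaskPath '\PAW\' `
    -Action (New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $enableArgs) `
    -Trigger $enableTriggers -Principal $principal -Settings $settings -Force | Out-Null

# 6. Confirm both tasks registered and the audit subcategory is actually on.
Get-ScheduledTask -TaskPath '\PAW\' | Select-Object TaskName, State
auditpol.exe /get /subcategory:"Other Logon/Logoff Events"
```

To check the wiring before trusting it, lock the workstation, then look for event 4800 in the Security log and for the task's last run result under `Get-ScheduledTaskInfo -TaskName 'Disable NICs on lock' -TaskPath '\PAW\'`; if 4800 is missing, the audit policy is being overridden by a GPO and the task will never fire. The same cached-logon caveat applies to the logon trigger: the logon is validated before the enable task runs, so the machine must be able to validate it locally.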