Our admins manage from their regular laptops; that feels unsafe.
A Privileged Access Workstation (PAW) is a hardened device used only for admin tasks: no mail, no browsing, no Office. It stops a phishing mail on the daily-use laptop from turning straight into domain admin rights, because admin credentials are never typed on a machine that opens attachments and links.
Try this first
1. Build a clean Windows 11 image with BitLocker, Defender for Endpoint and a tight baseline. No Office, no Slack, no browser plugins.
2. Join it to a separate security tier: a tier-0 PAW for DC/AD admin only, tier-1 for server admin, tier-2 for workstation admin.
3. Network zone: the PAW only reaches AD, the admin VLANs and vendor portals. No mail, no general internet (or only via a dedicated proxy).
4. Admin accounts are usable only from the PAW. On the normal laptop the account is unusable for admin tasks: a GPO applied to every non-PAW computer gives the tier-0 admin group the user rights "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny access to this computer from the network", "Deny log on as a batch job" and "Deny log on as a service", so the credential never lands on a machine that reads mail.
5. Make it workable: a second laptop has a cost, a stolen domain admin account costs more. For an SMB, one PAW shared by two admins with good logging is sometimes enough.
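As an added example (not code from the original page), the PowerShell script below checks on one Windows computer whether step 4 is actually enforced: it exports the effective user rights with secedit, verifies that the tier-0 admin group holds all five deny rights on a non-PAW machine (and none of them on a PAW), and then reads the Security log for successful logons (event 4624) by tier-0 accounts on a machine that is not a PAW, which is exactly the violation the GPO is meant to prevent. The group name Tier0-Admins and the OU OU=PAW,OU=Tier0,DC=corp,DC=example are assumptions for the example; substitute your own. Run it elevated, with the RSAT ActiveDirectory module installed.

```powershell
<#
Added example, not from the original page. Assumed (hypothetical) names:
tier-0 admin group 'Tier0-Admins'; PAW computer objects live under
'OU=PAW,OU=Tier0,DC=corp,DC=example'. Run elevated; needs the ActiveDirectory module.
#>
param(
    [string]$Tier0Group   = 'Tier0-Admins',
    [string]$PawOU        = 'OU=PAW,OU=Tier0,DC=corp,DC=example',
    [int]   $LookbackDays = 30
)

Import-Module ActiveDirectory -ErrorAction Stop

# Decide whether this computer is a PAW from its OU, not from its name.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$isPaw = $computerDn -like "*,$PawOU"

# Security templates store principals as *SID, so compare on the SID, not the name.
$tier0Sid = (Get-ADGroup -Identity $Tier0Group).SID.Value

# Export the effective user rights and read the "SeXxxRight = *SID,*SID" lines.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^(Se\w+Right)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# On a non-PAW computer the tier-0 group must hold all five deny rights; on a PAW none of them.
$denyRights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
}
foreach ($right in $denyRights.Keys) {
    $present = $rights[$right] -contains $tier0Sid
    if ($isPaw -and $present) {
        Write-Warning "PAW $env:COMPUTERNAME denies $Tier0Group '$($denyRights[$right])'; admins cannot work here."
    }
    elseif (-not $isPaw -and -not $present) {
        Write-Warning "$env:COMPUTERNAME is not a PAW but '$($denyRights[$right])' lacks $Tier0Group; the GPO is missing or not applied."
    }
}

# Detection: a successful logon (4624) by a tier-0 account on a non-PAW machine is a policy violation,
# whether the GPO was missing at the time or someone worked around it.
if (-not $isPaw) {
    $tier0Users = Get-ADGroupMember -Identity $Tier0Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Logon types 2 (interactive), 10 (RDP) and 11 (cached interactive) mean the credential was typed here.
        if ($d.LogonType -in @('2', '10', '11') -and $tier0Users -contains $d.TargetUserName) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Type    = $d.LogonType
                Source  = $d.IpAddress
            }
        }
    }
}
```

Run it on a couple of ordinary laptops and on the PAW itself. A warning on a laptop means the deny GPO did not reach it (wrong OU, link disabled, or the group was added by name and did not resolve); any rows in the logon table show tier-0 credentials that were typed on a machine that also reads mail and are worth a password reset. Network logons (type 3) are deliberately left out so that legitimate management traffic from the PAW to that machine does not show up as a hit.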
When to bring us in
For SMBs without budget for a second device, a Hyper-V VM with the same restrictions on the main machine is a stopgap. It is not ideal: whoever controls the host controls the VM, so a phished host still exposes the admin session. If you go the VM route, the stronger arrangement is the reverse one Microsoft's PAW guidance describes, where the hardened machine is the host and the daily-use environment with mail and browsing runs in the VM. Either way it is better than nothing.
See also
- One DC or two DCs for an SMB office? Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs? For a small domain, all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy? Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.