Privileged Access Workstations (PAWs), hardened admin workstations used to protect privileged accounts, provide a locked-down, dedicated OS that is used strictly for administrative IT tasks and nothing else. All productivity tasks like email and web browsing are performed on a separate system. In this talk I will discuss my lessons learned while deploying PAWs in a real-world corporate environment. I’ll explain the inherent flaws in traditional approaches, such as jump servers, and show examples of other techniques I've used to limit exposure to credential theft and lateral movement. Fellow blue teamers will discover these controls are feasible to implement, even in small environments.