Hackers have been launching credential-stealing “pass-the-hash” (PtH) attacks for at least 15 years, and not just against Windows systems. Today, these devastating attacks can be successfully mounted against any operating system or authentication protocol. In a PtH attack, an intruder (or an employee) compromises a computer and extracts a user’s password hash from that computer’s memory or file system. Because the hash itself serves as the authentication token, the attacker never needs the plaintext password: the stolen hash can be replayed to authenticate to other computers on the network and, if it belongs to a privileged account, to acquire superuser access to them. A PtH attack can have a significant impact on an Active Directory environment, and once the attacker has obtained elevated access, it becomes very difficult to defend against the attack.
Compounding matters is the fact that there is no single PtH “patch,” piece of software, hardware or magic wand that will protect against PtH attacks and vulnerabilities. As in medieval times, you need multiple defenses: a moat; high, thick walls; lookouts; spies; and good soldiers. Today, we call this defense in depth, or multiple layers of security. It means reducing the number of people with elevated privileges, and using firewalls, intrusion prevention systems, smartcard or two-factor authentication, anti-virus software, full-disk encryption, and proactive security patching to deter, detect and eliminate intruders.
You can’t protect 100 percent against this or any other type of attack, but there are a number of ways you can mitigate it, and there are also software solutions that can help. A few of the most basic steps include:
- Never include your normal work account in a privileged group. If you need to do something that requires elevated domain privileges, log off and then log on to your administrative account.
- Use a different, more secure machine for privileged domain operations. Lock it down, make sure it’s running the latest OS with all appropriate patches, apply stricter and stronger security policies to it, and connect it to your network via an Ethernet cable rather than Wi-Fi.
- Always use a password of 15 characters or greater for your privileged accounts. Change it frequently, and make sure you’ve implemented the Windows "NoLMHash" Group Policy. For more information, visit: http://support.microsoft.com/kb/299656
- To eliminate e-mail as an attack vector, make sure your administrative accounts don’t have Exchange or e-mail access. This further strengthens the need for number two, above: use a different machine for privileged operations.
- Make sure your local Guest and Administrator accounts are disabled.
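Several of the steps above can be verified on a given Windows machine rather than taken on trust. The PowerShell audit script below is an added example for this page, not code from the original article or from Microsoft; it checks the "NoLMHash" setting referenced in KB 299656 (the `NoLMHash` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`), whether the built-in Guest and Administrator accounts are disabled (located by their well-known relative identifiers 501 and 500, so a renamed Administrator account is still found), and whether the session running the audit holds an administrative token, which is the everyday-account-with-elevated-rights situation the first step warns against. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and it runs read-only.

```powershell
# Added example: audit a Windows host against the basic PtH mitigations above.
# Read-only; every check returns an object so the results can be collected or exported.

function Test-NoLMHash {
    # KB 299656: NoLMHash = 1 stops Windows from storing the weak LM hash of passwords.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    [pscustomobject]@{
        Check  = 'NoLMHash policy enabled'
        Pass   = ($value -eq 1)
        Detail = if ($null -eq $value) { 'value not present (LM hashes may be stored)' } else { "NoLMHash = $value" }
    }
}

function Test-BuiltInAccountDisabled {
    param(
        # 500 = built-in Administrator, 501 = built-in Guest (relative identifiers, constant across installs)
        [ValidateSet(500, 501)] [int] $Rid
    )
    $label = if ($Rid -eq 500) { 'built-in Administrator' } else { 'built-in Guest' }
    # Match on the SID suffix rather than the name so a renamed account is still found.
    $account = Get-LocalUser | Where-Object { $_.SID.Value -like "*-$Rid" } | Select-Object -First 1
    if ($null -eq $account) {
        return [pscustomobject]@{ Check = "$label disabled"; Pass = $false; Detail = 'account not found' }
    }
    [pscustomobject]@{
        Check  = "$label disabled"
        Pass   = (-not $account.Enabled)
        Detail = "account '$($account.Name)' Enabled = $($account.Enabled)"
    }
}

function Test-SessionNotElevated {
    # Step one above: day-to-day work should not run under a token that carries administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        Check  = 'current session is not running with administrative rights'
        Pass   = (-not $isAdmin)
        Detail = "user $($identity.Name), administrative token = $isAdmin"
    }
}

function Invoke-PthHardeningAudit {
    # Collect every check into one list; a failed check is a mitigation from the article that is not in place.
    $results = @(
        Test-NoLMHash
        Test-BuiltInAccountDisabled -Rid 501
        Test-BuiltInAccountDisabled -Rid 500
        Test-SessionNotElevated
    )
    $results | Format-Table -AutoSize
    return $results
}

$audit = Invoke-PthHardeningAudit
$failed = @($audit | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) PtH mitigation check(s) failed on $env:COMPUTERNAME"
}
```

Run it in an ordinary (non-elevated) PowerShell window on the workstation being checked; a `Pass = False` row on the last check while you are doing routine work is exactly the condition the first bullet tells you to avoid. Checking domain-level privileged group membership (Domain Admins and similar) needs the Active Directory module and is deliberately left out so the script stays self-contained.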
Finally, use a software solution that helps protect sensitive administrative credentials. Choose one that automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties, and has the capability to disable privileged accounts when they are not in use by an authorized individual.
By using these five steps and familiarizing yourself with the multitude of PtH protection information found on Microsoft's website, including Pass-the-Hash and Other Credential Theft, you can help minimize the risk to your organization.