I am sure most everyone has heard something about Pass-the-Hash. For those of you who don't know what I am referring to, I'll share a simple overview.
The Pass-the-Hash (PtH) attack and other credential theft and reuse types of attack use an iterative two-stage process. First, an attacker must obtain local administrative access on at least one computer. Second, the attacker attempts to increase access to other computers on the network by: 1. Stealing one or more authentication credentials (user name and password or password hash belonging to other accounts) from the compromised computer. 2. Reusing the stolen credentials to access other computer systems and services. This sequence is often repeated multiple times during an actual attack to progressively increase the level of access that an attacker has to an environment. (Excerpt from Microsoft's Pass-the-Hash Mitigation Whitepaper v1)
Microsoft has written some great white papers on mitigation strategies and concepts to help address this growing trend. There are also some new videos that answer common questions people have about PtH mitigations. One common question is: does using a smart card help against PtH? You'll have to view the video to get the answer 🙂
Check out http://www.microsoft.com/pth to watch the videos, and make sure you take some time to read the white papers. PtH attacks continue to grow at an alarming rate, and understanding the critical countermeasures can improve your organization's security posture. There is no single task that mitigates a PtH attack; instead we have to approach it with a defense-in-depth strategy, because the attack chains together several weaknesses (a compromised workstation, a privileged credential cached on it, and a network that lets that credential be reused elsewhere). There are many things to consider as you build your layers of mitigation.
Here are a few things I often find myself asking my customers ...
- Do your users have local administrative privileges?
  - Most PtH attacks start with the compromise of a workstation, and a local admin is what lets the attacker dump the credentials cached on it
- How many Domain Admins do you really need?
  - Group membership requirement versus the tasks actually performed
  - Could some of those Domain Admins have properly delegated rights instead?
  - Your DA may need to reset a password, but do they really need to use a DA account to accomplish this?
- Patching status?
  - Testing, deployment, enforcement
- What does bad look like, if you don't know what good looks like?
  - Baselines, from configuration to performance
  - It's harder to see with your eyes closed
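The first three questions above can be answered with a quick audit. The following PowerShell script is an added example, not code from the post or from Microsoft's white papers. It assumes PowerShell 5.1 or later on a domain-joined Windows machine with the RSAT ActiveDirectory module installed for the Domain Admins check; the local administrators and patch checks run against the machine it is executed on. The thresholds $MaxDomainAdmins and $MaxPatchAgeDays are made-up numbers to illustrate the "how many do you really need" question, not recommendations from the post.

```powershell
# Added PtH exposure audit (example code, not from the post or the whitepaper).
# Assumes: PowerShell 5.1+, domain-joined host, RSAT ActiveDirectory module.
# $MaxDomainAdmins and $MaxPatchAgeDays are hypothetical thresholds.
param(
    [int]$MaxDomainAdmins = 5,
    [int]$MaxPatchAgeDays = 45
)

# 1. How many Domain Admins do you really have?
#    -Recursive resolves nested groups so indirect members are counted too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
"Effective user members of Domain Admins: $($domainAdmins.Count)"
$domainAdmins | Sort-Object SamAccountName |
    Format-Table SamAccountName, DistinguishedName -AutoSize
if ($domainAdmins.Count -gt $MaxDomainAdmins) {
    Write-Warning "More than $MaxDomainAdmins Domain Admins. Ask which of their tasks could be delegated instead."
}

# 2. Do your users have local administrative privileges on this workstation?
#    A domain user in the local Administrators group is the foothold PtH needs:
#    compromise that workstation and you can dump whatever credentials are cached on it.
$localAdmins = Get-LocalGroupMember -Name 'Administrators'
"Local Administrators on $($env:COMPUTERNAME):"
$localAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
$domainUserAdmins = $localAdmins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory'
}
if ($domainUserAdmins) {
    Write-Warning "Domain user accounts are local admins here: $($domainUserAdmins.Name -join ', ')"
}

# 3. Patching status: when did the most recent update land?
#    Some hotfix records have no InstalledOn date, so those are filtered out first.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    "Most recent update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()) ($([int]$age.TotalDays) days ago)"
    if ($age.TotalDays -gt $MaxPatchAgeDays) {
        Write-Warning "No update installed in the last $MaxPatchAgeDays days."
    }
} else {
    Write-Warning "Get-HotFix returned no dated entries; check update history another way."
}
```

Run it from an elevated prompt on a representative workstation and again on a server; the interesting output is the difference between the two, and the gap between the number of Domain Admins the script reports and the number of people who actually perform domain-wide administration. Note that Get-ADGroupMember -Recursive will not enumerate members from another forest or groups over the default 5,000-member limit, so very large or multi-forest environments need a different enumeration approach.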