Pass-the-hash (PtH) attacks are among the most feared attacks in the computer world. Many of my largest customers (Fortune 500, government, and so on) have told me it's their No. 1 worry above all other attack types.
In PtH and other credential-theft attacks, an attacker who has already gained admin control of a computer steals authentication credentials from disk or memory (on Windows, typically the NT hashes that LSASS keeps for every logged-on user) and reuses them to open new connections and logons. The hash never has to be cracked: in NTLM authentication the NT hash, not the password, is the key material, so whoever holds the hash can answer a server's challenge exactly as the real user would. Most operating systems are vulnerable to some form of credential reuse, but Microsoft Windows has been the primary target thanks to its pervasiveness in the corporate environment and the availability of PtH tools.
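To make the point concrete, here is the NTLMv2 challenge-response computation from MS-NLMP section 3.3.2 written out in PowerShell. This is an added example, not code from the article, and every input value in it is a constructed sample. It is here to show that the only secret the computation consumes is the 16-byte NT hash: a legitimate client derives that hash from the typed password (MD4 over its UTF-16LE bytes), while an attacker who dumped the hash from LSASS skips that step and feeds the same value into the same math.

```powershell
# Added example (not from the article): NTLMv2 NtChallengeResponse per MS-NLMP 3.3.2.
# The function's only secret input is the NT hash; no password is ever needed.

function Get-NtlmV2Response {
    param(
        [string]$NtHashHex,        # 16-byte NT hash as hex; the only secret involved
        [string]$User,             # account name, upper-cased by the spec
        [string]$Domain,           # domain/target name, case preserved by the spec
        [byte[]]$ServerChallenge,  # 8 bytes from the server's CHALLENGE_MESSAGE
        [byte[]]$ClientChallenge,  # 8 random bytes chosen by the client
        [byte[]]$Timestamp,        # 8-byte little-endian FILETIME
        [byte[]]$TargetInfo        # AV_PAIR blob echoed back from the CHALLENGE_MESSAGE
    )
    $ntHash = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) { $ntHash[$i] = [Convert]::ToByte($NtHashHex.Substring(2 * $i, 2), 16) }
    $unicode = [System.Text.Encoding]::Unicode

    # NTOWFv2 = HMAC_MD5(NTHash, UNICODE(UPPER(user) + domain))
    $hmac1 = New-Object System.Security.Cryptography.HMACMD5
    $hmac1.Key = $ntHash
    $responseKeyNt = $hmac1.ComputeHash($unicode.GetBytes($User.ToUpperInvariant() + $Domain))

    # temp = 0x01 0x01 | 6 zero bytes | time | client challenge | 4 zero bytes | target info | 4 zero bytes
    $temp = [byte[]](1, 1) + (New-Object byte[] 6) + $Timestamp + $ClientChallenge +
            (New-Object byte[] 4) + $TargetInfo + (New-Object byte[] 4)

    # NTProofStr = HMAC_MD5(NTOWFv2, server challenge | temp); NtChallengeResponse = NTProofStr | temp
    $hmac2 = New-Object System.Security.Cryptography.HMACMD5
    $hmac2.Key = $responseKeyNt
    $ntProofStr = $hmac2.ComputeHash([byte[]]($ServerChallenge + $temp))
    return ([System.BitConverter]::ToString([byte[]]($ntProofStr + $temp))).Replace('-', '')
}

# Constructed sample inputs (not real credentials or captured traffic)
$unicode    = [System.Text.Encoding]::Unicode
$domainName = $unicode.GetBytes('CORP')
# Minimal AV_PAIR list: MsvAvNbDomainName (id 2) "CORP", then MsvAvEOL (id 0, length 0)
$targetInfo = [byte[]](2, 0) + [System.BitConverter]::GetBytes([uint16]$domainName.Length) +
              $domainName + [byte[]](0, 0, 0, 0)
$sample = @{
    NtHashHex       = '32ed87bdb5fdc5e9cba88547376818d4'   # sample value standing in for a hash dumped from LSASS
    User            = 'jsmith'
    Domain          = 'CORP'
    ServerChallenge = [byte[]](0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF)
    ClientChallenge = [byte[]](0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA)
    Timestamp       = [System.BitConverter]::GetBytes([long]0x01D0000000000000)   # arbitrary FILETIME
    TargetInfo      = [byte[]]$targetInfo
}
Get-NtlmV2Response @sample
```

Nothing in the function's parameter list is a password. That is the whole premise of PtH, and the reason the hash has to be treated as a plaintext-equivalent secret: every mitigation in the list below is about keeping that hash out of an attacker's hands or making it unusable.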
Attackers using PtH completely compromise just about every network they hit. Pretty much every APT (advanced persistent threat) team uses it, every penetration test team uses it, and the tools for it have only gotten better. That's why the anti-PtH measures built into Windows 8.1 are such a big deal.
Hands off the hash
Before Windows 8.1, the only real mitigations against PtH attacks were:
- Don't let hackers get admin control of your box
- Don't log on with elevated accounts, especially on computers not directly under your control
- Restrict the ability of local accounts to be used over the network
- Restrict which computers can connect to which (using firewalls, IPSec, and so on)
- Force a reboot after logging on with an elevated account, because before Windows 8.1 the account's credentials stayed in LSASS memory after logoff until the machine restarted
Unfortunately, most of these recommendations were difficult for most enterprises to implement without a lot of new policies, procedures, and elbow grease. On the software side, it's very difficult for any OS, including Windows, to stop PtH attacks while maintaining the single sign-on (SSO) functionality customers absolutely require. Asking users to re-enter their logons every time they want to connect to a new application, service, or drive share is the quickest way to make your OS obsolete.
To the pleasant surprise of a lot of people, Windows 8.1 includes comprehensive pass-the-hash mitigations. While it doesn't completely eliminate the threat, it comes pretty darn close. Here's a summary of the PtH mitigations available in Windows 8.1:
- Strengthened LSASS to prevent hash dumps: LSASS can now run as a protected process (LSA Protection, turned on with the RunAsPPL registry value), so even elevated user-mode tools cannot open it to read the credentials it holds
- Many processes that used to store credentials in memory no longer do so; most notably, the WDigest security package no longer keeps users' plaintext passwords in LSASS memory by default
- Better methods to restrict local accounts from going over the network: two new well-known SIDs, Local account (S-1-5-113) and Local account and member of Administrators group (S-1-5-114), can be placed in the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" policies without enumerating every local account
- Credentials are cleared from memory when a user logs off instead of lingering until the next reboot
- RDP (Remote Desktop Protocol) connections can be made in Restricted Admin mode (mstsc /RestrictedAdmin), so the administrator's credentials are never sent to or stored on the remotely controlled computer; the trade-off is that a host that accepts Restricted Admin connections will also accept an RDP logon made with a stolen hash, so enable it on hardened jump hosts rather than everywhere
- Addition of a new Protected Users group, whose members cannot authenticate with NTLM at all (nor with DES/RC4 Kerberos, delegation, or cached credentials), so there is no hash for an attacker to pass; the group appears once the domain's PDC emulator runs Windows Server 2012 R2, and it should hold interactive administrator accounts only, never service accounts
- Several other OS changes that make PtH attacks far more difficult to achieve (see the Technet summary)
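The list above is a summary; the settings behind it are registry values, a user-right assignment, and a group membership, all of which can be checked and applied from PowerShell. The script below is an added example, not the article's own code. It audits the local machine for the Windows 8.1 / Server 2012 R2 mitigations named above and applies the ones that are registry- or policy-backed. The registry paths and value names are the documented Microsoft ones; the account name in the last usage line is a hypothetical placeholder. Run it from an elevated prompt.

```powershell
# Added example (not the article's code): audit and apply the Windows 8.1 PtH mitigations on this host.
# Registry paths/value names are Microsoft's documented ones. Run elevated.

$Lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegDword($Path, $Name) {
    # $null when the value is absent, rather than an error
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-DenyNetworkLogonSids {
    # Reads "Deny access to this computer from the network" (SeDenyNetworkLogonRight) via a secedit export
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # secedit writes SIDs with a leading '*', e.g. "*S-1-5-113,*S-1-5-114"
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function New-Check($Mitigation, $Actual, [bool]$Pass, $Note) {
    [pscustomobject]@{ Mitigation = $Mitigation; Actual = $Actual; Pass = $Pass; Note = $Note }
}

function Test-PthMitigations {
    $runAsPpl = Get-RegDword $Lsa 'RunAsPPL'
    $wdigest  = Get-RegDword $WDigest 'UseLogonCredential'
    $rdpRa    = Get-RegDword $Lsa 'DisableRestrictedAdmin'
    $deny     = @(Get-DenyNetworkLogonSids)

    New-Check 'LSASS as Protected Process Light (RunAsPPL=1)' $runAsPpl ($runAsPpl -eq 1) `
        'Stops user-mode tools, even elevated ones, from opening LSASS memory. Needs a reboot.'
    New-Check 'WDigest plaintext caching off (UseLogonCredential=0)' $wdigest ($wdigest -eq 0) `
        'Off by default on 8.1; set 0 explicitly, because attackers set it to 1 to bring plaintext back.'
    New-Check 'Local accounts denied network logon (S-1-5-113)' ($deny -join ',') ($deny -contains 'S-1-5-113') `
        'New well-known SID for every local account; S-1-5-114 covers only local administrators.'
    New-Check 'Restricted Admin RDP accepted (DisableRestrictedAdmin=0)' $rdpRa ($rdpRa -eq 0) `
        'Keeps the admin''s credentials off this host, but it then also accepts RDP logons made with a hash.'
}

function Set-PthMitigations {
    Set-ItemProperty -Path $Lsa     -Name 'RunAsPPL'           -Value 1 -Type DWord
    Set-ItemProperty -Path $WDigest -Name 'UseLogonCredential' -Value 0 -Type DWord

    # Merge S-1-5-113 into the existing deny list: secedit replaces the whole assignment, it does not append
    $entries = @(Get-DenyNetworkLogonSids) + 'S-1-5-113' | Select-Object -Unique |
               ForEach-Object { if ($_ -like 'S-1-*') { "*$_" } else { $_ } }
    $inf = Join-Path $env:TEMP 'deny-local-network.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $($entries -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'deny-local-network.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf -ErrorAction SilentlyContinue
}

function Add-ProtectedUser([string]$SamAccountName) {
    # Domain side. The group exists once the PDC emulator runs Windows Server 2012 R2. Members lose NTLM,
    # RC4/DES Kerberos, delegation and cached logons and get 4-hour TGTs, so add interactive admin
    # accounts only, never service or computer accounts.
    Import-Module ActiveDirectory -ErrorAction Stop
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

Test-PthMitigations | Format-Table -AutoSize -Wrap
# Set-PthMitigations              # then reboot so RunAsPPL takes effect
# Add-ProtectedUser 'da-jsmith'   # hypothetical admin account name
```

Two design choices are worth noting. The WDigest check demands an explicit 0 even though Windows 8.1 defaults to off, because the value is the first thing an attacker with admin rights flips to get plaintext passwords back into LSASS, and an explicit setting is easier to monitor for drift. The Restricted Admin row is reported as a pass when the mode is enabled, but read its note before rolling it out fleet-wide: it is a trade between protecting the administrator's credentials and opening one more place where a stolen hash is accepted.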