The NT hash, on the other hand, is a good cryptographic hash and has proven resistant to cracking when lengthy and/or complex passwords are used. Unix, Linux, and BSD systems have similar password hash issues, where the early hashes are no longer considered secure, and the new hashes, including SHA-512 and Bcrypt, are recommended in order to protect against cracking.
Although a password used to be considered secure when it was at least eight characters long, today's best public authorities such as NIST suggest 12-character minimums for regular computers. Password-cracking speeds advance every year, though, so even a 12-character password is sure to be too short in the near future.
Intercepting the pass
Most researchers, myself included, have determined that pass-the-hash attacks aren't a problem so much as a symptom of the higher risk: the fact that an attacker is able to secure highly privileged access to the hashes in the first place. After all, once attackers have admin or root access, what can't they do? In an Active Directory network, an attacker has to be an administrator on a domain controller in order to get most of the users' hashes, which means, in most cases, the attacker has effectively become a domain administrator. Pass-the-hash attacks are just one of your problems.
Adam Arndt, my good friend and colleague, has refused to fall into the indefensible trap. Along with dozens of other researchers concerned about the same problem, he has spent months studying it. I don't know anyone who has thought harder about it or fought harder to offer deployable defenses.
Adam's biggest recommendation is to prevent or minimize domain admins logging on to computers other than domain controllers and performing tasks that are not Active Directory management. He makes the case that domain admins should only be logged on to perform tasks that are limited to domain admins. Even then, he opines, those tasks should be performed only on domain controllers. In Active Directory, 95 percent of the tasks normally assigned to domain admins (such as user and computer account management, group policy updates, and so on) can be delegated using the Active Directory Delegation Control wizard to specialized, role-specific groups that are not members of the domain admins group.
For example, by default, domain admins are made members of the local Administrators group on each domain-joined computer, which in turn gives them full control over all resources. Instead, remove the domain admins from the local Administrators group (with appropriate testing, of course) and replace it with a role-specific group that needs full control to manage particular computers. For instance, do your domain admins really require full control over your most important databases and all the sensitive data therein?
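The following script is an added example, not from this book or from Adam Arndt's work, showing one way to carry out that swap on a single domain-joined host: it audits the local Administrators group, reports whether Domain Admins is a member, and only when run with -Remediate adds the role-specific group first and then removes Domain Admins. The domain name CORP and the group name CORP\SQL-Server-Admins are assumptions; substitute your own. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and must run elevated.

```powershell
# Added example (not the book's own code): audit and, optionally, remediate the
# local Administrators group so that Domain Admins is replaced by a role-specific
# group. Domain and group names below are assumptions.
param(
    [string]$DomainNetbios = 'CORP',                  # assumption: your domain's NetBIOS name
    [string]$RoleGroup     = 'CORP\SQL-Server-Admins',# assumption: the group that should administer this host
    [switch]$Remediate                                # without this switch the script only reports
)

$domainAdmins = "$DomainNetbios\Domain Admins"

# Snapshot the current membership of the local Administrators group.
$members = Get-LocalGroupMember -Group 'Administrators'

Write-Host "Local Administrators on $($env:COMPUTERNAME):"
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Domain principals are reported as DOMAIN\Name; -eq is case-insensitive in PowerShell.
$hasDomainAdmins = $members | Where-Object { $_.Name -eq $domainAdmins }
$hasRoleGroup    = $members | Where-Object { $_.Name -eq $RoleGroup }

if (-not $hasDomainAdmins) {
    Write-Host "OK: $domainAdmins is not a local administrator on this host."
}
elseif (-not $Remediate) {
    Write-Warning "$domainAdmins is a local administrator; rerun with -Remediate to replace it with $RoleGroup."
}
else {
    # Add the replacement group first so the host is never left without a
    # domain-managed administrative group.
    if (-not $hasRoleGroup) {
        Add-LocalGroupMember -Group 'Administrators' -Member $RoleGroup
        Write-Host "Added $RoleGroup to local Administrators."
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $domainAdmins
    Write-Host "Removed $domainAdmins from local Administrators."
}
```

Run it without -Remediate across a pilot set of machines first, which is the "appropriate testing" the text calls for; the add-then-remove order means a failure midway leaves the host with both groups rather than none. For fleet-wide enforcement the same membership is normally set centrally through Group Policy (Restricted Groups or Group Policy Preferences) rather than per host, and a role-specific group such as SQL-Server-Admins should itself be kept out of the Domain Admins group, or the swap achieves nothing.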