Instead, document all tasks the various domain admins perform on a regular basis. Then create role-specific groups and delegate those role-based tasks to the appropriate groups. (Microsoft provides some guidance on these tasks.) Next, remove all the "unneeded" domain admins, isolate the remaining domain admins, and lock them down. Some companies have successfully employed special tools -- CyberArk, Cloakware -- to simplify the tasks of managing and controlling the remaining highly privileged admins.
The idea here is to minimize the number of highly privileged admins and to prevent them from using their credentials to log on to regular workstations, which are more likely to be compromised than better-protected domain controllers. Every interactive logon leaves the account's password hash in LSASS memory on that machine, so a single privileged logon to a compromised workstation hands the attacker a domain-level hash.
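The audit and cleanup described above, as an added PowerShell example (not from the original article): it enumerates the effective membership of Domain Admins, reports every member that is not on an approved break-glass list, and stages the role groups that the day-to-day tasks should be delegated to. It needs the RSAT ActiveDirectory module; the account names, group names and OU path are hypothetical.

```powershell
# Added example: audit Domain Admins and stage role-based groups.
# Assumes the RSAT ActiveDirectory module; all names below are hypothetical.
Import-Module ActiveDirectory

# Highly secured break-glass accounts allowed to stay in Domain Admins (assumed list).
$Approved = @('da-breakglass01', 'da-breakglass02')

# Role groups that take over day-to-day tasks instead of full Domain Admins (assumed names).
$RoleGroups = @{
    'Role-WorkstationAdmins' = 'Local admin on workstations only'
    'Role-ServerAdmins'      = 'Local admin on member servers only'
    'Role-HelpDesk'          = 'Password resets and unlocks for non-privileged users'
}
$RoleOU = 'OU=Role Groups,OU=Admin,DC=corp,DC=example'   # assumed OU

foreach ($name in $RoleGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path $RoleOU -Description $RoleGroups[$name]
    }
}

# -Recursive expands nested groups, which is where forgotten admins usually hide.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user'

$Report = foreach ($m in $Members) {
    $u = Get-ADUser $m.SamAccountName -Properties LastLogonDate, PasswordLastSet
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Keep            = $Approved -contains $u.SamAccountName
        LastLogon       = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
    }
}
$Report | Sort-Object Keep | Format-Table -AutoSize

# Remove unapproved members only after their tasks have been mapped to a role group.
# -WhatIf keeps this a dry run; drop it once the report has been reviewed and the
# affected admins have been added to the right Role-* group.
$Report | Where-Object { -not $_.Keep } | ForEach-Object {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $_.Account -Confirm:$false -WhatIf
}
```

Run the report first and keep it: the LastLogon and PasswordLastSet columns usually show that a good share of the "needed" domain admins have not logged on in months, which makes the removal conversation much shorter.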
These recommendations are neither unrealistic nor impractical: I've worked with many companies that have adopted them and are working well operationally, with much less risk than before.
Other measures to thwart pass-the-hash attacks include requiring a reboot of any computer where a highly privileged user has logged on. Rebooting ends the logon sessions and clears the hashes that LSASS holds in memory, which an attacker with admin rights on that machine could otherwise dump.
Server and domain isolation (IPsec authentication of every connection between domain members, so that unauthenticated hosts cannot talk to protected machines at all) is an excellent technique for minimizing the spread of pass-the-hash attacks. Not only can it prevent attackers from reaching most of your computers and servers, but the attacker's blocked connection attempts will also trip your other defense-in-depth controls, such as IDS and firewalls.
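What domain and server isolation looks like on a member server, as an added PowerShell example (not the article's own code): inbound traffic must be protected by IPsec with Kerberos computer authentication, and SMB is additionally restricted to computers in one group. It uses the NetSecurity module (Windows 8 / Server 2012 and later) and the ActiveDirectory module; rule names and the group name are hypothetical, and in practice the same settings are deployed through Group Policy rather than run by hand.

```powershell
# Added example: domain isolation with Windows Firewall / IPsec (NetSecurity module).
# Rule names and the group name below are hypothetical.
Import-Module ActiveDirectory

# Phase 1: authenticate the peer *computer* with Kerberos, so only domain-joined
# machines can complete a connection at all.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation - Computer Kerberos' `
    -Proposal $machineAuth

# Phase 2: also authenticate the *user*, which lets firewall rules match -RemoteUser later.
$userAuth = New-NetIPsecPhase2AuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'Domain Isolation - User Kerberos' `
    -Proposal $userAuth

# Domain isolation: require IPsec on all inbound traffic (unauthenticated hosts are
# simply dropped), but only request it outbound so the server can still reach legacy
# devices that cannot do IPsec.
New-NetIPsecRule -DisplayName 'Domain Isolation - Require Inbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name

# Keep ICMP reachable for troubleshooting; add DC/DNS/DHCP exemptions the same way.
New-NetIPsecRule -DisplayName 'Domain Isolation - ICMP exempt' -Protocol ICMPv4 `
    -InboundSecurity None -OutboundSecurity None

# Server isolation on top: SMB (445/tcp) only from computers that are members of an
# assumed group. The firewall takes the group as an SDDL string built from its SID.
$groupSid = (Get-ADGroup 'Tier1-ServerAdminWorkstations').SID.Value
$allowedMachines = "D:(A;;CC;;;$groupSid)"
New-NetFirewallRule -DisplayName 'SMB only from authorized computers' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Allow -Authentication Required `
    -RemoteMachine $allowedMachines
```

A workstation that is not domain-joined, or whose IPsec negotiation fails, never gets a TCP connection to the server; the failed negotiations and the dropped packets are exactly what your IDS and firewall logs then pick up.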
Additionally, it makes sense to use antimalware scanning to look for known pass-the-hash tools. If you find any in your environment, investigate immediately. All of this advice supplements the defenses you should already have in place to keep attackers from gaining privileged access to your systems in the first place.
These recommendations boil down to nothing more than putting the principle of least privilege into practice. Doing so improves your security posture far beyond mitigating pass-the-hash attacks.
This story, "Intercepting pass-the-hash attacks," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.