Using built-in Active Directory or third-party tools, assign each admin only the limited elevated permissions and privileges necessary to perform the tasks of their job. Using delegation tools, you'll find dozens (if not hundreds) of individual tasks and rights that can be assigned to each admin. Instead of giving the admin all possible abilities, you give them a limited subset. That way, if an attacker compromises a particular admin's account, it is far less likely that the attacker can then dump the password hash authentication database.
Second, use noninteractive, remote management tools whenever possible. If PTH attackers aren't dumping password hash databases, they are trying to dump password hashes from interactive logons -- that is, some PTH tools allow attackers to get the hash of currently logged-on interactive users. Most remote management tools don't log on interactively. Instead of using RDP, Terminal Services, VNC, or some other type of GUI-based interactive logon tool, opt for a remote console or script instead.
For example, use the Windows PowerShell console or the Microsoft Management Console (MMC). MMC allows you to change the focus of the console tool to a remote computer instead of the local one. As long as you're not logged on interactively, there will not be password hashes in memory for the attacker to dump. Remote tools and scripts are normally easier and more efficient in the long run.
Lastly, if you have to use elevated domain accounts and interactive logons, minimize their access and exercise them in a secure manner. Here are some suggestions:
- Always use elevated accounts from supersecure jump boxes. These jump boxes should be highly secured and be used for domain admin tasks only. They cannot connect to the Internet, pick up email, or be used as anything but jump boxes for elevated tasks.
- Using network access control, limit the computers that can connect to the jump boxes, and limit the ports that can be bound into and out of the jump box.
- When logging on interactively to administrate a computer, always log off (and consider rebooting if possible) to make sure the interactive session is killed and the password hash does not remain in memory to be stolen.
- Consider using easily reset VMs as your jump boxes, so they can be reset to clear out memory after each session.
- Consider using a highly secure domain or forest from which to administrate other domains and forests, with a one-way share, to minimize an attacker's ability to compromise the domain admin accounts. This concept is known as an "empty forest root" domain. They used to be frequently recommended, but lost favor because of the increase in admin overhead. If you're worried about PTH attacks, this is one way to reduce risk.
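The jump-box and log-off advice above can be audited rather than just hoped for. The following PowerShell script is an added example, not code from the original article: it reads successful-logon events (4624) from a server and flags interactive logons (type 2, local console; type 10, RDP) by privileged accounts that did not come from an approved jump box, since each such session leaves credential material in memory on that server. The account names and jump-box addresses are constructed placeholders.

```powershell
# Added example (not from the original article). Flags interactive logons by
# privileged accounts that did not originate from an approved jump box.
# Assumptions (constructed placeholders, adjust for your environment):
$PrivilegedAccounts = @('da-admin', 'svc-backup')   # sample privileged account names
$JumpBoxAddresses   = @('10.10.0.5', '10.10.0.6')   # sample approved jump-box IPs
$InteractiveTypes   = @('2', '10')                  # 2 = Interactive (console), 10 = RemoteInteractive (RDP)

function Get-RiskyInteractiveLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Event ID 4624 = successful logon. Reading the Security log needs
    # local admin or Event Log Readers rights on the target computer.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($InteractiveTypes -notcontains $data['LogonType']) { continue }        # not interactive: no hash in memory
        if ($PrivilegedAccounts -notcontains $data['TargetUserName']) { continue } # not a privileged account
        if ($JumpBoxAddresses -contains $data['IpAddress']) { continue }           # came from an approved jump box

        # A console logon (type 2) shows IpAddress '-' or '127.0.0.1' and is
        # flagged too, because it did not come through a jump box either.
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $ComputerName
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Run against each server the privileged accounts are allowed to touch.
Get-RiskyInteractiveLogons -ComputerName 'SRV01' | Format-Table -AutoSize
```

Any row this returns is either a policy violation to chase down or, if the source address is unfamiliar, an early sign that a privileged account is being used from somewhere it should not be.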
One other bit of advice: I've been a big believer in scattered honeypots to give early warning of new attackers roving around in our environments.
Many of my colleagues are using these suggestions to help their customers today, and their overall success is directly correlated with how capable clients are in implementing the suggestions.
When a successful PTH attack has taken hold in your company, you have a bigger problem to solve. If you can't keep the attackers from becoming administrators, it will always be game over. But security is not binary -- it's a continuum, and you now have a workable defensive strategy to mitigate the threat.
This story, "Defeat dreaded pass-the-hash attacks," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.