Many of my smart coworkers and I are becoming even bigger proponents of getting rid of all superadmins or leaving, at most, only one. In Microsoft Active Directory (I'm a full-time Microsoft employee), you can use "delegation" to give admins just the rights they need without giving them superadmin privileges such as Domain Admins or Enterprise Admins membership. No single domain or enterprise admin I've seen needed to do all the tasks those superaccounts allow. Instead, use delegation and hand out just the permissions and privileges necessary for the tasks those individuals actually perform, scoped to the OUs and object types they work on. If their hashes are stolen, the attacker doesn't end up holding a superadmin account, only the narrow set of rights that account was delegated.
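As a worked example of the delegation just described (added here, not code from the article or from Microsoft), the following PowerShell grants a helpdesk group the right to reset passwords, unlock accounts and force a password change on user objects under one OU, and nothing else. The domain name, OU and group name are assumptions; the schema and extended-right GUIDs are the fixed, well-known values every AD forest uses. It needs the RSAT ActiveDirectory module and has to be run once by someone with rights on the OU; afterwards the helpdesk group needs no membership in any admin group.

```powershell
# Added example: delegate password reset / unlock on one OU to a helpdesk group.
# Assumed names (not from the article): OU "Staff" in contoso.local, group "Helpdesk-PwReset".
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=contoso,DC=local'
$group = Get-ADGroup -Identity 'Helpdesk-PwReset'
$sid   = $group.SID   # SecurityIdentifier of the delegate

# Well-known GUIDs (identical in every forest)
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute: lockoutTime (unlock)
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet (force change)

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
# "Descendents" is the (misspelled) enum member name in .NET: apply to child objects only
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ou"

# 1. Reset Password extended right, on user objects beneath the OU only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPassword, $descendants, $userClass)))

# 2. Read + write on exactly two attributes, so they can unlock and force a change
foreach ($attr in @($lockoutTime, $pwdLastSet)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $attr, $descendants, $userClass)))
}

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only the ACEs that name the helpdesk group. There should be three,
# every one of them limited to InheritedObjectType = user class.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like '*\Helpdesk-PwReset' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The same pattern (a specific right, a specific attribute or extended-right GUID, a specific inherited object class) is how you delegate any other task: the thing to avoid is GenericAll or "Full control" on the OU, which is a superadmin account by another name.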
A number of my clients are resorting to ultrafrequent password changes or one-time passwords. If attackers get the hash, the window in which it remains usable is short, because the hash changes with the password. There are lots of vendor tools that will assist with both of these efforts. Also, minimize password reuse, particularly the same local administrator password on many machines, so that the theft of one password hash doesn't lead to other security domains falling.
Try to run the latest operating systems. They ship with defenses, enabled by default, that earlier versions lack. Vista, Windows 7, and Windows Server 2008 (and later versions), for example, support AES encryption types for Kerberos; the AES keys are derived from the password with a salt (the realm and user name), so they are not the NT hash and cannot be reused the way an NT hash can. Be aware that the NT hash is still stored and still used whenever NTLM authentication happens, so AES Kerberos narrows the problem rather than removing it. While PTH attackers could ultimately use the AES keys instead, they don't look for them right now, and none of the publicly available PTH tools work with them. That has since changed: tools that steal the AES keys from memory and use them to request Kerberos tickets (often called pass-the-key or overpass-the-hash) now exist, so treat the newer OS as raising the bar, not as a barrier. Remember security is not binary. Everything you do decreases the risk of PTH attacks.
Another important suggestion: Admins should always perform admin tasks from ultrasecure, trusted computers. You shouldn't undertake admin duties from boxes that are exposed to the Internet every day through Web browsing, picking up email, and visiting social networking sites. Instead, create "jump" boxes for use, whenever possible, when an admin task needs to be addressed. These jump boxes will be less likely (hopefully) to be compromised, thus protecting the superadmin hashes. When the admins are on the jump boxes, they should use noninteractive remote tools to administer the other boxes: tools that produce a network logon on the target (PowerShell remoting/WinRM, MMC consoles pointed at a remote machine, net use and similar) rather than an interactive logon (console or RDP). That way, the admin's hashes are not copied into the other computer's memory, where anything already running there could harvest them. If an admin has to log on interactively to an untrusted computer, make sure the computer is rebooted as the admin logs out; logging off alone does not reliably clear the cached credential material.
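To make the jump-box rule concrete, here is an added PowerShell example (mine, not the article's) that does an admin task over a network logon and then checks the target's Security log for what logon types that admin account has produced. The computer name, account name and the assumption that WinRM is enabled on the target are hypothetical; event 4624's property positions are the documented ones.

```powershell
# Added example: admin from a jump box via a network logon, then audit logon types on the target.
# Assumptions (not from the article): target SRV01 is domain-joined with PowerShell remoting
# enabled, the admin account is CONTOSO\srv-admin, and this runs from the jump box.
$target = 'SRV01'
$admin  = 'srv-admin'   # TargetUserName as it appears in event 4624

# PowerShell remoting with default (Kerberos) authentication is a network logon (type 3):
# a service ticket is presented to SRV01; the password hash / key is not placed in its LSASS,
# as it would be for an RDP (type 10) or console (type 2) logon. Avoid -Authentication CredSSP,
# which does forward the full credential to the target.
Invoke-Command -ComputerName $target -ScriptBlock {
    # the actual admin work, executed on SRV01
    Restart-Service -Name Spooler -PassThru
}

# Audit: every 4624 for this account in the last day, grouped by logon type.
$since  = (Get-Date).AddDays(-1)
$logons = Invoke-Command -ComputerName $target -ArgumentList $admin, $since -ScriptBlock {
    param($user, $since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        Where-Object { $_.Properties[5].Value -eq $user } |      # [5] = TargetUserName
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = [int]$_.Properties[8].Value         # [8] = LogonType
                Source    = $_.Properties[18].Value             # [18] = IpAddress
            }
        }
}

$logons | Group-Object -Property LogonType | Select-Object Name, Count

# 2 = console, 7 = unlock, 10 = RDP, 11 = cached interactive: all leave reusable credential
# material in memory on the target. If any are present, the box should be rebooted before it is
# trusted again (and the admin should not be doing that from an untrusted host in the first place).
$exposed = $logons | Where-Object { $_.LogonType -in 2, 7, 10, 11 }
if ($exposed) {
    Write-Warning "$target has seen interactive logons for $admin; reboot it:"
    $exposed | Sort-Object Time | Format-Table -AutoSize
}
```

The check is worth scheduling on every server that holds sensitive accounts: a type 10 logon by a domain admin on a member server is exactly the event that turns one compromised box into a compromised forest.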
Some companies go so far as to have "jump" domains (or forests) for admin use only. They implement one-way, selective trusts, so that the production domain trusts the admin domain but not the reverse, and only the specific admin principals granted "Allowed to Authenticate" on specific computers can log on across the trust. That minimizes what authentication information is passed between the trusted and untrusted domains and keeps a compromise of the production domain from reaching the admin accounts.
Consider using IPsec or AuthIP (Windows' authenticated-IP variant of IKE) to restrict logons between particular computers. A connection security rule that requires computer authentication before the admin ports are reachable means a stolen hash can only be replayed from the machines allowed to talk to the target, not from any box the attacker happens to control. Lastly, remember to run antimalware scanning tools that detect PTH tools. Finding one of those lying around your network marks the start of a busy workday.
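As an added example of the IPsec restriction (not from the article), the following PowerShell, run on a member server, requires Kerberos computer authentication for inbound RDP, WinRM and SMB and then allows those ports only from computers in a "JumpBoxes" AD group. The group name and port list are assumptions; the cmdlets are the built-in NetSecurity module ones (Windows Server 2012 / Windows 8 and later).

```powershell
# Added example: only authenticated jump boxes may reach admin ports on this server.
# Assumptions (not from the article): AD group "JumpBoxes" holds the jump-box computer accounts,
# and the admin ports of interest are RDP (3389), WinRM (5985/5986) and SMB (445).
Import-Module NetSecurity
$adminPorts = 3389, 5985, 5986, 445

# 1. Phase-1 authentication: the peer must prove its computer identity with Kerberos.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $proposal

# 2. Connection security rule: inbound traffic to the admin ports must be IPsec-protected
#    (unauthenticated packets are dropped before they reach the service), outbound is unchanged.
New-NetIPsecRule -DisplayName 'Require IPsec for admin ports' `
    -InboundSecurity Require -OutboundSecurity None `
    -Protocol TCP -LocalPort $adminPorts `
    -Phase1AuthSet $authSet.Name

# 3. Firewall rule tied to that authentication: allow the ports only from JumpBoxes members.
#    -RemoteMachine takes an SDDL string naming the authorized computer SIDs.
$jumpSid = (Get-ADGroup -Identity 'JumpBoxes').SID.Value   # needs the ActiveDirectory module
$sddl    = "O:LSD:(A;;CC;;;$jumpSid)"
New-NetFirewallRule -DisplayName 'Admin ports only from jump boxes' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $adminPorts `
    -Authentication Required -RemoteMachine $sddl

# 4. Any pre-existing plain allow rules for the same ports would still admit unauthenticated
#    peers: list them so they can be disabled.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort | Where-Object { $_ -in $adminPorts }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Enabled
```

The jump boxes need a matching connection security rule (outbound "Request" is enough) so the negotiation succeeds, and the rules are best pushed by Group Policy rather than typed per server. Note that this does not stop a stolen hash from being used; it stops it from being used from anywhere except the machines you have already decided to trust.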
I hope I've shared a few new ways that you can implement to decrease the risk of PTH attacks. Send me your suggestions if you have something that has worked for you.
This story, "Stop pass-the-hash attacks before they begin," was originally published at InfoWorld.com, where Roger Grimes writes the Security Adviser blog.