Many attacks simply need authenticated access to succeed. An attacker can get that by using a computer or service account, and either of those may belong to one or more elevated groups.
To answer my customer's original threat modeling question, you must treat a computer account just like any other user account -- with one big caveat. Fortunately, so far I haven't seen attackers using computer accounts in the wild, even though multiple PtH attack tools readily use them. This is good. It's usually because, in general, computer accounts do not belong to highly privileged groups. PtH attackers concentrate on user and service accounts because they are more likely to belong to groups that will get them what they need. Until those attacks start getting harder to accomplish, you probably don't have to worry as much about computer accounts.
Defending computer accounts against PtH attacks
Now that we've talked about the risk, what can you do?
First, be aware that bad guys can use computer accounts to attack, even though user and service accounts are their first choices.
Second, if you have to change all passwords after a successful attack, you may also need to change your computer account passwords. Personally, I'd want to see evidence that the bad guys used computer accounts before I changed them, because changing them is an operational nightmare. You will absolutely have logon and password synchronization issues for each one that you change. It's not pretty.
Some customers ask me if shortening the default 30-day computer account password change window helps. The answer: Yes and no. Enabling more frequent password changes does decrease risk. It means that if a bad guy succeeds in capturing your machine password hashes, they're useful for a shorter period of time. Experiment and implement with caution. Again, personally, I would go down this route only if I knew an attacker was using computer account hashes or if I ran out of other troubleshooting options.
Third, don't forget that other built-in accounts, like krbtgt, have been successfully used by attackers in the past. Again, if I suspect they have been used, I'll change their passwords/hashes.
Make sure to frequently change service account passwords. Consider using a third-party tool or Windows' own built-in service account password-changing service. Huh, you say? Windows has the ability to change service account passwords? Since when? Since Windows Vista and Windows Server 2008. Microsoft offers two types of built-in service accounts: virtual service accounts and managed service accounts. In Windows 8 and Windows Server 2012, they added a third option called group managed service accounts.
The password-changing function can be used only in particular service account scenarios. But if enabled, Windows or Active Directory takes over the creation and changing of the very long and complex passwords. When using virtual or (group) managed service accounts, the passwords are changed every time the hosting computer account's password is changed (every 30 days by default). As discussed above, you can shorten this interval if you want.
When taking advantage of the new anti-PtH methods in Windows Server 2012 R2, make sure to apply them to any at-risk service or computer accounts.
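An added audit script (my example, not code from the column) for two points above: computer accounts that have ended up in elevated groups, and machine-account passwords older than the 30-day change window. It assumes the RSAT ActiveDirectory module in a domain-joined admin session, and the group list and threshold are assumptions to adjust for your domain.

```powershell
# Added example, not from the original column. Reports, rather than changes,
# so it avoids the logon/synchronization problems bulk resets cause.
# Assumes the RSAT ActiveDirectory module; $PrivilegedGroups and
# $MaxPasswordAgeDays are assumptions to adjust for your environment.
Import-Module ActiveDirectory

$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                        'Schema Admins', 'Account Operators')
$MaxPasswordAgeDays = 30   # default machine-account change window discussed above

function Get-PrivilegedComputerAccounts {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a computer nested two levels
        # below Domain Admins is still reported.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Computer = $_.SamAccountName }
            }
    }
}

function Get-StaleComputerPasswords {
    param([int]$MaxAgeDays = $MaxPasswordAgeDays)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # Enabled computers whose last password change is older than the window;
    # these are the hashes a captured PtH credential would stay valid for longest.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet,
            @{ n = 'AgeDays'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }
}

Get-PrivilegedComputerAccounts | Format-Table -AutoSize
Get-StaleComputerPasswords | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Any computer listed by the first function deserves the same scrutiny you would give a user account in that group; the second list is where a shortened change window, if you choose to experiment with one, would have the most effect.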
I don't want everyone to start making massive changes to their computer accounts or worrying too much over malicious hackers using those accounts for mischief. But simply knowing that it's a possibility can help make you the smart person in the room when the topic comes up.
This story, "Where pass-the-hash attacks could be hiding," was originally published at InfoWorld.com in Roger Grimes' Security Adviser blog.