These days when I'm consulting with big businesses, governments, and other organizations, two main topics come up over and over: pass-the-hash attacks and hacktivism. One government client put it thusly: "Our department considers pass-the-hash attacks our No. 1 threat, above all other computer threats." A lot of things are broken in the security world, so to pick out one and call it the greatest threat is saying something, especially since the customer has what most readers would consider nearly unlimited funds, a multitude of competing vendor partners, senior management support, and a horde of experts with whom to discuss the problem.
Defending against pass-the-hash atttacks
The reason pass-the-hash attacks are so feared is that once the password hashes have been obtained, the attackers can move around the compromised environment with ease. Hashes can be used to access any protected resource within the same forest. Worse, if a domain admin has logged on to a computer, a local attacker with Administrator credentials can harvest the domain admin authentication hashes right out of memory.
I think it is the latter attack, the ability for an attacker to elevate themselves to domain administrator -- just because a domain admin had logged on to a box -- that scares defenders the most. Essentially, the trustworthiness of your domain admin credentials are now an exponential factor of every computer they have ever been used on.
How to fix it? The best way is to not have any domain admins. Even if attackers compromise elevated accounts, their access is less than elevated domain admin. And if they add themselves to the domain admins group, an alert will be generated quickly because your monitoring software will know that should be an empty group. Here are other actions you can take:
- Never log on to a normal end-user workstation as a domain administrator. Limit your domain administrator logons to domain controllers or special file servers. By never logging onto regular workstations, you significantly reduce risk.
- If you have to log on using domain admin (or other elevated credentials), always do so from a trusted computer. These are known as "jump" boxes. These jump boxes can be unique per user, virtual machined, and flashed cleaned after every use. The idea is to always log on to boxes that you know are clean.
- Do as many administration tasks and fixes as possible using remote console tools, which are less likely to leave password credentials in memory on the remote computers. Most pass-the-hash attacks take interactive log-ons (unfortunately Remote Desktop and Terminal Services are interactive log-ons), so the less of them you do, the better.
- If you have to interactively log on to a computer, after you are through, reboot the computer (if possible). Rebooting removes the credential temporarily stored in memory.
- Frequently update elevated account passwords. I have many clients who change passwords after every use, often with the help of third-party software. That way, if an attacker grabs the credentials out of memory, so what? They aren't any good anymore.
The No. 1 way to prevent pass-the-hash attacks is to keep the bad guy from getting domain admin or local admin in the first place. After doing your best to achieve that, see how far you can get using the other recommendations above.