Currently, there’s a lot of talk about “pass-the-hash” (PtH) attacks.
PtH attacks do not rely on a bug in the Windows LAN Manager (LM) and NT LAN Manager (NTLM) authentication protocols so much as on their design: the client proves possession of the password hash, not the password, so an attacker who harvests a user's hash from one machine can present it to authenticate as that user anywhere NTLM is accepted. Any Windows system that still accepts NTLM is therefore exposed, and the attacks are very difficult to defend against because it only takes one misconfigured computer, or a computer missing a single security patch in a Windows domain, for an attacker to find a way in.
Unfortunately there are countless exploits in Windows, and in applications running on Windows, that an attacker can use to elevate their privileges to local administrator or SYSTEM and carry out the hash harvesting on which the attack depends.
Equally unfortunate is the fact that there is no single PtH patch, piece of software, hardware or magic wand that will protect a network against these attacks and vulnerabilities. To use a metaphor, you need the multiple defences of a castle: a moat, high thick walls, lookouts, spies and good soldiers.
In technology terms we call this defence in depth, or multiple layers of security. Firewalls, intrusion prevention systems, 802.1X, smartcard or two-factor authentication, IPsec, anti-virus software, full-disk encryption, reducing the number of people with elevated privileges and proactive security patching all help to deter, detect and evict intruders and to protect the corporate network from these attacks.
However, it is impossible to fully protect a network from this or any other type of attack. Therefore, if organisations want 100 per cent protection, the best thing to do is disconnect from the internet and not allow employees to take their laptops out of the office!
There are a number of basic things that can be done to better protect a network, and there are also software solutions that can help. In addition, Microsoft has published a number of documents about pass-the-hash that are worth reading, including: Pass-the-Hash and Other Credential Theft and New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks.
A few of the most basic things you can do to protect your network are:
- Never include your normal work account in a privileged group. If you need to do something that requires elevated domain privileges, log off and then log on with your administrative account. This keeps your everyday work and your privileged duties segregated, so if you are subjected to phishing or some other compromise it is more likely to happen on your non-privileged work account.
- Use a different, more secure machine for privileged domain operations. Make sure it is running the latest OS with all appropriate patches, apply stricter and stronger security policies to it, and connect it to your network via an Ethernet cable rather than Wi-Fi.
- Always use a password of 15 characters or more for your privileged accounts. The LM hash is far weaker than the NT hash, and Windows cannot store an LM hash for a password longer than 14 characters, so a 15-character password guarantees that none is kept. Be aware that this only removes the weak hash an attacker could crack offline: the NT hash is still stored for a password of any length, and it is the NT hash that a pass-the-hash attack replays, so length alone does not stop PtH. A longer password is nonetheless good practice for a privileged account. Change it frequently and make sure you have implemented the Windows "NoLMHash" Group Policy setting (Network security: Do not store LAN Manager hash value on next password change). For more information, visit: http://support.microsoft.com/kb/299656
- Email is another route frequently used by attackers. It is therefore essential to ensure that your administrative accounts have no Exchange mailbox or other email access.
- Ensure that the built-in local Guest and Administrator accounts are disabled. Where a local Administrator account must remain enabled, give it a unique password on every machine, so that one harvested hash does not open all of them.
- Finally, use a software solution that helps protect sensitive administrative credentials, including those for Windows. It is important to choose a solution that automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties, and that can disable privileged accounts when they are not in use by an authorised individual.
Like most things related to security, there is a trade-off between convenience and peace of mind. The Microsoft website has extensive information on protecting yourself from pass-the-hash attacks.
Jackson Shaw is senior director of product management for identity and access management at Dell Software