Pass the Hash (PTH) is one of the most potent exploits in the hacker arsenal for gaining system administrator privilege and compromising an entire enterprise network. Why? Because PTH can be successful simply by compromising a single machine.
PTH works by extracting credential information from the computer’s memory. Any credential present on the computer is vulnerable to the attack. Once the attacker locates a credential with sufficiently high privilege on the network, the attacker uses it to hop from system to system, installing rootkits and backdoors, compromising additional accounts, and exfiltrating sensitive business data such as trade secrets, pricing, etc.
In this way, the enterprise network environment is only as strong as its weakest link. Consider an unpatched system. Has a user ever logged on from that system to SharePoint or to the network file server? Then that system makes a juicy target. Even juicier is if a network administrator ever logged onto that system, for example, to install a previous patch or to set up the computer in the first place. Thereafter, by default, that administrator credential (password hash) is sitting on that unpatched system waiting for a hacker to come get it.
The good news is that it is possible to mitigate the risk of PTH. How? By hardening your environment.
First, require multifactor authentication (MFA) for all users, particularly system administrators (such as the various Active Directory administrator roles). Unfortunately, MFA is not a panacea, since for compatibility reasons MFA solutions can result in short-term credential information that is still exportable. However, static passwords are totally insecure in any context, and MFA does raise the bar, especially when deployed in tandem with the rest of these mitigations.
Second, to protect network administrator accounts specifically, consider using one of the commercial privileged account management solutions. These solutions help mitigate PTH risk by randomizing the administrator account password each time it’s used. That way, a stolen hash is only useful for a short period of time. Don’t forget to enforce MFA for access to the privileged account management solution. Otherwise, it’s doing you no good.
Third, further lock down your administrative environment by disallowing network admin logons wherever possible. For example, domain administrators should only be logging into Domain Controllers (DCs), and only for administrative scenarios that require that level of access. Also, users should not have local administrator access to their computers.
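As an added illustration of this third point (example code, not from the original post), the following Python audit flags domain-administrator logons that leave a cached credential on any machine other than a Domain Controller. The event records, account names and host names are constructed assumptions, not real telemetry.

```python
"""Audit Windows logon events (ID 4624) for domain-admin logons outside the DCs.

Constructed sample events, not real telemetry. The account names, host names
and the set of tier-0 admins below are assumptions for illustration.
"""
from collections import Counter

# Assumed policy: these accounts may only log on interactively to these hosts.
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# 4624 logon types that leave reusable credential material on the target host
# (not exhaustive): 2 = Interactive, 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive. Type 3 (Network, e.g. SMB) does not cache a hash there.
CACHING_LOGON_TYPES = {2, 10, 11}

# Constructed 4624-style records: (target host, account, logon type, auth package)
SAMPLE_EVENTS = [
    ("DC01",   "CORP\\da-alice", 2,  "Kerberos"),  # allowed: DA on a DC
    ("WS-042", "CORP\\da-bob",   10, "Kerberos"),  # violation: DA RDP to a workstation
    ("FS01",   "CORP\\da-alice", 3,  "NTLM"),      # network logon, nothing cached
    ("WS-042", "CORP\\jsmith",   2,  "Kerberos"),  # ordinary user, out of scope
    ("WS-077", "CORP\\da-bob",   2,  "NTLM"),      # violation: DA console logon
]


def find_exposed_admin_logons(events):
    """Return (host, account, logon_type) for every domain-admin logon that
    caches a credential on a host that is not a domain controller."""
    findings = []
    for host, account, logon_type, _pkg in events:
        if account not in DOMAIN_ADMINS:
            continue
        if logon_type not in CACHING_LOGON_TYPES:
            continue
        if host.upper() in DOMAIN_CONTROLLERS:
            continue
        findings.append((host, account, logon_type))
    return findings


def hosts_by_exposure(events):
    """Count, per non-DC host, how many distinct admin credentials it holds;
    hosts with the highest count should be cleaned up and re-tiered first."""
    seen = {(h, a) for h, a, _ in find_exposed_admin_logons(events)}
    return Counter(h for h, _ in seen)


if __name__ == "__main__":
    for host, account, logon_type in find_exposed_admin_logons(SAMPLE_EVENTS):
        print(f"{account} logged on to {host} (type {logon_type}); hash now cached there")
    print(hosts_by_exposure(SAMPLE_EVENTS))
```

On a real estate the records would come from the Security log of each host (or the SIEM), and the admin and DC sets from Active Directory group membership.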
Fourth, lock down your endpoints. For mobile devices, use JW Secure StrongNet to keep out rootkits, enforce disk encryption, and keep unknown devices off the network. For all computers, including servers and workstations, define their workloads and use Security Compliance Manager to create and deploy security baselines. Also, see Patch Management on Business-Critical Servers for our research on how to increase security and decrease server downtime.
Finally, conduct regular threat assessments of your network infrastructure and security posture. This should be done yearly since business needs and software configurations change over time.
Additional references: