Windows, Windows Server safer from pass-the-hash attacks

Score one for security admins -- if they follow other best practices, too

Last Patch Tuesday, Microsoft released security updates that brought some of the pass-the-hash (PtH) mitigations introduced in Windows Server 2012 R2 and Windows 8.1 to Windows Server 2008 R2 and Windows 7. This is great news for computer admins fighting the good fight against credential thieves.

Before we cover those mitigations — and other techniques to frustrate hackers — let’s review how credential theft normally occurs:

1. Bad guy gains admin access to one network computer
2. Bad guy obtains the passwords (or Kerberos tickets) or password hashes to all the accounts on the local computer, including the local Administrator
3. Bad guy uses the local Administrator credentials to move to other computers sharing the same logon name and password, or simply uses the local user’s credentials, if they belong to a privileged domain group (such as Domain Admins or Enterprise Admins)
4. Bad guy obtains password hashes from a domain controller
5. Bad guy owns the network and takes data at will

This scenario is repeated thousands of times each day and has occurred multiple times in most companies. Though many companies consider credential theft attacks their No. 1 problem, I slightly disagree; I think preventing the initial compromise and preventing the bad guy from obtaining elevated credentials needs to be the top priority. But those are two sides of the same problem.

A few years ago, there wasn’t a lot of information on how to prevent PtH attacks, and Windows lacked specific mitigations.
Microsoft rose to the occasion and has released three white papers (I’m an author or contributor on all three) that should be must-reads for any Windows or Active Directory administrator:

- Best Practices for Securing Active Directory
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques (version 2.0)
- Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques (version 1.0)

Both version 1.0 of the PtH white paper and “Best Practices for Securing Active Directory” came out before Microsoft had pushed out the new Windows PtH mitigations. Still, they contain useful information you won’t find anywhere else, including recommendations you should definitely follow. In particular, the Active Directory white paper contains the “secrets” to maintaining a very low-risk Active Directory environment. Learn it and you’ll be an AD security expert, too.

In the Windows Server 2012 R2 and Windows 8.1 releases, Microsoft shipped a slew of new features specifically created to stop or minimize PtH attacks, which version 2 of the PtH white paper covers in good detail. Here’s a recap of the new Windows PtH mitigations:

- Strengthened LSASS to prevent hash dumps
- Many processes that once stored credentials in memory no longer do so
- Better methods to restrict local accounts from going over the network
- Programs are prevented from leaving credentials in memory after a user logs out
- Remote Desktop Protocol (RDP) connections are allowed without putting the user’s credentials on the remotely controlled computer
- A new Protected Users group, whose members’ credentials can’t be used in remote PtH attacks
- Several other OS changes that make PtH attacks far more difficult to achieve

Most of these protections are now available in all of Microsoft’s supported operating systems. If your company is worried about PtH attacks, you should implement these mitigations.
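One way to verify that a host actually has several of these mitigations switched on, as an added example that is not code from this column or from Microsoft’s white papers. It assumes an elevated PowerShell 3.0 or later session; the registry values and well-known SIDs are the ones the updated operating systems expose, and the output property names are my own.

```powershell
# Added example (not code from the column): report whether a Windows host has
# several of the PtH mitigations described above turned on. Assumes an elevated
# PowerShell 3.0+ session; output property names are my own choice.
function Get-PtHMitigationStatus {
    $results = @()

    # RDP Restricted Admin mode is on only when DisableRestrictedAdmin exists and is 0.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $raDetail = if ($null -eq $ra) { 'DisableRestrictedAdmin not set' } else { "DisableRestrictedAdmin = $ra" }
    $results += [pscustomobject]@{ Check = 'RDP Restricted Admin mode enabled'; Pass = ($ra -eq 0); Detail = $raDetail }

    # WDigest cleartext caching: UseLogonCredential = 0 keeps the cleartext password out
    # of LSASS. Windows 7/2008 R2 with the update need it set explicitly; 8.1/2012 R2
    # and later are off by default when the value is absent.
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $ulc = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    $offByDefault = $osVersion -ge [version]'6.3'
    $wdPass = ($ulc -eq 0) -or (($null -eq $ulc) -and $offByDefault)
    $wdDetail = if ($null -eq $ulc) { "UseLogonCredential not set (OS $osVersion)" } else { "UseLogonCredential = $ulc" }
    $results += [pscustomobject]@{ Check = 'WDigest credential caching disabled'; Pass = $wdPass; Detail = $wdDetail }

    # Local accounts denied network logon: export the effective local policy and look
    # for the well-known SIDs S-1-5-113 (Local account) and S-1-5-114 (Local account
    # and member of Administrators group) in SeDenyNetworkLogonRight.
    $cfg = Join-Path $env:TEMP 'pth-secpol.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $right = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $rightDetail = if ($right) { $right.Trim() } else { 'SeDenyNetworkLogonRight not assigned' }
    $results += [pscustomobject]@{ Check = 'Local accounts denied network logon'; Pass = [bool]($right -match 'S-1-5-11[34]'); Detail = $rightDetail }

    return $results
}

Get-PtHMitigationStatus | Format-Table -AutoSize
```

A Fail on any row points at the policy or registry setting to correct; the Protected Users group membership is a domain-side check and is not covered here.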
Yes, hackers and malware writers are already working overtime to defeat these defenses, but enabling them can only help you and reduce risk.

But you can take many other measures involving traditional policies, procedures, and controls that don’t require the new features. If done correctly, they can provide even better protection than the mitigations listed above:

- Prevent the bad guy from gaining local admin/domain access in the first place. This involves perfect patching, educating end-users against social engineering, and making sure end-users aren’t logged in with elevated accounts.
- Reduce the number of privileged domain accounts to zero, or as near to zero as you can get. We call this the “zero admin” model. Don’t allow permanent members of any elevated group. Instead use delegation, credential vaulting, or a PIM product.
- Audit, alert, and respond anytime membership in an elevated group changes unexpectedly.
- Require all elevated accounts to use two-factor authentication.
- Require all admins to use highly secure (no Internet access, strict whitelisting control, and great patching), dedicated (per user) “jump boxes” to administer other servers.
- Don’t allow elevated domain accounts to log on to end-user workstations. Instead, they should be logged on using delegation or as a local Administrator.
- Deny elevated local accounts the ability to log on to other computers over the network (use group policy or local policy).
- Make sure all elevated local accounts, like Administrator, use unique passwords, so they can’t as readily be used to launch attacks against other nearby computers.
- Lastly, use remote management tools and methods to log on to remote computers that do not place the credentials in the remote computer’s memory.
Built-in and common Windows methods include:

- RDP with RestrictedAdmin
- Remote Desktop Gateway
- MMC consoles (even when connecting to remote computers)
- Net Use computer commands
- PowerShell WinRM (without CredSSP)
- PsExec (without supplied credentials)
- Methods utilizing Integrated Windows Authentication (IWA)

Any of these methods is preferable to methods that place logon credentials in memory or on disk. To refresh your memory, here are the remote management methods you should avoid:

- Logon at the local console
- RunAs
- RDP without the /restrictedadmin switch
- PowerShell with CredSSP
- PsExec with explicit credentials supplied
- Scheduled tasks
- Tools running as a service
- IIS Basic Authentication

All of them leave logon credentials in memory or on disk. Whenever possible, don’t use them.

If you follow all these recommendations, you’ll significantly reduce risk and vex the most confident hackers, who are accustomed to finding more agreeable conditions. Until we get better at identifying and preventing computer and network compromises, we’ll have to live with the fact that they’re getting in. These recommendations will frustrate and slow them down.

You have your marching orders. Go forth and protect!
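The “audit, alert, and respond” recommendation above needs something that actually watches elevated group membership. The following is an added example, not code from this column: it pulls member-added events for a watched set of groups out of the Security log so they can be reviewed or forwarded to an alerting channel. It assumes account-management auditing is enabled, an elevated session, and a domain controller for the domain group events; the default group list is a placeholder to adjust for your environment.

```powershell
# Added example (not code from the column): list additions to elevated groups from
# the Security log. Assumes account-management auditing is on and the session is
# elevated; 4728/4756 are logged on domain controllers, 4732 on any host for local
# groups. The watched group list is a placeholder for your own environment.
function Get-ElevatedGroupAdditions {
    param(
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # 4728 = member added to a global group, 4732 = to a local group, 4756 = to a universal group.
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData name/value pairs so the fields can be read by name.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($WatchedGroups -notcontains $d['TargetUserName']) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Group     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            MemberSid = $d['MemberSid']
            Member    = $d['MemberName']
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Computer  = $e.MachineName
        }
    }
}

# Review the last day's changes; schedule this and forward any output to your alerting channel.
Get-ElevatedGroupAdditions -Hours 24 | Format-Table -AutoSize
```

Any row whose ChangedBy is not a known, ticketed change is the unexpected membership change the recommendation tells you to respond to.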