Windows 8.1 stops pass-the-hash attacks

Oct 01, 2013 | 5 mins
Data and Information Security | Security

Microsoft has armor-plated Windows 8.1 against the most feared attack on the planet. Here are the nitty-gritty details you need to know

Pass-the-hash (PtH) attacks are among the most feared cyber attacks in the computer world. Many of my largest customers (Fortune 500, government, and so on) have told me it’s their No. 1 worry above all other attack types.

With PtH and other credential theft attacks, a hacker gains admin control over a computer, steals authentication credentials from disk or memory, and uses those credentials to initiate new connections and logons. Most operating systems are vulnerable to PtH attacks, although Microsoft Windows has certainly been the primary target thanks to its pervasiveness in the corporate environment and the availability of PtH tools.


Attackers using PtH attacks completely compromise just about every network they hit. Pretty much every APT (advanced persistent threat) attack team uses them. Every penetration test team uses them. And the tools to accomplish PtH attacks have only gotten better. That’s why the anti-PtH measures built into Windows 8.1 are such a big deal.

Hands off the hash

Before Windows 8.1, the only real mitigations against PtH attacks were:

  • Don’t let hackers get admin control of your box
  • Don’t log on with elevated accounts, especially on computers not directly under your control
  • Restrict the ability of local accounts to be used over the network
  • Restrict what computers can connect to (using firewalls, IPSec, and so on)
  • Force a reboot after logging on with an elevated account

Unfortunately, most of these recommendations were difficult for most enterprises to implement without a lot of new policies, procedures, and elbow grease. On the software side, it’s very difficult for any OS, including Windows, to stop PtH attacks while maintaining the SSO (single sign-on) functionality customers absolutely require. Asking users to re-enter their logons every time they want to connect to a new application, service, or drive share is the quickest way to make your OS obsolete.

To the pleasant surprise of a lot of people, Windows 8.1 includes comprehensive pass-the-hash mitigations. While it doesn’t completely eliminate the threat, it comes pretty darn close. Here’s a summary of the PtH mitigations available in Windows 8.1:

  • Strengthened LSASS to prevent hash dumps
  • Many processes that used to store credentials in memory no longer do so
  • Better methods to restrict local accounts from going over the network
  • Programs no longer leave credentials in memory after a user logs out
  • Allow RDP (Remote Desktop Protocol) connections to be used without putting the user’s credentials on the remotely controlled computer
  • Addition of a new Protected Users group, whose members’ credentials cannot be used in remote PtH attacks
  • Several other OS changes that make PtH attacks far more difficult to achieve (see the Technet summary)

For those who want to drill down and determine how these new anti-PtH measures have been implemented, here’s some more detail:

Protecting LSASS

LSASS.exe is the main process used by Windows to verify authentication — the same process most hacking tools attack to grab authentication credentials out of memory and on disk. Most hacking tools work by intercepting LSASS and injecting their code into the process.

In Windows 8.1, this is no longer possible (or much more difficult, at the very least). LSASS can be made a protected process, which makes it a lot harder to be manipulated by rogue software. Plus, it no longer stores LM hashes or plaintext equivalents in memory (already, Windows doesn’t store those types of credentials on disk by default). Because protection of LSASS may break some legitimate legacy software, this is not enabled by default on anything but Windows 8.1 RT. I recommend that all admins worried about PtH attacks enable this feature after thorough testing.

New security identifiers

There are two new built-in security identifiers, called “Local account” and “Local account and member of the Administrators group.” You can place all your local sensitive accounts in these groups, then use them to apply permissions, privileges, and policies. For instance, previous PtH mitigations recommended giving local admin accounts a privilege called Deny Network Logons, which would prevent them from being used to access Active Directory network resources. This is still a great mitigation, but it previously required that each individual account be marked with the denial privilege and that admins keep up with individual adds, moves, and changes. Now you can apply the privilege to the new SIDs and be done with it.

Fixing RDP

One of my biggest pet peeves regarding RDP is that it ends up putting the admin’s logon credentials on the remote box being accessed. I used to recommend that admins use just about any other remote admin method (such as MMC or PowerShell) instead of RDP. In Windows 8.1, with the new Restricted Admin mode enabled, RDP doesn’t put stealable credentials on the remote computer being managed. This is a big win — enterprises around the world, celebrate!

Protected Users group

Members of the new Protected Users group are significantly harder to exploit in PtH attacks. Members can use only Kerberos, and their credentials cannot be delegated. Yes, Kerberos tickets can be used in credential theft attacks, but attackers aren’t nearly as familiar with Kerberos, and the lack of delegation makes PtH attacks far more difficult.
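As an added example (not code from the article or from Microsoft), here is a PowerShell audit that reports whether the mitigations described in the sections above are actually in force on a Windows 8.1 or Server 2012 R2 host: LSASS running as a protected process (the documented RunAsPPL value and Wininit System event 12), Restricted Admin RDP (the DisableRestrictedAdmin value), the two new SIDs (S-1-5-113 and S-1-5-114) in the deny-network-logon user right, and Protected Users membership. It assumes it is run elevated and that the ActiveDirectory module is present for the last check; the function and field names are my own.

```powershell
# Added example: audit the Windows 8.1 / Server 2012 R2 PtH mitigations on
# the local host. Run from an elevated PowerShell session.
function Get-PthMitigationStatus {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. LSASS as a protected process: RunAsPPL = 1 (off by default except on RT).
    $runAsPpl = ($lsa.RunAsPPL -as [int]) -eq 1
    # The value only takes effect after a reboot; Wininit writes System event 12
    # ("LSASS.exe was started as a protected process") once it has.
    $pplBooted = $null -ne (Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue)

    # 2. Restricted Admin RDP: DisableRestrictedAdmin = 0 enables it. If the
    #    value is absent the OS default applies, so report that rather than guess.
    $restrictedAdmin = if ($null -ne $lsa.DisableRestrictedAdmin) {
        $lsa.DisableRestrictedAdmin -eq 0 } else { 'OS default' }

    # 3. "Local account" (S-1-5-113) and "Local account and member of the
    #    Administrators group" (S-1-5-114) in "Deny access to this computer from
    #    the network" (SeDenyNetworkLogonRight), read from a secedit export.
    $cfg = Join-Path $env:TEMP 'pth-audit-secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $denyLine = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' |
                Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $denyLocal      = [bool]($denyLine -and $denyLine.Line -match 'S-1-5-113')
    $denyLocalAdmin = [bool]($denyLine -and $denyLine.Line -match 'S-1-5-114')

    # 4. Protected Users membership (domain-joined hosts with the AD module).
    $protectedUsers = 'n/a (ActiveDirectory module not installed)'
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $protectedUsers = @(Get-ADGroupMember 'Protected Users' -Recursive |
                            Select-Object -ExpandProperty SamAccountName)
    }

    [PSCustomObject]@{
        LsassRunAsPPL            = $runAsPpl
        LsassProtectedSinceBoot  = $pplBooted
        RestrictedAdminRdp       = $restrictedAdmin
        DenyNetworkLocalAccounts = $denyLocal
        DenyNetworkLocalAdmins   = $denyLocalAdmin
        ProtectedUsersMembers    = $protectedUsers
    }
}

Get-PthMitigationStatus | Format-List
```

A host where LsassRunAsPPL is true but LsassProtectedSinceBoot is false has the registry value set but has not rebooted since, so LSASS is still unprotected.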

Many of these features are configurable and can be turned on and off; their settings are protected by UEFI and Secure Boot.

The only caveat I can think of is that all of these new mitigations are currently available only in Windows 8.1 and in Windows Server 2012 R2. I have little doubt customers will want these mitigations back-ported to previous versions, but I have no idea what Microsoft’s plans are — or even if it is reasonably possible to accomplish without causing too many operational problems.

This story, “Windows 8.1 stops pass-the-hash attacks,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
