Defeat dreaded pass-the-hash attacks

Nov 22, 2011 | 7 min read
Cybercrime | Data and Information Security | Hacking

Perfect security is elusive, but companies can take key steps to keep malicious hackers from taking over their systems

Successful PTH (pass-the-hash) attacks have become increasingly common in the corporate world in recent months, a trend I’ve witnessed first-hand in the IT security trenches. PTH goes hand in hand with the infamous APT (advanced persistent threat) attacks that have staggered companies such as RSA, Sony, DuPont, and others, so organizations need to be prepared to defend against them. There’s just one surefire way to prevent them: Secure all your systems perfectly.

Pulling off that feat is far easier said than done. Ask any IT admin at a company that has undergone penetration testing by an outside hacker team. It’s hard to stave off a determined aggressor. When I was a professional penetration tester for nine years, I was not stopped once from gaining privileged access in a forest. In every case but one, it took less than an hour. There is always an unpatched machine or easy-to-find opening to pull off a privilege-escalation attack. It’s almost child’s play once you know what you are doing.


That’s no reason to up and surrender to would-be attackers, though. Perfect security is extremely difficult to achieve. However, based on the work that my peers and I have been doing in the field of late as PTH attacks have risen, I can confidently recommend some critical steps organizations can take to protect themselves.

As a refresher, PTH attacks are a subset of attacks otherwise known as authentication token theft and reuse. Although PTH attacks can be used against any popular OS (Windows, Mac OS X, Linux, BSD, and so on), they are most often associated with Windows authentication because of the readily available, public attack tools for the Microsoft platform. Like any token-theft attack, they work on the very basic and simple principle that once a bad guy knows your ultimate authentication “secret,” he or she can reuse it to open new authentication sessions. In the most common scenarios, attackers steal the victim’s LM or NT Windows password hashes from a Windows authentication database or from a server’s memory, then reuse them to create new authentication sessions.

Once an attacker has your hashes, it can be difficult to prevent him or her from wreaking havoc. After all, to get at your hashes in the first place, the attacker must already have superprivileged access; they are already king on the compromised computers or in the compromised domains and forests. What can’t they do? It’s like worrying about how car thieves will treat the brakes.

Traditionally, defending against a PTH attack has been reactionary, entailing figuring out how the attackers got in your network, fixing the holes, kicking out the attackers, changing all passwords, and working hard to prevent it from occurring again. Ideally, all those holes should have been closed off in the first place. But again, that’s the toughest thing about minimizing the risk of PTH attacks. In order to prevent them, you must essentially do everything. It’s hard to pull off perfectly — but there are many ways to minimize the risks.

The first step is to get rid of as many elevated logon accounts as you can. PTH only works if the attackers can gain local Administrator or domain Administrator permissions and privileges. Most companies have far more elevated logon accounts than they need. Microsoft (my full-time employer) recommends two domain admins per domain. Most companies I survey have dozens to more than 100.

Rarely should someone log on as domain admin. Almost no single person in a company needs the ability to do everything to a domain, such as manage users, modify all computers, modify all Active Directory attributes, change or reset everyone’s password, and so on, unless you’re a small team in a small company. In most cases, delegation is the way to go instead.

Using built-in Active Directory or third-party tools, assign each admin only the elevated permissions and privileges necessary to perform the tasks of their job. Using delegation tools, you’ll find dozens (if not hundreds) of individual tasks and rights that can be assigned to each admin. Instead of giving the admin all possible abilities, you give them a limited subset. That way, if an attacker compromises a particular admin’s account, it is far less likely that the attacker can then dump the password hash authentication database.
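One way to measure how far an environment is from the two-admins-per-domain figure quoted above is to count the enabled accounts that hold membership, directly or through nesting, in each highly privileged group. The script below is an added example, not from the article or from Microsoft; it assumes the RSAT ActiveDirectory module and read access to the domain, and the threshold of two is the article’s figure.

```powershell
# Added example (not from the article): count who can act as a domain admin,
# so oversized admin groups and stale holders stand out for removal.
# Assumes: RSAT ActiveDirectory module installed, read access to the domain.
Import-Module ActiveDirectory

# Members of these groups can dump the domain's hash database if compromised.
# Enterprise/Schema Admins exist only in the forest root domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$recommendedMax   = 2   # the article's figure: two domain admins per domain

foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirectly privileged users are counted too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' } |
                   Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet
    } catch {
        Write-Warning "Skipping '$group': $($_.Exception.Message)"
        continue
    }

    $enabled = @($members | Where-Object { $_.Enabled })
    $status  = if ($enabled.Count -gt $recommendedMax) { 'REVIEW' } else { 'ok' }
    Write-Output ("{0,-18} enabled members: {1,3}  [{2}]" -f $group, $enabled.Count, $status)

    # Longest-idle accounts first: these are the easiest candidates to delegate
    # down or remove, and an unused admin account is a pure liability.
    $enabled |
        Sort-Object LastLogonDate |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
        Format-Table -AutoSize
}
```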

Second, use noninteractive, remote management tools whenever possible. If PTH attackers aren’t dumping password hash databases, they are trying to dump password hashes from interactive logons — that is, some PTH tools allow attackers to get the hash of currently logged-on interactive users. Most remote management tools don’t log on interactively. Instead of using RDP, Terminal Services, VNC, or some other type of GUI-based interactive logon tool, opt for a remote console or script instead.

For example, use the Windows PowerShell console or the Microsoft Management Console (MMC). MMC allows you to change the focus of the console tool to a remote computer instead of the local one. As long as you’re not logged on interactively, there will not be password hashes in memory for the attacker to dump. Remote tools and scripts are normally easier and more efficient in the long run.
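The following is an added example (not code from the article) of the two halves of this advice: performing a routine admin task on a server over PowerShell remoting, which produces a network logon rather than an interactive one, and then auditing that server’s Security log for the interactive and RDP logons (Event ID 4624, logon types 2 and 10) that do leave credential material in memory. It assumes WinRM is enabled on the target, that the caller can read the remote Security log, and the hostname is a placeholder.

```powershell
# Added example (not from the article). Assumes PowerShell remoting is enabled
# on the target and the caller may read its Security event log remotely.
$server = 'SRV01'   # placeholder hostname

# A network logon (type 3) through PowerShell remoting: the remote session
# does not leave the caller's password hash in LSASS the way RDP or a
# console logon does. Here the task is a quick patch-level check.
Invoke-Command -ComputerName $server -ScriptBlock {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
}

# Detection side: which accounts logged on interactively to this server?
# 2 = Interactive (console), 10 = RemoteInteractive (RDP / Terminal Services).
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

$interactiveLogons = Get-WinEvent -ComputerName $server -LogName Security -FilterXPath $xpath -MaxEvents 200 |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            Source    = $data.IpAddress
        }
    } |
    Where-Object { $_.Account -notlike '*$' }   # drop machine accounts

# Every row is a session whose hash sat in memory until the user logged off;
# privileged accounts appearing here are the ones to move to remote tooling.
$interactiveLogons | Sort-Object Time -Descending | Format-Table -AutoSize
```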

Lastly, if you have to use elevated domain accounts and interactive logons, minimize their access and exercise them in a secure manner. Here are some suggestions:

  • Always use elevated accounts from supersecure jump boxes. These jump boxes should be highly secured and be used for domain admin tasks only. They cannot connect to the Internet, pick up email, or be used as anything but jump boxes for elevated tasks.
  • Using network access control, limit the computers that can connect to the jump boxes, and limit the ports that can be bound into and out of the jump box.
  • When logging on interactively to administrate a computer, always log off (and consider rebooting if possible) to make sure the interactive session is killed and the password hash does not remain in memory to be stolen.
  • Consider using VMs as your jump boxes, since they can be easily reset to clear out memory after each session.
  • Consider using a highly secure domain or forest from which to administrate other domains and forests, with a one-way share, to minimize an attacker’s ability to compromise the domain admin accounts. This concept is known as an “empty forest root” domain. They used to be frequently recommended, but lost favor because of the increase in admin overhead. If you’re worried about PTH attacks, this is one way to reduce risk.
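As an added example of the network-access controls in the second bullet (not from the article), the Windows Firewall rules below put a jump box into default-deny in both directions and open only what administration needs: RDP and WinRM inbound from the admin workstation subnet, and domain services plus management ports outbound to the domain controllers and managed servers. The addresses are placeholders, the port lists are a starting point to be trimmed to what your tooling actually uses, and the cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the article): jump-box firewall policy. Run elevated
# on the jump box. All addresses below are placeholders for your environment.
$adminWorkstations = @('10.10.1.0/24')              # where admins connect from
$domainControllers = @('10.10.0.10', '10.10.0.11')  # DCs the jump box authenticates against
$managedHosts      = @('10.20.0.0/16')              # servers administered from this box

# Default-deny in both directions on every profile; the rules below are the only openings.
# Outbound default-deny is what enforces "no Internet, no email" from the jump box.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Inbound: RDP and WinRM only from the admin workstation subnet.
New-NetFirewallRule -DisplayName 'JumpBox-In-RDP'   -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389       -RemoteAddress $adminWorkstations
New-NetFirewallRule -DisplayName 'JumpBox-In-WinRM' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $adminWorkstations

# Outbound to DCs: DNS, Kerberos, LDAP/LDAPS, GC, SMB, kpasswd, ADWS, RPC endpoint mapper
# and the dynamic RPC range that AD management tools (MMC snap-ins) depend on.
New-NetFirewallRule -DisplayName 'JumpBox-Out-DC-TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389, '49152-65535' `
    -RemoteAddress $domainControllers
New-NetFirewallRule -DisplayName 'JumpBox-Out-DC-UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53, 88, 123, 389, 464 -RemoteAddress $domainControllers

# Outbound to managed servers: remoting, RPC/SMB for MMC, RDP only where unavoidable.
New-NetFirewallRule -DisplayName 'JumpBox-Out-Manage' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 135, 445, 3389, 5985, 5986, '49152-65535' -RemoteAddress $managedHosts

# Show what is now allowed, so the policy can be reviewed against the intent above.
Get-NetFirewallRule -DisplayName 'JumpBox-*' | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action | Format-Table -AutoSize
```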

One other bit of advice: I’ve been a big believer in scattered honeypots to give early warning of new attackers roving around in our environments.

Many of my colleagues are using these suggestions to help their customers today, and their overall success is directly correlated with how capable clients are in implementing the suggestions.

When a successful PTH attack has taken hold in your company, you have a bigger problem to solve. If you can’t keep the attackers from becoming administrators, it will always be game over. But security is not binary — it’s a continuum, and you now have a workable defensive strategy to mitigate the threat.



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
