Protecting against pass the hash attacks
For some odd reason (okay I was listening to the pauldotcom podcast), I was inspired to look into protecting against pass the hash and compile a quick list of things.
I already implement some group policies to disable the use of LM and NTLMv1 hashes and reduce the number of logons cached locally:
Computer config\windows\security\local policies\security options\
- Interactive logon: Number of previous logons to cache: 1 logon
- Network Security: Do not store LAN Manager hash value on next password change: Enabled
- Network Security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
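As an added example (not from the original post), the following PowerShell reads the registry values that the three Group Policy settings above write to and reports whether each machine matches the post's settings. The registry paths are the standard locations those policies map to, not something the post lists.

```powershell
# Added example: audit the three hardening settings listed in the post by reading
# the registry values the corresponding Group Policy settings write to.
# Run in an elevated PowerShell session on the machine being checked.

function Test-PassTheHashHardening {
    [CmdletBinding()]
    param()

    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Each entry: the policy name from the post, where it lands in the registry,
    # the value the post recommends, and how to judge the value that is found.
    $checks = @(
        @{ Policy = 'Interactive logon: Number of previous logons to cache'
           Path = $winlogon; Name = 'CachedLogonsCount'; Expected = 1
           # Stored as a string; the Windows default is 10. 0 or 1 is acceptable.
           Pass = { param($v) ($null -ne $v) -and ([int]$v -le 1) } }
        @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
           Path = $lsa; Name = 'NoLMHash'; Expected = 1
           # 1 = enabled (no LM hash is written at the next password change).
           Pass = { param($v) $v -eq 1 } }
        @{ Policy = 'Network security: LAN Manager authentication level'
           Path = $lsa; Name = 'LmCompatibilityLevel'; Expected = 5
           # 5 = Send NTLMv2 response only. Refuse LM & NTLM.
           Pass = { param($v) $v -eq 5 } }
    )

    foreach ($c in $checks) {
        # A missing value means the policy is not enforced and the OS default applies.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = if ($null -eq $value) { '<not set>' } else { $value }
            Expected = $c.Expected
            Status   = if (& $c.Pass $value) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-PassTheHashHardening | Format-Table -AutoSize -Wrap
```

Any row marked REVIEW either has the default in place or a weaker setting than the post recommends; a Group Policy refresh (gpupdate /force) followed by a re-run confirms the policy actually applied.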
There’s a lot written on this topic already, but it’s a complex area that requires defense in depth. So here’s a quick list of related measures.
Here are two writeups that look good:
Local administrative access (via popping an exploit for instance) = access to hashes
Network traffic access (MITM, via ARP spoofing for instance) = access to hashes.
- Whole disk encryption: auditing whether the system disk is encrypted.
- Other defenses that stop exploits from landing in the first place. If an exploit lands during a local administrative session, then any hashes in use (those available to lsass.exe) are accessible to any administrator (anyone with the se_??? right).
- Patching (there are always exploitable bugs)
- IPS/IDS (perimeter and host)
- EMET sandboxing
- restricting powerful accounts (including local administrator accounts) [this means have two sets of administrative accounts (or more). For instance, never log on to a workstation with a domain administrator account; but have (deployed) an additional set of accounts for workstation administrators.]
- Use of OTP for powerful accounts [I need to verify this will always regenerate the hash]
- Powerful function sandboxing. [seriously, use an IP KVM straight to the boxen, a VM or a dedicated box for your domain admin functions]
- NAC [stops bad people from accessing LANs]
- 802.1x & NAP [stops bad people from accessing LANs]
- ARP spoofing protections [stops bad people from MITM]
User rights “considered elevated access” by MSFT:
- Create token object (SeCreateTokenPrivilege)
- Act as part of the operating system (SeTcbPrivilege)
- Take ownership (SeTakeOwnershipPrivilege)
- Back up files and directories (SeBackupPrivilege)
- Restore files and directories (SeRestorePrivilege)
- Debug programs (SeDebugPrivilege)
- Impersonate a client after authentication (SeImpersonatePrivilege)
- Modify object label (SeRelabelPrivilege)
- Load and unload device drivers (SeLoadDriverPrivilege)
A lot of the above will eventually be covered within the scope of the Securing your network project.