Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Intercepting pass-the-hash attacks

Roger Grimes | April 21, 2010
Limiting who can access highly privileged accounts and where they do can help keep hackers from snatching precious hashes.

Although a password used to be considered secure when it was at least eight characters long, today's best public authorities such as NIST suggest 12-character minimums for regular computers. Password-cracking speeds advance every year, though, so even a 12-character password is sure to be too short in the near future.

Intercepting the pass
Most researchers, myself included, have determined that pass-the-hash attacks aren't a problem so much as a symptom of the higher risk: the fact that an attacker is able to secure highly privileged access to the hashes in the first place. After all, once attackers have admin or root access, what can't they do? In an Active Directory network, an attacker has to be an administrator on a domain controller in order to get most of the users' hashes, which means, in most cases, the attacker has effectively become a domain administrator. Pass-the-hash attacks are just one of your problems.

Adam Arndt, my good friend and colleague, has refused to fall into the indefensible trap. Along with dozens of other researchers concerned about same problem, he has spent months studying it. I don't know anyone who has thought about it harder and fought to offer deployable defences.

Adam's biggest recommendation is to prevent or minimise domain admins from logging on to nondomain controllers and from performing non-Active Directory management tasks. He makes the case that domain admins should only be logged on to perform tasks that are limited to domain admins. Even then, he opines, those tasks should be performed only on domain controllers. In Active Directory, 95 percent of the tasks normally assigned to domain admins (such as user and computer account management, group policy updates, and so on) can be delegated using the Active Directory Delegation Control wizard to specialised, role-specific groups that are not members of the domain admins group.

For example, by default, domain admins are made members of the local Administrators group on each domain-joined computer, which in turn gives them full control over all resources. Instead, remove the domain admins from the local Administrators group (with appropriate testing, of course) and replace it with a role-specific group that needs full control to manage particular computers. For instance, do your domain admins really require full control over your most important databases and all the sensitive data therein?

Instead, document all tasks the various domain admins perform on a regular basis. Then create role-specific groups and delegate those role-based tasks to the appropriate groups. (Microsoft provides some guidance on these tasks.) Next, remove all the "unneeded" domain admins, relate the remaining domain admins, and make them highly secure. Some companies have successfully employed special toolsCyberArk, Cloakwareto simplify the tasks of managing and controlling the remaining highly privileged admins.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.