The idea here is to minimise the number of highly privileged admins and to prevent them from using their credentials to log in to regular workstations, which are more likely to be compromised than better-protected domain controllers.
These recommendations are neither unrealistic nor impractical: I've worked with many companies that have adopted them, and they are working well operationally, with much less risk than before.
Other measures to thwart pass-the-hash attacks include requiring a reboot of any computer on which a highly privileged user has logged on. This clears the hashes from memory, where a pass-the-hash attacker could otherwise easily obtain them.
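The two controls above (keep privileged accounts off workstations, and reboot a machine after a privileged logon) can both be audited on a single host. The following PowerShell script is an added example, not code from the article: it exports the local user-rights policy to confirm that the privileged groups are denied interactive and RDP logon, then reads Security event 4624 since the last boot to report any interactive logon by a privileged account, which is the case where, by the article's reasoning, a hash may still be in memory. The group names (CONTOSO\...), the account names, and the assumption that it is run elevated on a domain-joined workstation are all placeholders for your own environment.

```powershell
<#
  Added example (not from the article). Audits one Windows host for:
  1. Whether the privileged groups are denied interactive/RDP logon here.
  2. Whether a privileged account has logged on interactively since the
     last boot (credential material may still be in memory; reboot).
  Run elevated on a domain-joined workstation.
#>
[CmdletBinding()]
param(
    # Assumed tier-0 groups; replace with your own.
    [string[]]$PrivilegedGroups = @('CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins'),
    # Assumed tier-0 account names to look for in logon events.
    [string[]]$PrivilegedAccounts = @('da-alice', 'da-bob')
)

# --- 1. User rights: export local policy and read the two "deny" rights ---
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf

function Get-RightSids([string]$RightName) {
    $line = $policy | Where-Object { $_ -match "^$RightName\s*=" }
    if (-not $line) { return @() }
    # Exported values look like "*S-1-5-21-...-512,*S-1-5-21-...-519"
    ($line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*') }
}

# Resolve the group names to SIDs so we can match the exported policy.
$groupSids = foreach ($g in $PrivilegedGroups) {
    try {
        ([System.Security.Principal.NTAccount]$g).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { Write-Warning "Cannot resolve $g"; continue }
}

foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $denied = Get-RightSids $right
    foreach ($sid in $groupSids) {
        $status = if ($denied -contains $sid) { 'DENIED (good)' } else { 'NOT denied' }
        "$right : $sid : $status"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# --- 2. Privileged interactive logons since last boot (Event ID 4624) ---
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $lastBoot } `
    -ErrorAction SilentlyContinue

# 4624 EventData order: [5] TargetUserName, [6] TargetDomainName, [8] LogonType
$hits = foreach ($e in $events) {
    $user = $e.Properties[5].Value
    $type = [int]$e.Properties[8].Value
    # 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
    if (($PrivilegedAccounts -contains $user) -and ($type -in @(2, 10, 11))) {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $user; LogonType = $type }
    }
}

if ($hits) {
    Write-Warning "Privileged interactive logon(s) since last boot ($lastBoot); consider a reboot:"
    $hits | Format-Table -AutoSize
} else {
    "No privileged interactive logons since last boot ($lastBoot)."
}
```

Network logons (type 3) are deliberately not flagged, since they do not leave reusable credential material on the target the way interactive logons do; if you want to catch privileged accounts that still authenticate to workstations over the network, add 3 to the logon-type list. Event 4624 holds the account name, not its group membership, which is why the script takes an explicit account list rather than resolving groups at run time.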
Server and domain isolation is an excellent technique for minimising the spread of pass-the-hash attacks. Not only can it prevent attackers from gaining access to most of your computers and servers, it can also cause the attacker's attempts to set off your other defense-in-depth controls, such as IDS and firewalls.
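On Windows, domain isolation is implemented with IPsec connection security rules: each domain member requires inbound connections to be authenticated with the computer's Kerberos identity, so a host that is not a domain member (or that the attacker reaches with a stolen user hash but not a machine credential) cannot even complete a connection, and the failed negotiations show up in the firewall log. The following is an added example, not the article's or Microsoft's own configuration; the display names are placeholders, and it assumes it is run elevated on a domain-joined host.

```powershell
<#
  Added example (not from the article): a minimal domain-isolation rule.
  Inbound connections must authenticate with the peer machine's Kerberos
  identity; outbound connections request it but fall back to clear for
  non-domain peers. Test on a pilot OU before applying broadly.
#>
# Phase 1 authentication: the computer's own Kerberos (domain) credential.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation Auth (example)' -Proposal $proposal

# Require authentication inbound, request it outbound, on the domain profile only.
New-NetIPsecRule -DisplayName 'Domain Isolation (example)' `
    -Profile Domain `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Verify what was created, and watch the firewall log for dropped,
# unauthenticated inbound attempts once the rule is in force.
Get-NetIPsecRule -DisplayName 'Domain Isolation (example)' | Format-List DisplayName, InboundSecurity, OutboundSecurity, Profile
Get-NetFirewallProfile -Name Domain | Format-List LogFileName, LogBlocked
```

This gives domain isolation; server isolation on top of it narrows each server further by adding firewall rules that accept authenticated connections only from an authorised computer or user group, so a credential stolen from a workstation does not by itself grant network access to the server.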
Additionally, it makes sense to use antimalware-scanning software to look for pass-the-hash tools. If you find any in your environment, investigate immediately. All of this advice is meant to supplement the defenses you should already have in place to prevent attackers from gaining privileged access to your systems.
These recommendations boil down to nothing more than putting the least-privileged security principle into practice. Doing so improves your security posture far more than just mitigating pass-the-hash attacks.