There have been many Microsoft Windows vulnerabilities and exploits over the years. There has been worms, viruses, spyware, password crackers, and many other malicious exploits that have riddled many Windows networks crippled. I don’t think there is anything that can rival the hottest exploit on Windows as Pass-The-Hash (PTH). PTH is an exploit that has no known fix. There is not a hotfix, service pack, security setting, Group Policy setting, or anything that can be done to eliminate the PTH exploit. So, the concern is how is this exploit possible, what environments are more susceptible, and how can an administrator reduce the risk of this malicious attack?
Requirements of PTH
PTH has one simple initial requirement. No, it has nothing to do with the level of the operating system. Every operating system, including Windows Vista, Server 2008, 2008 R2, 7, 8, and even 2012 are vulnerable. No, it has nothing to do with the level of service pack or specific patch you have applied. Patch Tuesday provides no help with this exploit.
The requirement for PTH to be successful is to obtain local Administrative access to a Windows computer. Yes, that is all! Well, from my perspective, that should be difficult! I have been preaching the protection of servers and desktops for years. I have been preaching that users should not be local admins for years.
Of course, the PTH exploit goes beyond the concept of least privilege. PTH goes into an area where we all don’t want to dabble. However, we must look at the PTH exploit with intensive concern due to the issues that it exposes.
PTH is such a lethal exploit that every company that runs Windows must consider. So, who is more exposed with this attack? You might be shocked at the answer!
Who is Most Exposed?
It might surprise you who is most exposed with regard to the PTH attack. It is really not the organizations that have weak user password policies. It is not the organizations that have older operating systems, such as Windows NT and Windows 2000. It is not even companies that have not done a good job at patching their Windows computers with security and service pack updates.
Actually, the organizations that are at most risk are those that practice good “administrative” practices. Yes, it has to do with procedure more than configuration! Sure, configuration is important, but the overall procedures that administrators follow can expose an organization more than anything else.
So, with this in mind, how can an organization protect itself from this malicious attack?
First Line of Defense!
No matter what you do with the PTH attack, don’t logon as an administrator unless you absolutely must! This means that you should not logon to a domain controller, server, or even a workstation as a local or domain administrator.
The reason for this is that the software that PTH uses is waiting for you to perform this task. In essence, the PTH first gains local administrative access (in some way) from your computer, then the software is placed on that computer to wait… yes wait for you to logon as an administrator.
Once the PTH software realizes that you have logged on as an administrator, it will attempt to hop from computer to computer using the credentials (hash) that you used to logon to every other computer. If you have used a Domain Admin or Enterprise Admin credential, it is game over!
Don’t Configure Local Administrator Passwords to be the Same
It is often an easy and comfortable configuration for workstations and servers. The comfort in having all of the local Administrator account passwords being the same is very easy. No matter what computer you touch, the local Administrator account is always the same. However, this is an ideal situation for the PTH attack.
Because of the way that PTH hops from computer to computer on the network, it is a dangerous configuration in trying to protect against the attack. Also don’t forget that PTH is only valid once local Administrator is obtained on a computer… so when local Administrator is compromised on one computer, in an environment where all local Administrator passwords are the same, every computer is compromised!
There are solutions that help with this situation. There are applications that can be purchased, or even designed, to randomize the local Administrator password on each computer. The application will document the password so that it can be leveraged in an event where it is necessary.
Also remember that for Windows Vista and greater, the local Administrator account is disabled by default. This was Microsoft’s attempt to help reduce the exposure of the local Administrator from attack.
Don’t Use Administrator Account
Once you are on the network, try to limit the use of any administrator account, especially Administrator. Ideally the task that is being performed should limit the use of the privileges based on the task. So, if you are simply browsing the Internet you should be a standard user. If you are performing an action within Active Directory, such as modifying a group membership, you should only have the privilege (this is possible through AD delegation). If you are performing a task that requires Domain Admins privileges, then that is what you should be logged in as.
Limit User Rights Privileges
User rights are configurations that control “who” can control “what” for a computer. User rights are per computer, so each computer can have a different set of these settings. The good thing is that user rights are configured via Group Policy, so it is easy to configure multiple computers in the same way using AD and Group Policy.
The reason that user rights need to be limited is that PTH will hop from one computer to another, leveraging the privileges that are available on each computer. With some user rights being extremely powerful and granting too much control, they can give the attacker a foothold on a computer or workstation that they might not have otherwise.
PTH is a very powerful attack. Due to the fact that there is not one silver bullet fix, configuration, patch, setting, etc that can protect against it, PTH is lethal for a corporate network. Actually, no matter what you do to a computer to protect against PTH, there is no combination of settings that will protect the computer fully. A few of the top controls for protecting against PTH are described in this article. The key is to limit the use of any administrator account, as well as protecting the local Administrator on any computer. Also, a user that is configured to have local administrative privileges needs to be protected. If the attacker is limited or negated from achieving local administrative access to the computer, PTH is completely negated. In the next installment of this article, we will go into Group Policy and the actual settings to show you where and how you can lock down computers to help negate PTH attacks. The goal is to reduce the overall attack surface and negate the attacker as much as possible form gaining footholds into the environment and not allowing domain admin access.