No, this isn't about sharing a hallucinogen-laced bong for a smoke. The "hash" we're referring to here is the one that Wikipedia aptly but unhelpfully defines as "a derivation of data, notably used in cryptographic hash functions".
Daniel (ISC Handler), Mar 18th 2015
You can prevent your server admin and domain admin accounts from interactively logging into your workstations. This can be done for free with Group Policy and will prevent a workstation from storing administrative hashes which in turn prevents a workstation compromise from being an easy domain compromise.
For your IT helpdesk accounts (i.e. local admins), you can prevent these from logging into your servers so the local admin (helpdesk) accounts can only access workstations. Furthermore, you can prevent PtH from workstation to workstation by not allowing your workstations to connect to each other over port 139/445 for file and printer sharing. Network logins, such as mapped drives, aren't interactive and don't store the hash upon login, so you can set your workstations to only accept 139/445 traffic from your servers. This will allow you to still access your workstations from your servers for administrative purposes using the local admin account.

In short, restrict your admin accounts to only log in to the machines they need to log in to. Domain admin accounts should only be able to log in to domain controllers (and maybe a couple of other highly sensitive servers such as your CA). Any application servers should have their own unique admin accounts that can only log in to that specific app server so that a compromise of one app server doesn't result in the compromise of all app servers. Finally, all local workstation admin accounts should only be allowed to log in to workstations and not any servers. You can still log in to the workstation from the servers as the local admin account. This is the only way I've found to keep sensitive hashes from being stored on the wrong systems, and it seems to work well for us.

Notable Group Policy Settings:

Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment:
- Deny log on as a batch job
- Deny log on as a service
- Deny log on locally
- Deny log on through Terminal Services

Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups:
- BUILTIN\Administrators

I believe Server 2012 and beyond will have authentication silos which should also address this. The silo will basically be a group of machines designated as being at the same security level. There is still an issue of passing the hash among machines in the same silo, but at least we can prevent easy escalation from one silo to another (e.g. from workstations to app servers or infrastructure servers).
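The following PowerShell is an added example, not code from the ISC diary or from the comment above. It checks one machine's effective "Deny log on ..." user rights against a tiering policy of the kind described (domain/server admins denied on workstations, helpdesk admins denied on servers) and adds a local firewall rule that blocks inbound 139/445 from the workstation ranges so only servers can reach a workstation over SMB. The group names (CONTOSO\...), the subnets and the rule name are placeholders; in production the rights and the firewall rule would be deployed by GPO, and this script only verifies and mirrors the local result.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Deny* user rights and scope inbound SMB.
# Hypothetical tiering policy: per machine role, which groups must be present in
# each Deny* right. Group names are placeholders for this illustration.
$Policy = @{
    Workstation = @{
        Groups = @('CONTOSO\Domain Admins', 'CONTOSO\Server Admins')
        Rights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
                   'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight')
    }
    Server = @{
        Groups = @('CONTOSO\Helpdesk Admins')
        Rights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
                   'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight')
    }
}

function ConvertTo-Sid([string]$Account) {
    # Resolve 'DOMAIN\Group' to its SID string so comparisons are name-independent.
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-EffectiveUserRights {
    # Export the local security policy (the merged result of all applied GPOs)
    # and return a hashtable: right name -> array of SIDs assigned to it.
    $cfg = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
                $v = $_.Trim()
                # secedit writes SIDs with a leading '*'; unresolved names appear bare.
                if ($v.StartsWith('*')) { $v.Substring(1) } else { ConvertTo-Sid $v }
            })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-DenyLogonPolicy {
    # Emit one row per (group, right) saying whether the deny is actually in effect.
    param([ValidateSet('Workstation', 'Server')][string]$Role)
    $expected  = $Policy[$Role]
    $effective = Get-EffectiveUserRights
    foreach ($group in $expected.Groups) {
        $sid = ConvertTo-Sid $group
        foreach ($right in $expected.Rights) {
            $present = $effective.ContainsKey($right) -and ($effective[$right] -contains $sid)
            [pscustomobject]@{ Role = $Role; Group = $group; Right = $right; Present = $present }
        }
    }
}

# Workstation-to-workstation SMB: block inbound TCP 139/445 from the workstation
# address ranges. Block rules take precedence over allow rules in Windows
# Firewall, so servers outside these ranges can still reach the box for admin work.
$WorkstationSubnets = @('10.20.0.0/16', '10.21.0.0/16')   # placeholder ranges
function Set-WorkstationSmbBlock {
    $name = 'Block SMB from workstations'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 139, 445 -RemoteAddress $WorkstationSubnets | Out-Null
    }
}

# Usage on a workstation: list any deny right that is missing, then apply the SMB block.
Test-DenyLogonPolicy -Role Workstation | Where-Object { -not $_.Present } | Format-Table -AutoSize
Set-WorkstationSmbBlock
```

Run it as an administrator on a machine of the given role; an empty table means every expected group is denied every interactive, remote-interactive, batch and service logon on that host. The audit reads the merged policy via `secedit`, so it catches a GPO that failed to apply as well as a local override, and comparing SIDs rather than names avoids false alarms when a group has been renamed.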
Justin, Mar 20th 2015
I posted a bit on PtH attacks and detecting them with Sagan some time back. If you are interested in this sort of thing and detecting it via log analysis, check out:
https://quadrantsec.com/about/blog/detecting_pass_the_hash_attacks_with_sagan_in_real_time/