Mitigating “Pass the Hash” Attacks via Least Privilege

Recently I was reading a white paper from Microsoft on an increasingly prevalent security attack called “Pass the Hash” (PtH), and in reviewing the top recommended mitigations for this type of security attack, the mitigations all had to do with restricting and protecting high privilege domain accounts as well as restricting and protecting local accounts with administrative privileges. In other words, the best course of action to mitigate the risk of this attack was to implement the concept of “least privilege” for Windows systems. In this blog post I am going to talk about the concept of least privilege and some of the challenges it poses in the Windows environment, and briefly discuss how DirectAuthorize for Windows can address these challenges.


According to Roger Grimes over at InfoWorld, “successful PTH (pass the hash) attacks are becoming increasingly common in the corporate world in recent months.” These attacks now go “hand-in-hand” with Advanced Persistent Threats (APT), which caused many high profile breaches at companies such as RSA, Sony, etc. Per Microsoft, the PtH attack itself

“uses a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers over the network. A PtH attack is very similar in concept to a password theft attack, but it relies on stealing and reusing password hash values rather than the actual plaintext password.”

PtH attacks are staged by an attacker first obtaining a local administrative account on a computer. From there the attacker obtains password hashes as well as other credentials on the compromised computer. Using this information, the attacker moves “laterally” to gain access to domain controllers and other servers storing sensitive data. As noted by Roger at InfoWorld:

“Once the attacker has your hashes, it can be difficult to prevent him or her from wreaking havoc. After all, once an attacker gets at your hashes, he or she must already have superprivilege access. They are already king on the computers or in the compromised domains/forests. What can’t they do? It’s like worrying about how car thieves will treat the brakes.”

While PtH attacks can happen on most platforms, they appear to be most prevalent on Windows, given the plethora of attack tools available for that platform.

So how do you mitigate the risks of a PtH attack? Again, per Roger at InfoWorld:

“The first step is to get rid of as many elevated logon accounts as you can. PTH only works if the attackers can gain local Administrator or domain Administrator permissions and privileges. Most companies have far more elevated logon accounts than they need. Microsoft (my full-time employer) recommends two domain admins per domain. Most companies I survey have dozens to more than 100.

Rarely should someone log on as domain admin. Almost no single person in a company needs the ability to do everything to a domain, such as manage users, modify all computers, modify all Active Directory attributes, change or reset everyone’s password, and so on, unless you’re a small team in a small company. In most cases, delegation is the way to go instead.”

Microsoft, in the previously quoted PtH whitepaper, gives similar advice by documenting its top risk mitigation steps, including:

  • Restrict and protect high privileged domain accounts
  • Restrict and protect local accounts with administrative privileges
  • Remove standard users from the local administrators group
  • Limit the number and use of privileged domain accounts
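The first and last of these steps come down to knowing who actually holds administrative rights, locally and in the domain. The following PowerShell script is an added example (not from the original post or from Centrify) that inventories both populations: it lists members of the local Administrators group that are not on an approved list (the “standard users in local administrators” case) and counts the recursive membership of Domain Admins against the two-per-domain recommendation quoted above. It assumes PowerShell 5.1 or later on a domain-joined host with the RSAT ActiveDirectory module installed; the parameter names `$ApprovedLocalAdmins` and `$MaxDomainAdmins` and both function names are this example’s own.

```powershell
# Added example: inventory the account populations targeted by the PtH mitigations.
# Assumes PowerShell 5.1+ (LocalAccounts module) and the RSAT ActiveDirectory module.
param(
    # Principals expected in the local Administrators group (hypothetical approved list).
    [string[]]$ApprovedLocalAdmins = @("$env:COMPUTERNAME\Administrator",
                                       "$env:USERDOMAIN\Domain Admins"),
    # The post cites Microsoft's recommendation of two domain admins per domain.
    [int]$MaxDomainAdmins = 2
)

function Get-UnexpectedLocalAdmins {
    # Every member of local Administrators that is not on the approved list.
    # A domain user appearing here directly is exactly what "remove standard users
    # from the local administrators group" tells you to clean up.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedLocalAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-DomainAdminExposure {
    # Recursive membership counts users reached through nested groups, which is how
    # the real admin population grows past what the direct member list shows.
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    [pscustomobject]@{
        DomainAdminCount = $members.Count
        OverRecommended  = ($members.Count -gt $MaxDomainAdmins)
        Members          = ($members.SamAccountName -join ', ')
    }
}

$local = Get-UnexpectedLocalAdmins
if ($local) {
    Write-Output "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $local | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators on $($env:COMPUTERNAME) contains only approved principals."
}

$domain = Get-DomainAdminExposure
Write-Output ("Domain Admins (recursive, users only): {0} (recommended max {1})" -f
    $domain.DomainAdminCount, $MaxDomainAdmins)
if ($domain.OverRecommended) {
    Write-Warning "Domain Admins exceeds the recommended count: $($domain.Members)"
}
```

Run it on each server from a management host, or wrap the local-group check in Invoke-Command, to get a baseline before removing accounts.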

So, to summarize, the risk mitigation steps are really about implementing the concept of “least privilege.” As Gartner notes in its 2012 report entitled “Hype Cycle for Identity and Access Management Technologies,” organizations should:

“Adopt a “least privilege” model for granting privileges, including superuser privileges. It is not good practice for administrators to use a privileged account for mundane activities… there is a need for the organization to have more granular control over and visibility into the way that these [administrator] privileges are granted and used.”

This advice dovetails with guidance found in regulatory and compliance requirements including SOX, FISMA, NERC and PCI DSS; for example, from NERC section CIP 007-3 R5:

“The Responsible Entity shall ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed.”

Addressing the “least privilege” challenge on Windows was exactly why we built and released DirectAuthorize for Windows. Here are some of the Windows “least privilege” challenges and how DirectAuthorize addresses them:

  • Too many users with local admin rights in your environment? Centrify’s DirectAuthorize for Windows lets you control which applications or commands users can run with privileged access without making them members of the local Administrators group.
  • Do privileged users have access to systems they should not have access to? With Centrify’s DirectAuthorize for Windows you can granularly scope which systems users have privileged access on.
  • Tired of managing local Administrators groups on Windows systems? With Centrify’s DirectAuthorize for Windows you can administer user privileges in Active Directory without the need to manage local groups on individual systems.
  • Need to allow users to remotely manage systems, or to remotely execute an application, without having them log on to those systems? With Centrify’s DirectAuthorize for Windows you can grant users network access rights only, without granting them direct logon rights to systems.

  • Centrify DirectAuthorize for Windows lets users elevate privilege using a one-click Centrify Tray Application to create a new desktop for an assigned administrative role, or use ‘Run as Role’ for privilege elevation for a single application.

  • Need to audit Windows privileged users? With Centrify’s DirectAudit for Windows, an add-on to DirectAuthorize, you can audit user-level access to Windows systems and replay privileged sessions just like a DVR.
  • Need to report on which users have access to which systems? With Centrify’s DirectAuthorize for Windows, you can create reports on the fly that show which systems users can access as well as what privileges those users have on those systems.

Check out a 5-minute video of DirectAuthorize here. In my next blog post I will drill down in more detail on how DirectAuthorize works, and in subsequent blog posts I will also compare it to what you get natively with Windows itself.