Preventing Pass-the-Hash

Working with different clients I’ve seen a lot of ignorance and neglect when it comes to PtH. Here are the control mechanisms that should be implemented to protect cached credentials and avoid Pass-the-Hash attacks:

1. Apply UAC restrictions to local accounts on network logons

This can be configured with group policy settings, and it controls whether local accounts can be used for remote administration via network logon. As an alternative, you can configure the “Deny access to this computer from the network” group policy setting.

2. Disable WDigest Authentication

When WDigest authentication is enabled, Lsass.exe retains a copy of the user’s plain-text password in memory. Prior to Windows Server 2012 R2, this setting is enabled. To disable WDigest authentication you can use group policy or you can manually configure the following registry:


3. Require Security Signature

This setting can be found in the following registry path:


If it is enabled (set to 1), the computers will block pass-the-hash attacks. This only works for Workgroup computers and does not apply to domain computers.

4. Restricted Admin mode

This functionality disallows passing credentials to the host machine when you connect via RDP. Although this functionality helps with credential caching, it introduces a new problem with pass-the-hash (explained HERE). So I don’t recommend using restricted admin mode.

5. Protected Users group

Members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. This way credentials will no longer be cached, so it will help protect against pass-the-hash. To use this feature, the primary domain controller needs to run at the Windows 2012 R2 domain functional level, and devices need to run at least Windows 2012 R2 or Windows 8.1.

6. Credential Guard

Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.

7. Log off from servers

Force admins to log off correctly and not just close RDP sessions with the X button. Credentials stay in memory until you log off. You can do this via GPO settings for the RDP service.

8. Least-privilege security principle

Users should have different accounts for different purposes. Limit the use of privileged accounts to necessary operations only, and don’t use a Domain Admin account for simple tasks.

9. Use Enterprise Antivirus Software

Free antivirus software usually offers only antivirus protection and no IPS capabilities. Enterprise software usually has features that protect a computer against network attacks, including pass-the-hash. These attacks will be detected and blocked.

10. Regular password changes

This will limit the window of opportunity for an attacker; it does not protect against pass-the-hash.
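
As an added example (not part of the original post), the PowerShell below audits the local machine for items 1, 2 and 6. The registry locations and the `Win32_DeviceGuard` class are the ones Microsoft documents rather than values taken from this page, and the function names `Get-RegValue` and `Test-PthHardening` are hypothetical.

```powershell
# Added example: audit the local machine for items 1, 2 and 6 above.
# Registry paths are Microsoft's documented locations, not values from this page.
# Get-RegValue and Test-PthHardening are hypothetical helper names.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PthHardening {
    # OsVersion is a parameter so the WDigest default logic can be checked for older builds.
    param([version]$OsVersion = [Environment]::OSVersion.Version)

    # Item 1: 0 or absent means local accounts get a filtered token on network logon.
    $uac = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    [pscustomobject]@{
        Control = '1. UAC restrictions on network logon'
        Value   = $uac
        Ok      = ($null -eq $uac) -or ($uac -eq 0)
    }

    # Item 2: an absent value is only safe from Windows 8.1 / Server 2012 R2 (6.3) on;
    # earlier versions keep WDigest enabled unless the value is explicitly set to 0.
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $wdOk = if ($null -eq $wd) { $OsVersion -ge [version]'6.3' } else { $wd -eq 0 }
    [pscustomobject]@{
        Control = '2. WDigest disabled'
        Value   = $wd
        Ok      = $wdOk
    }

    # Item 6: SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = if ($null -ne $dg) { $dg.SecurityServicesRunning } else { @() }
    [pscustomobject]@{
        Control = '6. Credential Guard running'
        Value   = ($running -join ',')
        Ok      = $running -contains 1
    }
}

Test-PthHardening | Format-Table -AutoSize
```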

