Working with different clients I’ve seen a lot of ignorance and neglect when it comes to Pass-the-Hash (PtH). Here are the control mechanisms that should be implemented to protect the credentials held in LSASS memory and to make Pass-the-Hash attacks harder:
1. Apply UAC restrictions to local accounts on network logons
This is configured through Group Policy (the setting writes LocalAccountTokenFilterPolicy = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and controls whether local accounts can be used for remote administration via a network logon. With the restriction in place, a local account that is a member of Administrators receives a filtered, non-elevated token when it logs on over the network, so a hash captured for that account cannot be replayed against admin shares, PsExec or WMI on other hosts; a value of 1 removes the filtering, and some deployment and remote-management tools set it without telling you. Note that the built-in Administrator account (RID 500) is not subject to this token filtering, so it must either be disabled or get a unique password per host (e.g. with LAPS). As an alternative, or in addition, you can add the well-known groups “Local account” (S-1-5-113) and “Local account and member of Administrators group” (S-1-5-114) to the “Deny access to this computer from the network” user right; these SIDs exist natively on Windows 8.1 / Server 2012 R2 and are added to older systems by KB2871997.
2. Disable WDigest Authentication
When WDigest authentication is enabled, lsass.exe keeps a copy of the user’s plaintext password in memory so that it can answer Digest challenges, and tools such as Mimikatz read it straight out of the process. It is enabled by default on every Windows version before Windows 8.1 and Windows Server 2012 R2; on those older systems install KB2871997 first, which adds the UseLogonCredential switch, and then set the value explicitly, because the update itself does not change the default. To disable WDigest authentication you can use Group Policy or you can manually configure the following registry value:
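The following script is an added example, not code from the original post: it audits both controls above on the local host and, with the -Enforce switch (a parameter name chosen here), writes the secure registry values. It assumes an elevated PowerShell session. The registry paths, value names and the S-1-5-113/114 SIDs are the documented ones; the output layout and the version check that decides whether an absent UseLogonCredential value is acceptable are my own choices.

```powershell
<#
  Added example (not from the original post): audit and optionally enforce the
  two Pass-the-Hash controls above. Run in an elevated PowerShell session.
  -Enforce is a name chosen for this example.
#>
[CmdletBinding()]
param([switch]$Enforce)

# Windows 8.1 / Server 2012 R2 is NT 6.3: from here on WDigest is off by default,
# so an absent UseLogonCredential value is fine. On older builds absent = enabled.
$os = [Environment]::OSVersion.Version
$wdigestOffByDefault = $os -ge [Version]'6.3'

$checks = @(
    [pscustomobject]@{
        Name       = 'UAC token filtering for local accounts on network logons'
        Path       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value      = 'LocalAccountTokenFilterPolicy'
        Want       = 0            # 0 = local admins get a filtered token over the network
        AbsentIsOk = $true        # value absent behaves like 0, the secure default
    },
    [pscustomobject]@{
        Name       = 'WDigest plaintext password caching in LSASS'
        Path       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value      = 'UseLogonCredential'
        Want       = 0            # 0 = LSASS does not keep the plaintext password
        AbsentIsOk = $wdigestOffByDefault
    }
)

function Test-Control {
    param([pscustomobject]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    $ok = if ($null -eq $current) { $Check.AbsentIsOk } else { $current -eq $Check.Want }
    [pscustomobject]@{ Control = $Check.Name; Current = $current; Compliant = $ok }
}

function Set-Control {
    param([pscustomobject]$Check)
    if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
    # An explicit REG_DWORD 0 is correct for both controls on every OS version.
    Set-ItemProperty -Path $Check.Path -Name $Check.Value -Value $Check.Want -Type DWord
}

$results = @(foreach ($c in $checks) {
    $r = Test-Control $c
    if (-not $r.Compliant -and $Enforce) {
        Set-Control $c
        $r = Test-Control $c      # re-read so the report shows the effective value
    }
    $r
})

# Report-only check for the alternative control: does "Deny access to this computer
# from the network" (SeDenyNetworkLogonRight) list S-1-5-113 or S-1-5-114?
$cfg = Join-Path $env:TEMP 'pth-audit-secpol.inf'
secedit /export /cfg $cfg | Out-Null
$denyLine = Get-Content -Path $cfg |
    Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=\s*(.*)$' } |
    Select-Object -First 1
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$denyValue = if ($denyLine -match '^SeDenyNetworkLogonRight\s*=\s*(.*)$') { $Matches[1] } else { '(not set)' }
$results += [pscustomobject]@{
    Control   = 'Deny network logon for local accounts (S-1-5-113 / S-1-5-114)'
    Current   = $denyValue
    Compliant = [bool]($denyValue -match 'S-1-5-11[34]')
}

$results | Format-Table -AutoSize
```

Run it without arguments first to see the current state; the WDigest row will show Compliant = False on a Windows 7 / Server 2008 R2 host where the value has never been set, which is exactly the case the section warns about. Setting UseLogonCredential = 0 only takes effect once KB2871997 is installed on those older builds, and the change does not purge plaintext passwords already held for logged-on sessions, so a reboot (or at least a fresh logon) is needed before LSASS is clean. The user-right check is intentionally report-only because SeDenyNetworkLogonRight is best managed centrally through Group Policy rather than patched per host.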