Pass-The-Hash: Protect Your Windows Computers! (Part 2)

by [Published on 27 Nov. 2013 / Last Updated on 27 Nov. 2013]

In this article we'll cover some of the GPO settings you can use to protect your computers from PTH attacks.

If you would like to be notified of when Derek Melber releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to Pass-The-Hash: Protect Your Windows Computers! (Part 1).

Introduction

In my first installment of this article, I pointed out the overall cause and effects of PTH, as well as going over some of the most important aspects of PTH with regard to protecting yourself. In this article, I plan on running with the concepts of how to protect yourself and put those into action. There are many ways to push out the settings that I mentioned in the first article, but I feel that the use of Group Policy is the best way to deploy settings so that all of your Windows computers are protected quickly, easily, and with very little configuration requirements. I will again reiterate… there is no 100% solution for protecting yourself against PTH. If a computer is on a network and the user does not behave correctly, PTH can take advantage of that computer. So, we need to look at the possible ways of protecting your computer from this potential attack.

Remove Local Admin Privileges

The most important thing you can do to protect against PTH is to remove local administrative privileges. The reason that this is so powerful is the fact that PTH is only valid if it can establish local admin privileges to the computer. Without this level of privilege, PTH becomes neutral. You must remember that PTH is a very patient attack. Malicious software will sit and wait for local admin credentials to be used and try to obtain them at that time.

In order to remove local admin privileges for your users of each computer, you need to remove the user (and potentially group that the user belongs to) which is located in the local Administrators group. This is a built in group and there are three types of objects that you will need to verify and remove:

  • Local user accounts from the local SAM of that computer
  • Domain user accounts from the domain the computer has membership in or one that it trusts
  • Domain group accounts from the domain the computer has membership in or one that it trusts

In most cases you will just need to remove the domain user, as this is typically the way that most organizations grant local admin privileges to the users of the computer. There is a Group Policy Object (GPO) setting that can easily remove the user from having membership in the local Administrators group. The setting is dynamic in that it does not care what the user name is, as it only focuses on the user that is logging in. So, in essence, every user that you configure the GPO to effect will have local admin privileges removed from any computer they log on to, which is what you need.

This setting can be found under the User Configuration\Preferences\Control Panel Settings\Local Users and Groups section. If you right click on the Local Users and Groups node, you can select New – Local Group option to create a policy to control this setting. This can be seen in Figure 1.

Image
Figure 1: Local User policy to manage membership in Administrators group.

You should configure the following portions of the policy:

  • Group Name: Administrators
  • Remove the Current User: Click the radio button

This is all you need to do within the GPO setting. Just ensure that you link this GPO to the correct OU which contains the users which should not have local admin privileges to their desktop, or any computer they log on to for that matter.

Reset the Local Administrator Password

In a similar control to that of removing local admin privileges for users, you need to ensure that the local Administrator user on each computer has a strong, long, and complex password. This password should also be reset often, to keep security up to speed for this account on each computer. There are many malicious applications that have password crackers and dictionary attacks built into them, so this is a key configuration to reduce the effects of PTH.

To make this setting through a GPO, you will configure Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups. Here you will right click and select New – Local User, which will create a new policy for you. Within the new policy you should configure the following sections, which can also be seen in Figure 2:

  • User name: Administrator
  • Password: <input long, strong, complex password>
  • Confirm Password: <Duplicate password from Password input>
  • User must change password at next logon: Deselect this check box

Image
Figure 2: Local User policy to reset the local Administrator password.

Like with any GPO, you must now link this to an OU which contains the computers where you want to reset the password. Ideally, you want to have passwords for the local Administrator account to be different, so PTH is less successful hopping from one computer to another. To do this using a GPO and this setting, configure multiple GPOs with this setting configured within it and link each GPO to a different OU. Each different OU will contain different computer accounts so that the password is not the same for the local Administrator account on every computer.

Configure User Rights

Now that we have the local admin privileges covered, let’s move on to another area of each computer which grants elevated privileges. The User Rights on each computer defines what a user can do to that computer. There are about over 40 User Rights on a single computer that range from changing the system clock to backing up files. There are certainly some User Rights that have more power than others, but the goal here is to ensure that all User Right configurations are correct.

User Rights can be configured using a GPO, so we want to follow suit with the previous two GPO settings by linking a GPO to an existing OU that contains computer accounts. You can use the last GPO and the setting contained within it, or you can create a new GPO for User Rights. I would suggest the same GPO to keep these key security settings grouped together.

User Rights are configured in a GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. When you get to this node you will see the full listing of User Rights. You will need to configure each User Right with the appropriate group which should have the associated privilege. The User Rights list can be seen in Figure 3.

Image
Figure 3: User Rights listing within a GPO.

Note:
User Rights in this configuration is a “delete and replace” technology. So, the list of groups you list here will be the only groups listed for that User Right on the target computer after GPO applies. Be sure to include every group (and local user if necessary) for each User Right. It is not a good idea to place domain user accounts on User Rights, as it is nearly impossible to manage over 40 User Rights on thousands of endpoints if the user needs to be removed for any reason.

Summary

PTH is a nasty, powerful, and common attack that we all need to protect against. If we don’t take measures to protect our computers, there is a very high percentage of certainty that we will be attacked and the attack will be successful. It is very difficult to recognize if you have been attacked by PTH, so thwarting the attack before it can be successful is key. Since there is no silver bullet to protect yourself, you need to take every precaution to do so. In this article we covered some of the GPO settings you can use to protect your computers from PTH attacks, and in the next installment we will finalize the GPO settings list. When completed, you will have a complete solution to help protect your environment from the PTH attack.

If you would like to be notified of when Derek Melber releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

If you would like to read the first part in this article series please go to Pass-The-Hash: Protect Your Windows Computers! (Part 1).

Featured Links