One of the most talked about presentations at Microsoft TechEd was Pass-The-Hash: How Attackers Spread and How to Stop Them by Mark Russinovich and Nathan Ide of Microsoft. This presentation demonstrated how simple it is to collect hashes from one machine and leverage them to compromise the entire infrastructure. The publication of attack techniques and lack of preventative tools have forced enterprises to rely on ineffective techniques to mitigate this risk. Fortunately, by removing administrative rights from all users and leveraging a Windows privilege management solution like PowerBroker for Windows, you can mitigate this risk throughout your organization.
The techniques highlighted in the presentation steal hash information from the current user logged in locally or via RDP. When those sessions contain privileges above a standard user, the malware or hacker has an advantage because they can elevate their privileges from system to system – from low-level user to high-value permissions such as help desk personnel or domain administrators. The key to protecting these systems when modern tools are not available for Windows 8.1 or Windows 2012 R2 is to never give elevated privileges to users in the first place. Therefore, if malware does infect a host, the hacker can only gain standard user access despite any lateral movement they are able to obtain.
So, how does PowerBroker for Windows help? The solution doesn’t elevate the permissions of the user, but rather changes the application’s security token using patent-pending technology:
Again, the user’s privileges never change and the modified application runs with the new security token, which can be customized to any level required for the application to correctly function:
As a result, the user never has a hash that malware or a hacker can leverage against another resource with elevated permissions. In addition, the privileges granted to the application could either be executed as a full administrator or customized to only allow the privileges or process required for the task to execute. In this case, the attack tools demonstrated in the Tech Ed briefing would only be able to capture the hashes of the standard user and have no access to the elevated privileges granted to the application.
The fact remains that, in most organizations, too many users have excessive privileges. Hacking techniques like Pass-The-Hash have been successfully used to maliciously compromise entire infrastructures. Simply removing privileges can cripple business productivity, since critical applications and tasks can no longer function correctly as a standard user. A tool or technique is needed to bridge that gap, and PowerBroker for Windows is that solution.
PowerBroker for Windows preserves the privileges granted to the user and only modifies the application’s runtime security token to meet the needs of the application (on a per application basis). With over 250 rules in PowerBroker’s sample rules library, you do not need to start from scratch to make this change a reality. Our best practices guide, professional services team, and years of experience in privileged account management can help make hacking techniques like this a moot point for your business.