Thursday, January 10, 2013

Practical applications from “New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash”


The scenarios described in the “New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash” white paper could result in great, even catastrophic, impact on a compromised organization.  Countless organizations, large and small, are vulnerable when their policies and practices are stacked up against the recommendations in the paper.  Here are several practical points (not silver bullets or solutions) that came to mind as I was digesting the recommendations:

  1. Use “trusted” workstations to administer
  2. Administrators should have at least 2 accounts:
    • a standard unprivileged user account for regular work and login to their less secure, untrusted PC/workstation.  Writing Emails, browsing internet, writing documentation, research, etc.
    • an administrative account to login to trusted infrastructure from trusted workstation(s) to perform administrative tasks.
    • DO NOT MIX the usage of these two.
  3. Use AD group policy and internet proxy configuration to deny/disable communication via internet, email, IM, etc. and respective apps for the administrative domain and local administrator user groups and accounts.
  4. Disable NTLM protocol and use Kerberos, if possible.
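A small audit that turns points 1, 2 and 4 into a check over logon records. This is an added example, not part of the original post or the white paper; the workstation and account names, the trusted-host set, and the sample records are constructed, and the field names only mirror a few fields of Security event 4624.

```python
"""Audit logon records against the pass-the-hash practices above:
admin accounts should only log on from trusted admin workstations,
and logons should use Kerberos rather than NTLM.
All host and account names below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

TRUSTED_ADMIN_HOSTS = {"PAW01", "PAW02"}               # assumption: the "trusted" admin workstations
ADMIN_ACCOUNTS = {"CORP\\alice.adm", "CORP\\bob.adm"}  # assumption: the separate admin accounts


@dataclass(frozen=True)
class Logon:
    account: str       # TargetDomainName\TargetUserName
    workstation: str   # WorkstationName: the host the logon originated from
    logon_type: int    # 2 = Interactive, 3 = Network, 10 = RemoteInteractive
    auth_package: str  # AuthenticationPackageName: "Kerberos" or "NTLM"


def audit(logons):
    """Return (finding, logon) pairs for every record that violates a practice."""
    findings = []
    for ev in logons:
        # Point 1/2: an admin account used anywhere but a trusted workstation
        # exposes its credential to whatever is running on that host.
        if ev.account in ADMIN_ACCOUNTS and ev.workstation not in TRUSTED_ADMIN_HOSTS:
            findings.append(("admin-from-untrusted-host", ev))
        # Point 4: NTLM logons are what pass-the-hash relies on; list them
        # so they can be chased down before NTLM is disabled.
        if ev.auth_package.upper() == "NTLM":
            findings.append(("ntlm-logon", ev))
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'ntlm-logon': 2}."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample records (not real log data).
SAMPLE_LOGONS = [
    Logon("CORP\\alice.adm", "PAW01", 10, "Kerberos"),   # admin from a trusted host: fine
    Logon("CORP\\alice", "WS-ALICE", 2, "Kerberos"),     # standard account on the everyday PC: fine
    Logon("CORP\\bob.adm", "WS-BOB", 2, "Kerberos"),     # admin account on an untrusted PC
    Logon("CORP\\carol", "FILESRV01", 3, "NTLM"),        # NTLM still in use somewhere
    Logon("CORP\\bob.adm", "WS-BOB", 3, "NTLM"),         # both violations at once
]

if __name__ == "__main__":
    for kind, ev in audit(SAMPLE_LOGONS):
        print(f"{kind}: {ev.account} from {ev.workstation} via {ev.auth_package}")
    print(summarize(audit(SAMPLE_LOGONS)))
```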

In general, stay reasonably paranoid regarding your data and infrastructure.  “They ARE out to get you.”

Microsoft recommends these items among “Security Development Lifecycle” reading materials:

· Secure design, including the following topics:
    • Attack surface reduction
    • Defense in depth
    • Principle of least privilege
    • Threat modeling
· Secure coding, including the following topics:
    • Cross-site scripting
    • SQL injection
    • Managed code security (transparency, code access security, assembly strong naming, etc.)