Reducing the Effectiveness of Pass-the-Hash, a report compiled by the Network Components and Application Division of the NSA/CSS, is highly recommended for all Windows network administrators and designers.
The design guidelines given in chapter 3 lay the foundations for the secure operation of Windows networks. Strictly implemented, they hamper the propagation of attacks through the network.
I have no doubt that the impact of the Sony attack would have been far smaller if these guidelines had been implemented.
The more technical details about the Sony attack come to light, the more restless I become. Although the attacker delivered a highly sophisticated piece of code, the impact of this attack would not have been so serious without the unintended help of Sony's users and IT groups.
Samuel Gibbs writes in the Guardian: ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’
That’s really bad! And particularly critical in the case of functional accounts or global admin accounts.
Another large weak spot, users working with administrative privileges or accounts, was exploited for the initial attack.
The big question is: how could we make an attacker's life more difficult?
Just a few suggestions:
Never use an account with administrative rights for daily work. This also applies to members of the IT groups. Administrators should work with standard user accounts and switch to a privileged account only when required.
Never use the same accounts and passwords for administering servers (email or database systems, for example) and workstations. Then, even if a workstation account is compromised, the servers stay safe.
Never use the same functional accounts and passwords on workstations and servers. Functional accounts are often used to run services of third-party vendors, e.g. anti-malware systems, and unfortunately they often need administrative privileges. Separate accounts and passwords for workstations and servers prevent malware from spreading to the servers if, for example, the workstation account is compromised.
Never use the same functional account for multiple services. Mind the isolation principle!
Service-specific functional accounts should be defined locally, and only on the systems that host the service.
Use only strong passwords with a length of more than 20 characters. For functional accounts in particular this is no problem, because their passwords are rarely used.
Decide whether to implement two-factor authentication.
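As an added example (my own script, not code from the original post and not from the NSA report), here is a read-only PowerShell audit that checks a single Windows host against the first four suggestions and the password-length rule. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts and CIM cmdlets, and it only reads the domain password policy if the optional ActiveDirectory RSAT module is installed. Run it on a workstation and on a server and compare the two reports; an account that shows up on both hosts is exactly the reuse the suggestions above warn about.

```powershell
# Added example: audit one Windows host for the account-hygiene points above.
# Read-only; it changes nothing on the system.

$findings = New-Object System.Collections.Generic.List[string]

# Suggestion 1: is this interactive session running with administrative rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings.Add("Session of '$($identity.Name)' is elevated; use a standard account for daily work.")
}

# Suggestions 1 and 2: which domain user accounts sit in the local Administrators group?
# Each of them is a credential worth stealing from this host, so the list should be short
# and must not overlap with the administrators of your servers.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($member in $admins) {
    if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'ActiveDirectory') {
        $findings.Add("Domain user '$($member.Name)' is a local administrator on $env:COMPUTERNAME.")
    }
}

# Suggestions 3 and 4: which accounts run services, and is one account shared by several?
# Built-in and virtual service identities are not functional accounts, so they are skipped.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -ne 'LocalSystem' -and
        $_.StartName -notmatch '^(NT AUTHORITY|NT SERVICE)\\'
    }

$services | Group-Object -Property StartName | ForEach-Object {
    $account      = $_.Name
    $serviceNames = ($_.Group | ForEach-Object { $_.Name }) -join ', '

    if ($_.Count -gt 1) {
        $findings.Add("Account '$account' runs $($_.Count) services ($serviceNames); isolate them.")
    }

    # A local account appears as '.\name' or 'COMPUTERNAME\name'; anything else with a
    # backslash is a domain account, which is the one that can be reused across hosts.
    if ($account -match '\\' -and $account -notmatch "^(\.|$env:COMPUTERNAME)\\") {
        $findings.Add("Service(s) $serviceNames run as domain account '$account'; verify it is unique to this host role.")
    }
}

# Password-length rule: report the domain minimum if the AD module is available.
# (The rule of more than 20 characters is a convention for the accounts you create,
# so this is a hint about the policy floor, not a check of individual passwords.)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $policy = Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue
    if ($policy -and $policy.MinPasswordLength -le 20) {
        $findings.Add("Domain minimum password length is $($policy.MinPasswordLength); functional accounts need more than 20 characters.")
    }
}

if ($findings.Count -eq 0) {
    'No findings on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The service section deliberately reports domain accounts even when they run only one service: a single service on a workstation and a single service on a server may still share the same domain account, which only shows up when the reports from both hosts are placed side by side.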
That’s it for today, and for this year. I will take a Christmas break.
A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.