
The Irrational Security Monologue

Published by: Joffy, Category: Information Security, Views: 800, Published: 2015-02-13

Puff-Puff-Pass the Hash

So you have over a thousand servers in your fleet: how do you make sure the passwords on each of them are secure? An even scarier thought: what if a malicious actor doesn't even need your passwords to move laterally through your environment? An attacker with a foothold on one of your low-value assets can, without ever learning a password, authenticate to your higher-value assets. Game over.

That is pass-the-hash (PtH) in a nutshell: the attacker lifts the NTLM password hash from one computer, uses it to authenticate to another, harvests more (and usually more privileged) hashes there, and authenticates again. It is an effective and potentially devastating attack on your network. Yes, now is the time to assume the worst; leave your resignation on the CTO's desk on the way out.

The good news is there are lots of efficient and cost-effective ways to safeguard your network from credential theft and reuse. Thankfully some smart boffins have already written reams about this topic, and it can be distilled into three papers: two from Microsoft and one from the NSA's Information Assurance Directorate.

The Microsoft papers provide detailed, follow-the-bouncing-ball mitigation strategies. The version 1 document covers:

  1. Restricting and Protecting Highly Privileged Domain Accounts
  2. Restricting and Protecting Local User Accounts with Admin Privileges
  3. Restricting Inbound Network Traffic using the Windows Firewall

These are followed up in the version 2 document with strategies that depend on newer platforms (Windows 8.1 / Server 2012 R2, or older versions with the back-ported updates), such as:

  1. Restricting Logon using the new Well-Known Local-Account Security Identifiers (SIDs)
  2. Enforcing Removal of Credentials after Logoff
  3. Removing LAN Manager Hashes and Plaintext Credentials from LSASS
  4. Restricted Admin Mode for Remote Desktop Connections
  5. Restricting User Authentication via the Protected Users Security Group
  6. Utilizing Authentication Policies and Silos
  7. Protecting the LSASS Process from Being Tampered With (running it as a protected process)
  8. Disabling Automatic Restart Sign-On (ARSO)
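Most of the version 2 items above are switched on by a single registry value, which makes them easy to audit across a fleet. The script below is an added example (not code from this post, nor from Microsoft): it checks one host against the registry-backed items in the list and, with `-Remediate`, sets them. The registry paths and hardened values are the documented ones; the report layout and the rule that an absent value counts as non-compliant are this script's own choices.

```powershell
# Added example, not code from the post or from Microsoft: audit a host against
# the registry-backed items in the v2 list above and, with -Remediate, set them.
# Registry paths and hardened values are the documented ones; the reporting
# format and the "absent counts as non-compliant" rule are this script's choice.
# Run elevated; RunAsPPL takes effect only after a reboot.
[CmdletBinding()]
param(
    [switch]$Remediate   # without it the script only reports
)

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One row per mitigation: where it lives and the value that hardens it.
$checks = @(
    @{ Item = 'Remove LM hashes';                Path = $lsa;     Name = 'NoLMHash';                      Want = 1  },
    @{ Item = 'No plaintext (WDigest) in LSASS'; Path = $wdigest; Name = 'UseLogonCredential';            Want = 0  },
    @{ Item = 'Purge leaked creds after logoff'; Path = $lsa;     Name = 'TokenLeakDetectDelaySecs';      Want = 30 },
    @{ Item = 'Restricted Admin mode for RDP';   Path = $lsa;     Name = 'DisableRestrictedAdmin';        Want = 0  },
    @{ Item = 'LSASS as a protected process';    Path = $lsa;     Name = 'RunAsPPL';                      Want = 1  },
    @{ Item = 'Automatic Restart Sign-On off';   Path = $policy;  Name = 'DisableAutomaticRestartSignOn'; Want = 1  }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent. For these settings an absent value
    # means the platform default applies, which on older platforms is the weak one.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = foreach ($c in $checks) {
    $have = Get-RegValue $c.Path $c.Name
    $ok   = ($null -ne $have) -and ([int]$have -eq $c.Want)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $have = $c.Want
        $ok   = $true
    }

    $shown = if ($null -eq $have) { '(not set)' } else { $have }
    [pscustomobject]@{
        Mitigation = $c.Item
        Value      = $c.Name
        Current    = $shown
        Wanted     = $c.Want
        Compliant  = $ok
    }
}

$report
```

Save it as a .ps1 and run `.\Audit-PtH.ps1 | Format-Table -AutoSize` for a quick read, or feed the objects into whatever you use for fleet reporting. One caveat worth knowing before you flip `DisableRestrictedAdmin` everywhere: Restricted Admin keeps your admin's credentials off the remote host, but because the RDP session is then a network logon, an attacker who already holds that admin's hash can open the same session with it. Enable it on the hosts your admins connect to from a clean workstation, not blindly fleet-wide.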

Now the more interesting of these papers is the National Security Agency's, which talks about real-world ways of achieving these outcomes, namely with some super-useful PowerShell scripts that assist in mitigating your Pass-the-Hash woes.

These mitigations mainly consist of:

  1. Creating unique local account passwords
  2. Denying local accounts network logons
  3. Restricting lateral movement with host firewall rules

One of the more useful things the scripts help with is rolling out unique local passwords every 90 days, without having to use a Neuralizer on your entire service-desk staff after they have changed the password on every machine in your fleet by hand.
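To make the three NSA mitigations concrete (and items 2 and 3 of the version 1 list further up), here is an added example that applies all three to the host it runs on. It is not the IAD scripts the post links to, just illustrative code written for this page. The local account name, the management subnet, the password length, the use of the Windows 8 / Server 2012 NetSecurity cmdlets and the well-known "Local account" SID S-1-5-113 are all assumptions of this example; run it elevated and from the management subnet (or a console), because the last step cuts SMB and RDP off from everywhere else.

```powershell
# Added example, not the NSA IAD scripts the post links to: apply the three
# mitigations above (unique local admin password, no network logon for local
# accounts, lateral-movement firewall rules) to the host it runs on.
# Assumptions for this demo: the account name, the management subnet, the
# password length and the Windows 8 / 2012-era NetSecurity cmdlets. Run
# elevated, from the management subnet or a console, because step 3 cuts off
# SMB/RDP from everywhere else.
[CmdletBinding()]
param(
    [string]$LocalAdmin  = 'Administrator',
    [string]$AdminSubnet = '10.0.100.0/24',   # assumed jump-host network
    [int]   $PasswordLen = 20
)

# --- 1. Unique local account password --------------------------------------
function New-RandomPassword([int]$Length) {
    # CSPRNG bytes mapped onto a printable alphabet, with rejection sampling so
    # the modulo does not bias the output towards the first few characters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?'
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

$password = New-RandomPassword $PasswordLen
$account  = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalAdmin,user"   # ADSI works back to 2008 R2
$account.SetPassword($password)
$account.SetInfo()

# --- 2. Deny local accounts network and RDP logon ---------------------------
function Add-DenyLogonRight([string[]]$Rights, [string]$Sid) {
    # secedit replaces a right's assignee list wholesale, so export, merge the
    # SID into each right, and re-import rather than writing a fresh INF.
    $cfg = Join-Path $env:TEMP 'pth-rights.inf'
    $db  = Join-Path $env:TEMP 'pth-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = [System.Collections.Generic.List[string]](Get-Content $cfg)
    foreach ($right in $Rights) {
        $i = -1
        for ($k = 0; $k -lt $lines.Count; $k++) {
            if ($lines[$k] -match "^$right\s*=") { $i = $k; break }
        }
        if ($i -lt 0) {
            $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "$right = *$Sid")
        } elseif ($lines[$i] -notmatch [regex]::Escape("*$Sid")) {
            $lines[$i] = $lines[$i].TrimEnd() + ",*$Sid"
        }
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

# S-1-5-113 is the well-known "Local account" SID (Windows 8.1 / 2012 R2, or
# KB2871997 on older platforms). Denying it network and remote-interactive
# logon means a stolen local hash cannot be replayed against this host.
Add-DenyLogonRight -Sid 'S-1-5-113' -Rights @(
    'SeDenyNetworkLogonRight',
    'SeDenyRemoteInteractiveLogonRight'
)

# --- 3. Firewall: inbound admin protocols only from the management subnet ---
Set-NetFirewallProfile -All -DefaultInboundAction Block
# Re-scope the built-in allow rules instead of adding a block rule: in Windows
# Firewall a block rule beats an allow rule, so "block all except this subnet"
# cannot be expressed with a single block rule.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Remote Desktop' `
    -RemoteAddress $AdminSubnet

# Hand the new password to your escrow (vault, ACL'd AD attribute, whatever the
# service desk reads from); emitting it as an object lets the caller pipe it there.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Account      = $LocalAdmin
    Password     = $password
    Rotated      = Get-Date
}
```

Two design points. The password is never written to disk by the script; it is returned as an object so the caller decides where it is escrowed, which is the part a 90-day rotation actually lives or dies on. And the user-rights change merges into the exported policy rather than overwriting it, because a bare INF with only `SeDenyNetworkLogonRight = *S-1-5-113` would silently drop any deny entries the host already had.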

Go nab these PowerShell scripts from the Information Assurance Directorate's Git Repo.

-J

