I have been recently researching Pass the Hash mitigation techniques and I have found that there are the usual comments about not logging on to workstations with Admin accounts, ensuring your local admin accounts don’t have the same password, ensuring a sensitive machine isn’t being managed by a less secure, or less sensitive machine. But the one tip that jumped out as a quick win with (typically) no impact was the ‘debug programs’ setting on the machine policy.
As this is set to “Administrators” by default, which means the attacker needs to get admin rights on any machine (local admin, or via privilege escalation) to allow them to dump password hashes from memory. Disabling this for all users helps to prevent hash dumping tools from achieving their goal.
To find this in Group Policy navigate to:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
If debugging is needed, consider creating a debugging group containing accounts without admin rights, allow the user to use the ‘run-as’ feature, and delete the user once the task has been completed.
If the user needs full time debugging rights, treat their machine as a hostile entity, set up some strong firewall and IDS rules (make sure they are logically located behind these devices first 🙂 ), ensure that credential caching is down to the lowest usable amount (this would depend on if it’s a laptop or workstation) and only ever administer that device with ‘burner-admins’ – these are temporary admin accounts that are used for a single task then deleted, this may sound like a pain, but the alternative is more painful.