Defence! How to protect your organisation’s network and data

Two key security principles for ensuring organisational security.

During the recent Microsoft TechEd conference, held in Auckland from 9 to 12 September, a credential theft technique that has been around for a number of years, known as Pass the Hash, was raised by a number of speakers. Another point raised was that a large number of security breaches and data leaks are now attributable to employees rather than external hackers.

An example of a Pass the Hash attack

Using the Pass the Hash attack as an example, one of your staff receives an email from what looks like a legitimate social network that claims to have a message from a member wishing to connect with them. The user clicks on the URL provided to access the message and in the blink of an eye a malicious browser add-on is installed whilst the user is directed to a fake version of the social network site.

The malicious add-on in question allows the attacker to control the user’s machine using the user’s credentials. The user is a local administrator on their machine, giving the attacker full local access. The attacker then uses a tool to extract the password hashes of other accounts that have recently logged on to the machine, including a Domain Admin account.

The attacker now has a login that will allow full access to all of your workstations, servers and domain controllers.

This scenario may sound farfetched but it is in fact very much possible using basic phishing attacks and the Pass the Hash credential theft technique.

Many organisations may think that they do not hold sensitive data and therefore do not need robust security protections in place. To these organisations I would ask one question – do you hold customers’ names and email addresses?

This information alone is of value to hackers wishing to launch phishing attacks and to less principled marketing firms and spammers that are looking for a pre-screened directory of contact details for real people – your customers.

Parties who would like access to this type of customer information may not even need to compromise your networks and servers: they may simply proposition one of your employees, or a disgruntled employee who is leaving may decide to use their access to harm your organisation.

How can you protect your network and data from attacks of this nature?

Whilst there are specific mitigations for Pass the Hash in the Microsoft Trustworthy Computing document linked at the end of this post, there are two security principles that, if followed, will limit your exposure not only to Pass the Hash attacks but also to many other forms of attack, including attacks from within your organisation.

The first of these security principles is the principle of defence in depth.

Most organisations are very good at protecting their borders through the use of network firewall appliances but what if an attacker were able to get past the firewall through an open port or a phishing attack like that used in the previous scenario? From a compromised user’s workstation what other resources will the attacker have access to? Other workstations? Servers? Network traffic?

Defence in Depth uses a layered approach to security in which your internal network is treated as insecure. In practical terms this could mean that different service layers are firewalled from each other, using separate firewalled network zones for each service type, for example database services, authentication services and web services. Where possible, traffic between these zones should also be encrypted in order to mitigate man-in-the-middle attacks. As an added layer of defence, local Windows firewalls should be enabled and server hardening policies that disable unused services and network ports should be applied.

With Defence in Depth in place, if a single system is compromised we can limit the attacker’s ability to reach other network resources. This gives the network and security administrators more time and opportunity to become aware of the attack and ultimately to stop it.

The second security principle is the principle of least privilege. Least privilege means that every account within your organisation should be granted only the minimum rights and permissions required to perform the tasks expected of that account.

As an example, if a systems administrator needs to access a user’s workstation to assist with an issue, they do not require Domain Admin access to perform tasks on that workstation.

A more secure approach would be to provide your administrators with a workstation admin account that is a member of the local workstation Administrators group only. This way, if the account were ever compromised by Pass the Hash or another credential attack, it would have access to nothing beyond user workstations. This approach of least privilege should be applied to all Windows accounts, including application service accounts.
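A defender’s check for the account tiering described above, added here as an example and not taken from the original post: it runs over constructed records of Windows Security event 4624 (the event ID and logon type codes are the real ones; the host names, accounts, group membership and tier model are assumed sample data) and flags interactive or remote-interactive logons by a privileged account onto a host tier that account is not meant to use. A Domain Admin logging on to a workstation is exactly what leaves a reusable hash on that machine in the scenario at the top of the post.

```python
from collections import namedtuple

# Windows Security event 4624 logon types that leave the account's credential
# material on the target host (Interactive=2, RemoteInteractive=10); network
# logons (type 3) do not. These are the logons a Pass the Hash attacker harvests.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 10}

# Assumed tier model: the host tiers each privileged group may log on to.
ALLOWED_HOST_TIER = {"Domain Admins": {"DC"}, "Workstation Admins": {"WS"}}

# Assumed group membership export (constructed sample data, not a real directory).
GROUP_MEMBERS = {
    "Domain Admins": {"CORP\\da-alice"},
    "Workstation Admins": {"CORP\\wsadm-bob"},
}

# One parsed 4624 record; host_tier is "WS" (workstation), "SRV" or "DC".
Logon = namedtuple("Logon", "event_id account host host_tier logon_type")

def tier_violations(events):
    """Return (account, host, logon_type) for each credential-caching logon
    by a privileged account onto a host tier that group is not allowed on."""
    groups_of = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            groups_of.setdefault(member, set()).add(group)
    hits = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue
        if any(ev.host_tier not in ALLOWED_HOST_TIER[g] for g in groups_of.get(ev.account, ())):
            hits.append((ev.account, ev.host, ev.logon_type))
    return hits

# Constructed sample log. The Domain Admin's remote-interactive logon to a
# workstation is the exposure the post describes; the network logon is not.
SAMPLE_EVENTS = [
    Logon(4624, "CORP\\da-alice", "WS-0042", "WS", 10),
    Logon(4624, "CORP\\da-alice", "FS-01", "SRV", 3),
    Logon(4624, "CORP\\wsadm-bob", "WS-0042", "WS", 2),
    Logon(4624, "CORP\\jdoe", "WS-0042", "WS", 2),
    Logon(4624, "CORP\\da-alice", "DC-01", "DC", 10),
]

if __name__ == "__main__":
    for account, host, logon_type in tier_violations(SAMPLE_EVENTS):
        print(f"tier violation: {account} logon type {logon_type} on {host}")
```

In a real environment the records would come from the domain controllers’ or a SIEM’s 4624 feed and the group list from the directory; the rule itself does not change.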

Least privilege is not limited to Windows machines but should also be applied when assigning role-based access within applications. By limiting users to the minimum access required for their role along with auditing of access, you can limit the potential for abuse by employees.

One key point that is often missed when administering user access is the removal of access that is no longer required when users change roles within an organisation; the result is users retaining access to data and systems they no longer need. In many cases this is caused by a lack of documentation of what each role or security group provides. A mitigation is to ensure that easy-to-understand descriptions are added to roles and security groups where possible, or that detailed documentation is available, so that administrators can readily see which changes are required to add or remove access.

It is also very important that organisations have easy-to-follow and well-known user on-boarding, off-boarding and role-change processes in place, from the HR department right through to the system administration staff making the changes. This aspect of user access control is especially relevant when using cloud-based services, as these can be accessed from any internet connection. The last thing an organisation wants is for a staff member to move to a competitor whilst still having access to cloud-based sales and customer data.
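One way to make the role-change and off-boarding process above checkable, added here as an example rather than code from the original post: a documented role catalogue (with the plain-language descriptions the post recommends) is compared against an export of current group membership, and every user whose groups do not match their documented role is reported with the groups to remove and the groups to add. The roles, groups and users are constructed sample data; a leaver with no documented access is treated as a role like any other, so stale access left behind after departure shows up as surplus.

```python
# Reconcile each user's current group membership against the access their
# documented role grants. Assumed inputs (constructed sample data): a role
# catalogue and a membership export. Groups left over from a previous role
# are exactly what role-change and off-boarding processes should remove.

# Assumed role catalogue with the plain-language description the post recommends.
ROLE_CATALOGUE = {
    "sales-rep": {
        "description": "Read/write own opportunities in the cloud CRM",
        "groups": {"CRM-Users", "Sales-Share-RW"},
    },
    "sales-manager": {
        "description": "All sales data plus team reports",
        "groups": {"CRM-Users", "CRM-Reports", "Sales-Share-RW"},
    },
    "helpdesk": {
        "description": "Local admin on user workstations only",
        "groups": {"Workstation Admins", "Ticketing-Users"},
    },
    "leaver": {"description": "Left the organisation; no access", "groups": set()},
}

# Constructed membership export: (user, current role, groups the user is in).
MEMBERSHIP_EXPORT = [
    ("carol", "sales-manager", {"CRM-Users", "CRM-Reports", "Sales-Share-RW"}),
    ("dave", "helpdesk", {"Ticketing-Users", "Workstation Admins", "Sales-Share-RW"}),
    ("erin", "leaver", {"CRM-Users", "Sales-Share-RW"}),
    ("frank", "sales-rep", {"CRM-Users"}),
]

def reconcile(export, catalogue):
    """Return {user: {"surplus": groups to remove, "missing": groups to add}}
    for every user whose membership does not match their role exactly."""
    findings = {}
    for user, role, groups in export:
        if role not in catalogue:
            raise ValueError(f"{user}: role {role!r} is not documented")
        expected = catalogue[role]["groups"]
        surplus, missing = groups - expected, expected - groups
        if surplus or missing:
            findings[user] = {"surplus": surplus, "missing": missing}
    return findings

if __name__ == "__main__":
    for user, delta in reconcile(MEMBERSHIP_EXPORT, ROLE_CATALOGUE).items():
        print(f"{user}: remove {sorted(delta['surplus'])}, add {sorted(delta['missing'])}")
```

An undocumented role raises an error rather than being silently skipped, since a role nobody has described is itself the documentation gap the post warns about.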


By implementing both the defence in depth and least privilege security principles, along with clear user access policies and processes, organisations can create a more secure environment overall: one that limits exposure to specific attacks such as Pass the Hash whilst also providing additional protection against employee abuse of systems. You will also be better prepared for mobile users and BYOD, as your systems are secured both internally within your corporate LAN and on the Internet.

For further information regarding Pass the Hash and how to mitigate your exposure, download the Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf from Microsoft: http://www.microsoft.com/en-nz/download/details.aspx?id=36036

Posted by: Damian Morgan, Solution Architect | 30 September 2014
