Steps to secure Active directory pass the hash attack and clear text password


  • Hi,

    I have Microsoft Active directory implemented with windows OS 2012R2 person who don't have Any privilege rights on the server he is able to escalate himself as enterprise admin. I would like to know how to secure this. As per my understanding he is using pass the hash attack and PowerShell exploit.

    Nagesh C Samant

    Monday, November 28, 2016 4:53 AM

All replies

    • Administrators should have separate admin workstations for administration activities. Admin accounts should never be logged onto regular workstations where user activities such as email and web browsing are performed. This limits credential theft opportunities. Note that smartcards don’t prevent credential theft since accounts requiring smartcard authentication have an associated password hash that’s used behind the scenes for resource access. The smartcard only ensures that the user authenticating to the system has the smartcard in their possession. Once used to authenticate to a system, the smartcard two factor authentication (2fA) becomes one factor, using the account’s password hash (which is placed in memory). Furthermore, once an account is configured for smartcard authentication, a new password is generated by the system for the account (and never changed).
    • All local Administrator account passwords on workstations and servers should be long, complex, and random using a product like Microsoft LAPS.
    • Limit the groups/accounts that have rights to logon to Domain Controllers.
    • Limit groups/accounts with full Active Directory rights, especially service accounts.
    • Protect every copy of the Active Directory database (ntds.dit) and don’t place on systems at a lower trust level than Domain Controllers.
    • Configure Group Policy to prevent local Administrator accounts from authenticating over the network. The following sample GPO prevents local accounts from logging on over the network (including RDP) and also blocks Domain Admins & Enterprise Admins from logging on at all. The GPO includes the following settings:
      • Deny access to this computer from the network: local account, Enterprise Admins, Domain Admins
      • Deny log on through Remote Desktop Services: local account, Enterprise Admins, Domain Admins
      • Deny log on locally: Enterprise Admins, Domain Admins
    • Proposed as answer by Weily Ngui Monday, November 28, 2016 5:13 AM
    Monday, November 28, 2016 5:13 AM
  • Hi Nagesh,
    I would suggest you use restricted groups of group policy to define Members properties for security-sensitive (restricted) groups. When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.
    Please see:
    Description of Group Policy Restricted Groups
    Active Directory Group Policy Restricted Groups
    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, November 29, 2016 4:35 AM
  • Have a look at
    Tuesday, November 29, 2016 2:24 PM
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, December 2, 2016 8:40 AM