nerdexam
GIAC

GCIH · Question #645

An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attacks?

The correct answer is B. Disable the local administrator account. Even with local account token filtering enabled, the built-in local Administrator account (RID 500) is exempt from that policy and remains usable in pass-the-hash attacks, so it must be disabled.

Vulnerability Exploitation & Privilege Escalation

Question

An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attacks?

Options

  • ARemove active command prompts
  • BDisable the local administrator account
  • CDisable null sessions on the domain
  • DBlock outbound access to TCP port 139

How the community answered

(56 responses)
  • A
    4% (2)
  • B
    70% (39)
  • C
    9% (5)
  • D
    18% (10)

Why each option

Even with local account token filtering enabled, the built-in local Administrator account (RID 500) is exempt from that policy and remains usable in pass-the-hash attacks, so it must be disabled.

ARemove active command prompts

Removing active command prompts is a session-based action and does not prevent credential reuse via hashed credentials.

BDisable the local administrator accountCorrect

Windows UAC remote restrictions (LocalAccountTokenFilterPolicy) strip elevation from standard local accounts over the network, but the built-in Administrator account (RID 500) is explicitly excluded from this restriction. Disabling that account closes the remaining pass-the-hash vector because there is no privileged local account whose NTLM hash can be leveraged for lateral movement.

CDisable null sessions on the domain

Disabling null sessions restricts unauthenticated enumeration but does not prevent an attacker who already holds a valid NTLM hash from authenticating.

DBlock outbound access to TCP port 139

Blocking TCP 139 limits NetBIOS sessions but pass-the-hash can still occur over SMB on TCP 445, so this is insufficient.

Concept tested: Mitigating pass-the-hash via local Administrator account

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

Topics

#pass-the-hash#local administrator#token filtering#lateral movement defense

Community Discussion

No community discussion yet for this question.

Full GCIH Practice