GCIH · Question #645
An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attacks?
The correct answer is B. Disable the local administrator account. Even with local account token filtering enabled, the built-in local Administrator account (RID 500) is exempt from that policy and remains usable in pass-the-hash attacks, so it must be disabled.
Question
An organization has enabled local account token filtering in the registry for workstations. What additional step do they need to take in order to defend against pass-the-hash attacks?
Options
- ARemove active command prompts
- BDisable the local administrator account
- CDisable null sessions on the domain
- DBlock outbound access to TCP port 139
How the community answered
(56 responses)- A4% (2)
- B70% (39)
- C9% (5)
- D18% (10)
Why each option
Even with local account token filtering enabled, the built-in local Administrator account (RID 500) is exempt from that policy and remains usable in pass-the-hash attacks, so it must be disabled.
Removing active command prompts is a session-based action and does not prevent credential reuse via hashed credentials.
Windows UAC remote restrictions (LocalAccountTokenFilterPolicy) strip elevation from standard local accounts over the network, but the built-in Administrator account (RID 500) is explicitly excluded from this restriction. Disabling that account closes the remaining pass-the-hash vector because there is no privileged local account whose NTLM hash can be leveraged for lateral movement.
Disabling null sessions restricts unauthenticated enumeration but does not prevent an attacker who already holds a valid NTLM hash from authenticating.
Blocking TCP 139 limits NetBIOS sessions but pass-the-hash can still occur over SMB on TCP 445, so this is insufficient.
Concept tested: Mitigating pass-the-hash via local Administrator account
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
Topics
Community Discussion
No community discussion yet for this question.