How to change the NT hash of privileged and unprivileged accounts that require smart cards in an Active Directory domain.

Overview

This article guides professionals on how to change the NT hash of privileged and unprivileged accounts that require smart cards in an Active Directory domain, so that a hash captured once cannot be reused indefinitely for Pass-the-Hash.

Implementing this control should be treated as at least medium importance.


How to implement this security control

When a smart card is required for interactive logon (the SCRIL flag), the domain controller sets a random password for the account and the resulting NT hash is never changed unless something forces it. The NT hash of such privileged and unprivileged accounts can be rolled as follows.

In Windows Server 2016 with a domain functional level of Windows Server 2016:

  1. Open "Active Directory Administrative Center".
  2. Right-click on the domain name and select "Properties".
  3. Check "Enable rolling of expiring NTLM secrets during sign-on, for users who are required to use Microsoft Passport or smart card for interactive sign on". The NT hash of each smart card-enforced account is then regenerated at sign-on once it is older than the maximum password age.

In Active Directory domains not at a Windows Server 2016 domain functional level:

  1. Rotate the NT hash of smart card-enforced accounts on a fixed schedule (the verification below uses 60 days). This can be accomplished with the use of scripts, such as the following.

DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx.  See the User Guide for additional information.

NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance.  Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash.  See the site for additional information.

Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users.
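As an added example (not from the original article, the DISA tool or the NSA PtHTools module), the following PowerShell performs the manual roll described above in bulk: it selects enabled SCRIL accounts whose PasswordLastSet is older than a rotation interval, clears and re-sets the "Smart card is required for interactive logon" flag, and reports whether PasswordLastSet advanced. The 60-day default interval, the parameter names and the stale-account selection are assumptions in this example; it needs the ActiveDirectory RSAT module and write access to the accounts' userAccountControl attribute.

```powershell
# Added example: bulk NT hash roll for smart card-enforced (SCRIL) accounts by
# clearing and re-setting "Smart card is required for interactive logon".
# Assumptions (not from the original article): 60-day interval, selection of
# accounts by PasswordLastSet. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxAgeDays = 60,
    [string]$SearchBase       # defaults to the domain root
)

Import-Module ActiveDirectory

if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# userAccountControl bit 0x40000 (262144) = SMARTCARD_REQUIRED. The matching-rule
# OID 1.2.840.113556.1.4.803 is a bitwise AND, so only SCRIL accounts match.
$scrilFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))'
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled SCRIL accounts whose NT hash is older than the interval (or never set).
$stale = Get-ADUser -LDAPFilter $scrilFilter -SearchBase $SearchBase -Properties PasswordLastSet |
         Where-Object { $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) }

Write-Verbose ("{0} SCRIL account(s) with NT hash older than {1} days" -f @($stale).Count, $MaxAgeDays)

foreach ($u in $stale) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Roll NT hash (clear and re-set SCRIL)')) {
        try {
            # Clearing the flag and setting it again makes the DC generate a new
            # random password, and therefore a new NT hash, for the account.
            Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $false -ErrorAction Stop
            Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $true  -ErrorAction Stop

            $after = Get-ADUser -Identity $u.DistinguishedName -Properties PasswordLastSet
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                OldPwdLastSet  = $u.PasswordLastSet
                NewPwdLastSet  = $after.PasswordLastSet
                Rolled         = ($after.PasswordLastSet -gt $u.PasswordLastSet)
            }
        }
        catch {
            Write-Warning ("Failed to roll {0}: {1}" -f $u.SamAccountName, $_.Exception.Message)
            # Never leave an account with SCRIL cleared because the second call failed.
            Set-ADUser -Identity $u.DistinguishedName -SmartcardLogonRequired $true -ErrorAction SilentlyContinue
        }
    }
}
```

Run it as `.\Roll-ScrilHash.ps1 -WhatIf -Verbose` to see which accounts would be touched, then without `-WhatIf`. A `Rolled` value of `False` for an account means PasswordLastSet did not advance and the toggle should be investigated. This script uses the same mechanism as the manual method above, so it inherits the same caveat: each account is briefly in a state where SCRIL is cleared, which is why the script re-sets the flag even on failure.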


How to verify this security control is implemented

In Windows Server 2016 with a domain functional level of Windows Server 2016:

  1. Open "Active Directory Administrative Center".
  2. Right-click on the domain name and select "Properties".
  3. If the "Domain functional level:" is not "Windows Server 2016", the built-in rolling feature is not available and another method must be used to reset the NT hashes; see the check for lower functional levels below.
  4. If the "Domain functional level:" is "Windows Server 2016" and "Enable rolling of expiring NTLM secrets during sign-on, for users who are required to use Microsoft Passport or smart card for interactive sign-on" is not checked, this is a finding.

In Active Directory domains with a domain functional level below Windows Server 2016:

  1. Verify that the organization rotates the NT hash of smart card-enforced accounts at least every 60 days, for example with the scripts referenced above. If it does not, this is a finding.
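As an added example that is not part of the original article, the following PowerShell performs the verification above without clicking through ADAC: it reads the domain functional level and the domain attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts, and then, as evidence independent of any tool's own logging, lists enabled SCRIL accounts whose NT hash is older than the rotation interval. That this attribute is what the ADAC checkbox writes, and the 60-day interval, are assumptions made by this example.

```powershell
# Added example: verify the SCRIL NT hash rolling control from PowerShell.
# Assumptions (not from the original article): the ADAC checkbox "Enable rolling
# of expiring NTLM secrets during sign-on..." is stored in the domain attribute
# msDS-ExpirePasswordsOnSmartCardOnlyAccounts, and 60 days is the rotation interval.
param([int]$MaxAgeDays = 60)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$attr   = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

# Read the domain-level setting; the attribute does not exist in a pre-2016 schema.
$rolling = $false
try {
    $rolling = [bool](Get-ADObject -Identity $domain.DistinguishedName -Properties $attr -ErrorAction Stop).$attr
}
catch {
    Write-Warning "Could not read $attr (schema may predate Windows Server 2016): $($_.Exception.Message)"
}

# DomainMode is an enum; Windows2016Domain and later support the built-in roll.
$dflOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain

if ($dflOk -and $rolling) {
    Write-Output "PASS: DFL $($domain.DomainMode), $attr = TRUE (built-in rolling enabled)."
}
elseif ($dflOk) {
    Write-Output "FINDING: DFL $($domain.DomainMode) but $attr is not set."
    # Remediation equivalent to ticking the ADAC checkbox (run with -WhatIf first):
    # Set-ADObject -Identity $domain.DistinguishedName -Replace @{ $attr = $true }
}
else {
    Write-Output "INFO: DFL $($domain.DomainMode) is below Windows Server 2016; script-based rotation must be used."
}

# Evidence check: an enabled SCRIL account whose PasswordLastSet is older than the
# interval has an NT hash that was not rolled in that time, whatever method is claimed.
# userAccountControl bit 0x40000 (262144) = SMARTCARD_REQUIRED; the OID is a bitwise AND.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$stale  = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=262144)' -Properties PasswordLastSet |
          Where-Object { $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) }

if ($stale) {
    Write-Output ("FINDING: {0} SCRIL account(s) with NT hash older than {1} days:" -f @($stale).Count, $MaxAgeDays)
    $stale |
        Select-Object SamAccountName, PasswordLastSet,
            @{ Name = 'AgeDays'; Expression = {
                if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { 'never set' } } } |
        Sort-Object PasswordLastSet |
        Format-Table -AutoSize
}
else {
    Write-Output "PASS: no enabled SCRIL account has an NT hash older than $MaxAgeDays days."
}
```

The account-age check is worth running even when the domain setting is enabled: the built-in feature only rolls the hash when the user actually signs on, so an account that has not logged on since the setting was enabled, or a service-style account that never signs on interactively, can still carry an old hash.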


Why you should implement this security control

When a smart card is required for a domain account, the domain controller generates a long random password that the user never knows. Unlike passwords chosen by users, which the maximum password age policy forces to change, this password and its NT hash are never changed on their own.

Disabling and re-enabling "Smart card is required for interactive logon" (SCRIL) makes the domain controller generate a new random password, replacing the account's NT hash. Without this, an NT hash captured once remains valid for Pass-the-Hash indefinitely, and for a privileged account that is a standing path to domain compromise.

Windows Server 2016 includes a built-in SCRIL hash rolling feature that resets the NT hash of such accounts at sign-on, in accordance with the existing maximum password age policy. This requires the domain functional level to be Windows Server 2016.

In Active Directory with a domain functional level below Windows Server 2016, scripts can be used to reset the NT hashes of smart card-enforced accounts. Review the associated documentation for potential issues before running them against production accounts.
