One of the most common credential theft and reuse attacks seen by Microsoft to date is the Pass-the-Hash (PtH) attack. As the tools and techniques for credential theft and reuse improve, attackers find it easier to reach their goals through these attacks. A PtH attack is similar in concept to password theft, but it steals and reuses the password hash rather than the plaintext password: NTLM authentication keys its challenge-response exchange with the NT hash itself, so an attacker who holds the hash can authenticate as that user without ever cracking it.
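To make the "hash is enough" point concrete, the following added example (written for this page, not code from the original article or from Microsoft) computes an NTLMv2 challenge-response using nothing but the NT hash. The NT hash is the widely known hash of the string "password"; the user, domain, server challenge and client blob are constructed test values, not a captured exchange.

```powershell
# Added example (not from the original page): why a stolen NT hash is enough.
# NTLMv2 (MS-NLMP 3.3.2) derives everything in its challenge-response from the
# NT hash, so a client holding only the hash produces a valid response.
# All inputs below are constructed test values.

function ConvertFrom-Hex {
    param([Parameter(Mandatory)] [string] $Hex)
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

function ConvertTo-Hex {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-NtlmV2Response {
    param(
        [Parameter(Mandatory)] [byte[]] $NtHash,          # 16 bytes: MD4(UTF-16LE(password))
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [byte[]] $ServerChallenge, # 8 bytes from the CHALLENGE_MESSAGE
        [Parameter(Mandatory)] [byte[]] $ClientBlob       # NTLMv2_CLIENT_CHALLENGE: timestamp, nonce, target info
    )
    $utf16 = [System.Text.Encoding]::Unicode
    # NTOWFv2 = HMAC-MD5(NtHash, UTF-16LE(UPPER(user) + domain)). The password never appears.
    $hmac1      = [System.Security.Cryptography.HMACMD5]::new($NtHash)
    $ntlmv2Hash = $hmac1.ComputeHash($utf16.GetBytes($User.ToUpperInvariant() + $Domain))
    # NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || ClientBlob)
    $hmac2      = [System.Security.Cryptography.HMACMD5]::new($ntlmv2Hash)
    $ntProofStr = $hmac2.ComputeHash([byte[]]($ServerChallenge + $ClientBlob))
    # NtChallengeResponse = NTProofStr || ClientBlob
    [byte[]]($ntProofStr + $ClientBlob)
}

# Constructed test values.
$ntHash    = ConvertFrom-Hex '8846f7eaee8fb117ad06bdd830b7586c'   # NT hash of "password"; the string itself is never used
$challenge = ConvertFrom-Hex '0123456789abcdef'                   # 8-byte server challenge
# Minimal client blob: RespType 01, HiRespType 01, reserved, timestamp, client nonce,
# reserved, an empty AV_PAIR list (MsvAvEOL), reserved.
$blob      = ConvertFrom-Hex '01010000000000000000000000000000aabbccddeeff001100000000000000000000000000000000'

$response = Get-NtlmV2Response -NtHash $ntHash -User 'alice' -Domain 'CORP' `
                               -ServerChallenge $challenge -ClientBlob $blob
'NTProofStr:          ' + (ConvertTo-Hex $response[0..15])
'NtChallengeResponse: ' + (ConvertTo-Hex $response)

# The verifier (the server, or the domain controller over Netlogon) stores the same
# NT hash and recomputes NTProofStr exactly this way, so the hash is a
# password-equivalent on both sides of the exchange.
```

The example only models the response computation; a real exchange also carries the negotiate and challenge messages and the target information the server supplies in the blob. The point it demonstrates is that no step of the computation needs the plaintext, which is why protecting and invalidating hashes matters as much as protecting passwords.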
The following procedure shows how to prevent an application from running using Software Restriction Policies (SRP). More details about Software Restriction Policies and the available options can be found here.
This example shows how to prevent the Windows Notepad application (notepad.exe) from executing:
- Start the Local Group Policy Editor by typing gpedit.msc in the Start search box
- Go to Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies (if no policy exists yet, right-click the node and choose New Software Restriction Policies)
- Expand the Software Restriction Policies node and select Additional Rules
- In the right-hand pane, right-click and select New Path Rule…
- Click Browse, select notepad.exe (for example %SystemRoot%\System32\notepad.exe), and set the Security level to Disallowed
- Click OK, then run gpupdate /force or sign out and back in; the rule applies to processes started after the policy is refreshed
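The same rule can be created without the GUI. The following added example (not code from the original page or from Microsoft) writes the registry keys that Software Restriction Policies are read from, lists the resulting rules the way the Additional Rules pane does, and shows how to confirm a block from the event log. It assumes a stand-alone machine whose SRP is not managed by a domain GPO (a domain GPO would overwrite these keys at the next policy refresh) and an elevated PowerShell session; the level IDs and value names are the ones the editor itself writes.

```powershell
# Added example (not from the original page): script the "Disallowed" path rule
# for Notepad that the gpedit.msc steps above create. Assumes a stand-alone
# machine without a domain SRP GPO and an elevated PowerShell session.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER security-level IDs; each is also the name of a subkey under CodeIdentifiers.
$Disallowed   = 0x00000
$BasicUser    = 0x20000
$Unrestricted = 0x40000

function Initialize-SrpPolicy {
    # Equivalent of "New Software Restriction Policies": default level Unrestricted,
    # enforced for all users (PolicyScope 0) on all files except libraries
    # (TransparentEnabled 1; 2 would include DLLs), plus the standard
    # Designated File Types list that decides which extensions count as executable.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    $defaults = [ordered]@{
        DefaultLevel        = $Unrestricted
        TransparentEnabled  = 1
        PolicyScope         = 0
        AuthenticodeEnabled = 0
    }
    foreach ($name in $defaults.Keys) {
        if (-not (Get-ItemProperty -Path $Safer -Name $name -ErrorAction SilentlyContinue)) {
            New-ItemProperty -Path $Safer -Name $name -Value $defaults[$name] -PropertyType DWord | Out-Null
        }
    }
    if (-not (Get-ItemProperty -Path $Safer -Name ExecutableTypes -ErrorAction SilentlyContinue)) {
        $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
                 'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
                 'URL','VB','WSC'
        New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString | Out-Null
    }
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Level       = $Disallowed,
        [string] $Description = 'Added by script'
    )
    Initialize-SrpPolicy
    # Each rule is a GUID-named subkey under <level>\Paths. ItemData is REG_EXPAND_SZ,
    # so %SystemRoot%-style paths work exactly as they do in the editor.
    $ruleKey = Join-Path $Safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    $ruleKey
}

function Get-SrpPathRule {
    # List every path rule with its level, as the "Additional Rules" pane shows them.
    foreach ($levelKey in Get-ChildItem -Path $Safer -ErrorAction SilentlyContinue) {
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level = switch ([int]$levelKey.PSChildName) {
                            $Disallowed   { 'Disallowed' }
                            $BasicUser    { 'Basic User' }
                            $Unrestricted { 'Unrestricted' }
                            default       { $_ }
                        }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

# Usage: Windows ships more than one copy of notepad.exe (System32, the Windows
# directory and SysWOW64 on 64-bit), and a path rule only covers the location it
# names, so block each copy you care about.
Add-SrpPathRule -Path '%SystemRoot%\notepad.exe'          -Description 'Block Notepad'
Add-SrpPathRule -Path '%SystemRoot%\System32\notepad.exe' -Description 'Block Notepad'
Get-SrpPathRule | Format-Table -AutoSize

# Verify after signing in again: a launch blocked by a path rule is recorded in the
# Application log as event 866 from source SoftwareRestrictionPolicies, naming the rule's path.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Writing the keys directly takes effect for new processes without a policy refresh, but anything a domain GPO manages will be reasserted at the next refresh, so in a domain the rule belongs in the GPO rather than in this script. The event query is the check to run after deployment: if a standard user can still start Notepad and no 866 event appears, either the policy has not been applied to that session yet or the user is launching a copy the path rules do not cover.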
In most organizations the majority of employees run the same applications, and it is normal to find a list of approved applications. Beyond preventing standard users (accounts without administrator privileges) from installing unapproved applications, some IT policies require that certain applications which must be present on the computer for administration purposes cannot be executed by standard users. For example, you may want to block admin scripts and specific DLLs from running. You can achieve this with Group Policy Software Restriction Policies. Keep in mind that a path rule identifies a program by its location, not its contents: a user who can copy the blocked executable to a writable folder can run it from there unless the default security level is Disallowed or a hash rule is used, and the policy applies to DLLs only if enforcement is configured to include them.