How to Harden Active Directory Against Pass-the-Hash on Windows Server 2012 R2
Pass-the-Hash (PtH) is an attack technique in which an adversary captures an NTLM credential hash from one system and uses it to authenticate to other systems without knowing the actual password. Because NTLM hashes are reusable, a single compromised credential can lead to domain-wide compromise within minutes. Windows Server 2012 R2 introduced several controls that directly address PtH, including the Protected Users security group, restricted admin mode, and enhanced credential isolation. This guide covers every layer of PtH mitigation available on Windows Server 2012 R2.
Prerequisites
- Active Directory domain with Windows Server 2012 R2 domain controllers at minimum
- Domain Admin access
- A tiered administration model (Tier 0/1/2) is strongly recommended before implementing these controls, as some changes affect how administrators log on
- The Microsoft Pass-the-Hash guidance whitepaper reviewed by your security team
Step 1: Enforce NTLMv2 and Disable LM Authentication
LM and NTLM authentication produce easily crackable hashes. Enforce NTLMv2 at minimum across the domain via Group Policy:
Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:
# Set via registry (also set via GPO in production):
# LAN Manager authentication level = 5 (NTLMv2 only, refuse LM & NTLM)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LmCompatibilityLevel" -Value 5 -Type DWord
# Minimum NTLM session security (require NTLMv2 session security and 128-bit encryption; 537395200 = 0x20080000)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    -Name "NTLMMinClientSec" -Value 537395200 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" `
    -Name "NTLMMinServerSec" -Value 537395200 -Type DWord
# Do not store LM hash values
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "NoLMHash" -Value 1 -Type DWord
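Setting these values is only half the job; GPO refreshes, imaging drift and local overrides can silently undo them. The following function is an added example (not from the original guide) that reads the four Step 1 values back from one or more servers and reports any that do not match the enforced setting. Hostnames in the final call are placeholders.

```powershell
function Test-NtlmHardening {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Expected values are the ones Step 1 sets; paths and value names are the real registry locations
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'LmCompatibilityLevel'; Expected = 5 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'NoLMHash';             Expected = 1 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinClientSec';     Expected = 537395200 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinServerSec';     Expected = 537395200 }
    )

    $script = {
        param($checks)
        foreach ($c in $checks) {
            # A missing value means the OS default applies, which is weaker than the enforced setting
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Setting      = $c.Name
                Expected     = $c.Expected
                Actual       = if ($null -eq $actual) { '<not set>' } else { $actual }
                Compliant    = ($actual -eq $c.Expected)
            }
        }
    }

    foreach ($computer in $ComputerName) {
        # Local host is read directly; remote hosts are queried over WinRM
        if ($computer -eq $env:COMPUTERNAME) { & $script $checks }
        else { Invoke-Command -ComputerName $computer -ScriptBlock $script -ArgumentList (,$checks) }
    }
}

# Report only the settings that still need attention (hostnames are placeholders)
Test-NtlmHardening -ComputerName 'DC01','FS01' | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```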
Step 2: Add Privileged Accounts to the Protected Users Group
The Protected Users security group (introduced in Windows Server 2012 R2) applies additional protections to member accounts, including:
- No NTLM authentication (Kerberos only)
- No DES or RC4 encryption in Kerberos
- No credential delegation (no unconstrained delegation)
- No long-lived TGT (maximum 4-hour tickets, non-renewable)
- No caching of credentials on devices
# Add privileged accounts to Protected Users
Add-ADGroupMember -Identity "Protected Users" -Members "DomainAdmin1","DomainAdmin2","EnterpriseAdmin1"
# Add a service account (WARNING: verify the account doesn't use NTLM or need delegation)
# Add-ADGroupMember -Identity "Protected Users" -Members "svc-backup"
# Verify group membership
Get-ADGroupMember -Identity "Protected Users" | Select-Object Name, SamAccountName
Warning: Do not add service accounts that use NTLM-based authentication or unconstrained Kerberos delegation to Protected Users. Test in a non-production environment first.
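The warning above is easier to act on with a pre-flight check. The function below is an added example (not from the original guide) that inspects each candidate account for the attributes that conflict with Protected Users (delegation settings, an explicit encryption-type list without AES, SPNs that mark a service account) and counts recent NTLM logons for that account in the Security log of the domain controller it runs on. It assumes the ActiveDirectory module is available; the account names in the final call are placeholders.

```powershell
function Test-ProtectedUsersCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [int]$LookbackDays = 7
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Accounts that authenticated with NTLM to this DC recently (4624 with AuthenticationPackageName = NTLM)
    $since = (Get-Date).AddDays(-$LookbackDays)
    $ntlmUsers = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM') { $d.TargetUserName }
        } | Group-Object -AsHashTable -AsString

    foreach ($id in $Identity) {
        $u = Get-ADUser -Identity $id -Properties TrustedForDelegation, TrustedToAuthForDelegation,
            'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes', ServicePrincipalName
        $blockers = @()
        if ($u.TrustedForDelegation) { $blockers += 'unconstrained delegation enabled' }
        if ($u.TrustedToAuthForDelegation -or $u.'msDS-AllowedToDelegateTo') { $blockers += 'constrained delegation configured' }
        # If the attribute is set explicitly, it must include AES128 (0x08) or AES256 (0x10)
        $enc = $u.'msDS-SupportedEncryptionTypes'
        if ($enc -and (($enc -band 0x18) -eq 0)) { $blockers += 'encryption types exclude AES' }
        if ($u.ServicePrincipalName.Count -gt 0) { $blockers += 'has SPNs (service account; confirm its clients use Kerberos)' }
        $n = if ($ntlmUsers -and $ntlmUsers.ContainsKey($u.SamAccountName)) { $ntlmUsers[$u.SamAccountName].Count } else { 0 }
        if ($n -gt 0) { $blockers += "$n NTLM logons on this DC in the last $LookbackDays days" }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            SafeToAdd      = ($blockers.Count -eq 0)
            Blockers       = ($blockers -join '; ')
        }
    }
}

Test-ProtectedUsersCandidate -Identity 'DomainAdmin1','svc-backup' | Format-Table -AutoSize
```

The NTLM count covers only the DC the function runs on; run it on each DC (or against a central log collector) before treating a zero as proof that the account never uses NTLM.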
Step 3: Enable Restricted Admin Mode for RDP
Standard RDP connections send credentials to the remote server, where they are cached in LSASS memory—making them harvestable by credential theft tools. Restricted Admin Mode prevents credentials from being sent to the remote host:
# Enable Restricted Admin Mode on the TARGET server
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "DisableRestrictedAdmin" -Value 0 -Type DWord
# Verify
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").DisableRestrictedAdmin
Connect using Restricted Admin Mode from the client:
mstsc /restrictedAdmin /v:TARGETSERVER01
Step 4: Disable NTLM in the Domain (Phased Approach)
For environments ready to eliminate NTLM entirely, configure NTLM auditing first, then block it after verifying all applications use Kerberos:
# Phase 1: Audit NTLM authentication in the domain
# GPO: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" = Enable all
# Phase 2: Audit incoming NTLM traffic on servers
# "Network security: Restrict NTLM: Audit incoming NTLM traffic" = Enable auditing for all accounts
# Check audit results in Event Viewer:
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" -MaxEvents 100 |
Where-Object { $_.Id -eq 8004 } |
Select-Object TimeCreated, Message
# Phase 3 (after audit confirms no dependencies): Deny NTLM
# "Network security: Restrict NTLM: NTLM authentication in this domain" = Deny all
Step 5: Implement Tiered Administration Model
The PtH mitigation most recommended by Microsoft is a Tier 0 / Tier 1 / Tier 2 administration model that prevents admin credentials from being exposed on lower-trust systems:
# Create separate admin accounts per tier
# (New-ADUser creates the account disabled; supply -AccountPassword and -Enabled $true to activate it)
New-ADUser -Name "AdminT0-JohnDoe" -SamAccountName "adm-t0-jdoe" `
    -Description "Tier 0 - Domain Controller administration" `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $false
New-ADUser -Name "AdminT1-JohnDoe" -SamAccountName "adm-t1-jdoe" `
    -Description "Tier 1 - Server administration" `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $false
New-ADUser -Name "AdminT2-JohnDoe" -SamAccountName "adm-t2-jdoe" `
    -Description "Tier 2 - Workstation administration" `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $false
Create Privileged Access Workstations (PAWs) for Tier 0 and Tier 1 administration and enforce logon restrictions via GPO so that Tier 0 accounts can only log onto domain controllers and PAWs:
# GPO: Deny log on locally to Tier 0 accounts on Tier 1/2 systems
# Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
# "Deny log on locally" → add Tier 0 admin groups on all non-DC computers
Step 6: Protect the LSASS Process
Credential dumping tools like Mimikatz access LSASS memory to extract credential hashes. Enable LSASS protection features available on Windows Server 2012 R2:
# Disable WDigest credential caching
# (WDigest stores cleartext credentials in memory - turn this off)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
    -Name "UseLogonCredential" -Value 0 -Type DWord
# Verify
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest").UseLogonCredential
Disable credential caching on servers (prevents domain credentials from being cached locally):
# Set cached logons to 0 on servers (use 1 only if the server may be offline from a DC)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
    -Name "CachedLogonsCount" -Value "0" -Type String
Step 7: Monitor for PtH Indicators
Configure alerting on event IDs that indicate PtH or credential harvesting:
# Monitor for NTLM logons from unusual sources (Event ID 4624, Logon Type 3, Auth Package NTLM)
Get-WinEvent -LogName Security -FilterXPath `
"*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM'] and EventData[Data[@Name='LogonType']='3']]" `
-MaxEvents 100 | Select-Object TimeCreated, Message
# Monitor for pass-the-hash indicators: failed logons (Event ID 4625) with sub status 0xC000006A
# (this query returns all 4625 events; check the SubStatus field in each message when reviewing)
Get-WinEvent -LogName Security -FilterXPath `
    "*[System[EventID=4625]]" -MaxEvents 50 | Select-Object TimeCreated, Message
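The raw 4624 query above returns one message per event, which is hard to alert on. The function below is an added example (not from the original guide) that parses the event XML, keeps NTLM network logons (Logon Type 3) by user accounts, aggregates them by target account and source address, and flags any account that belongs to one of the privileged groups from Steps 2 and 5, since those accounts should no longer authenticate with NTLM at all. It assumes the ActiveDirectory module is available and that the caller can read the Security log on the named server; the hostname in the final call is a placeholder.

```powershell
function Get-NtlmNetworkLogonSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [string[]]$PrivilegedGroup = @('Protected Users', 'Domain Admins', 'Enterprise Admins')
    )
    # Map SamAccountName -> group for accounts that should never appear with NTLM
    $privileged = @{}
    foreach ($g in $PrivilegedGroup) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.SamAccountName] = $g }
    }

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <Data Name="..."> elements into a hashtable for readable lookups
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            # Keep NTLM network logons by user accounts; computer accounts ($) are expected noise here
            if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LogonType -eq '3' -and $d.TargetUserName -notlike '*$') { $d }
        } |
        Group-Object { "$($_.TargetDomainName)\$($_.TargetUserName)|$($_.IpAddress)" } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Account         = "$($first.TargetDomainName)\$($first.TargetUserName)"
                SourceAddress   = $first.IpAddress
                SourceHost      = $first.WorkstationName
                Count           = $_.Count
                PrivilegedGroup = $privileged[$first.TargetUserName]
                Alert           = $privileged.ContainsKey($first.TargetUserName)
            }
        } | Sort-Object Alert, Count -Descending
}

Get-NtlmNetworkLogonSummary -ComputerName 'DC01' | Format-Table -AutoSize
```

Rows with Alert set to True are the ones worth paging on; a privileged account showing NTLM network logons after Step 2 means either the Protected Users change has not applied or something is authenticating with that account's hash.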
Summary
Pass-the-Hash mitigation on Windows Server 2012 R2 requires a layered approach: enforce NTLMv2, add privileged accounts to the Protected Users group, enable Restricted Admin Mode for RDP, disable WDigest credential caching, implement credential caching controls, and build toward a tiered administration model. No single control eliminates PtH entirely—the combination of these controls significantly raises the cost and complexity of lateral movement, forcing attackers to use more detectable techniques and giving your detection capabilities more opportunity to identify the attack before domain compromise occurs.