In order for a company to defend itself against an insider attack, it must first give up the notion that attacks only come from the outside. The most damaging attacks often come from within, yet access controls and policies on the internal LAN often lag far behind border controls and Internet use policy.
Beyond recognizing the immediate threat, perhaps the single most useful defense against this attack scenario is to eliminate LM hashes from both the domain and the local SAM files. With LM hashes present on the local workstation and shared local Administrator passwords, an attack such as this can be carried out very quickly. Without the LM hashes, the attack would take much longer and the gray hat penetration testers would have to take more risks to achieve their goals, increasing the chances that someone will notice.
In addition to eliminating LM hashes, the following will be effective in defending against the insider attack:
• Disable or centrally manage USB devices
• Configure CMOS to only boot from the hard drive
• Password protect CMOS setup and disable/password protect the boot menu
• Limit descriptive information in user accounts, computer names, and computer descriptions
• Develop a formulaic system of generating local Administrator passwords so each one is unique yet can be arrived at without a master list
• Regularly search all systems on the network for blank local Administrator passwords
• Any addition to the Domain Admins or other highly privileged group should generate a notice to other admins; this may require third-party software or customized scripts
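The last item is the kind of customized script the list refers to. The example below is added here and is not from the book; it runs detection logic over a constructed, pipe-delimited flattening of Windows Security group-membership events (the real records are XML or EVTX; the field order and the sample accounts are assumptions) and returns an alert for every addition to a watched privileged group, ignoring removals and ordinary groups.

```python
from dataclasses import dataclass

# Constructed sample of Windows Security log records, one per line:
# event id | subject (who made the change) | member added | target group.
# Not real log data; the pipe-delimited layout is an assumed export format.
SAMPLE_EVENTS = """\
4728|CORP\\jdoe|CORP\\backupsvc|Domain Admins
4728|CORP\\jdoe|CORP\\jsmith|Sales
4756|CORP\\svc_helpdesk|CORP\\tmp_admin|Enterprise Admins
4732|WS01\\Administrator|WS01\\guestuser|Administrators
4729|CORP\\jdoe|CORP\\backupsvc|Domain Admins
"""

# Windows event IDs for "member added to a security-enabled group":
# 4728 = global group (e.g. Domain Admins), 4756 = universal group
# (e.g. Enterprise Admins), 4732 = local group (e.g. local Administrators).
# 4729 is the matching removal for global groups and is deliberately ignored.
GROUP_ADD_EVENTS = {4728, 4756, 4732}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

@dataclass
class Alert:
    event_id: int
    actor: str
    member: str
    group: str

    def message(self):
        return f"event {self.event_id}: {self.actor} added {self.member} to {self.group}"

def parse_event(line):
    # Split one flattened record into its four fields.
    event_id, actor, member, group = line.split("|")
    return int(event_id), actor, member, group

def detect_privileged_additions(log_text, watched=PRIVILEGED_GROUPS):
    # Return an Alert for each addition of a member to a watched group.
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, actor, member, group = parse_event(line)
        if event_id in GROUP_ADD_EVENTS and group in watched:
            alerts.append(Alert(event_id, actor, member, group))
    return alerts

if __name__ == "__main__":
    for alert in detect_privileged_additions(SAMPLE_EVENTS):
        print(alert.message())
```

Running it against the sample prints three alerts (Domain Admins, Enterprise Admins, and the local Administrators group); the Sales addition and the removal event produce nothing. In practice the function would be fed from the domain controllers' Security logs and its output routed to the other admins.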