Documentation - V-243476

Title

All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.

Description

<VulnDiscussion>When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and reenabling the "Smart card is required for interactive logon" (SCRIL) replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be reused for Pass-the-Hash in the future. Windows Server 2016 incl...

Fix Text (Documentation Requirement)

Windows Server 2016 with domain functional levels of Windows Server 2016: Open "Active Directory Administrative Center". Right-click on the domain name and select "Properties". Select "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on". Active Directory domains not at a Windows Server 2016 domain functional level: Rotate the NT hash for smart card-enforced accounts every 60 days. This can be accomplished with the use of scripts. DOD PKI-PKE has provided a script under PKI and PKE Tools at https://cyber.mil/pki-pke/tools-configuration-files/. Refer to the User Guide for additional information. NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/nsa...