As promised, this is the official response from Microsoft when I asked them how to protect against the DCOM/NTLM reflection abuse:
“The team has responded that with the current model there are no hardening recommendations we can offer. They are taking this report as something to pursue for next-version hardening but I don’t have an estimate on which version this would be released in. This isn’t something we could address with a security update or CVE and as such I’ll be closing this case. “
“Changes to the DCOM subsystem are not something we would do via a security update since there is significant risk involved – this would be something which was addressed in a future version of Windows. An important part is the SeImpersonate privilege is designed to allow a service to impersonate other users on the system. Changing this model could have very negative impact on how services work. ”
Yes, you got it. There is no reasonable way to protect from this attack if you have SeImpersonate or SeAssignPrimaryToken privileges.
Same old, same old: Protect sensitive accounts and applications which run under the service accounts