In researching pass-the-hash attacks, we discovered that when Microsoft implemented "Restricted Admin" mode, they inadvertently enabled pass-the-hash attacks via RDP 8.1. A tool for this attack is now included in Kali Linux and probably in other toolkits.
This attack shows the weakness in the design of the system. The hash exists to make the system usable. It is a design feature. Since MS can't remove the password from their software, they have a number of fixes, patches and configuration options that try to secure it.
Isn't it better to get rid of the password, or at least minimize its lifetime? WiKID does this with our native AD 2FA solution. The hash is only good for the life of the passcode.
If an attacker is trying to pass-the-hash while the admin is logged in, the admin will actually see the request for the RDP session! If they wait, the hash will no longer be valid.
In the past it seems as if the market was saying that pass-the-hash was a big problem, but smart cards were not worth the effort and expense. Now you can have essentially the same functionality using your smartphone and WiKID for $24 per admin per year.
from Preventing pass-the-hash via RDP with two-factor authentication