Limiting who can access highly privileged accounts and where they do can help keep hackers from snatching precious hashes.
Pass-the-hash attacks are among the most difficult assaults to thwart. In these attacks, an intruder -- or an employee performing unauthorized activities -- gains administrative (or root) access to a computer where a user logs on. With that highly elevated access, the intruder can obtain the user's password hash from the machine's memory and log on to other computers as the spoofed user.
Once an outsider obtains elevated access, defending against the pass-the-hash attacks is very difficult. There are even free hacking tools available
to aid the process. Even worse, pass-the-hash attacks work against very long passwords, smart cards, and many other logon tokens. There aren't a lot of defenses one can deploy to prevent them, which is why security admins fear them. However, defenses do exist. Not just a Windows problem
Some people mistakenly believe that only Windows is vulnerable to pass-the-hash attacks. (I'll note that Microsoft is my full-time employer.) However, most of today's popular operating systems perform subject authentication (for example, user, computer, service/daemon) using password hashes. Those hashes sit in the computer's memory on those operating systems as readily as on Windows and can be obtained just as easily, if not more so, if public tools are on hand.