
Network Security 2014

Las Vegas, NV | Sun, Oct 19 - Mon, Oct 27, 2014

SEC505: Securing Windows with the Critical Security Controls

The Securing Windows course (SEC505) is the defense-only mirror image of the penetration testing courses at SANS: we talk about how to block or mitigate those attacks. SEC505 also covers the Critical Security Controls which directly apply to Windows clients and servers. It includes topics like deploying a Microsoft PKI, IPSec policies, PowerShell scripting, Dynamic Access Control, BitLocker, AppLocker and more. The course aims to thwart the lateral movement of hackers inside our networks and to reduce the client-side exploits used for Advanced Persistent Threat (APT) malware.

How can we defend against pass-the-hash attacks, administrator account compromise, and the lateral movement of hackers inside our networks? How do we actually implement the Critical Security Controls on Windows in a large environment? How can we significantly reduce the client-side exploits which lead to APT malware infections? These are tough problems, but we tackle them in this course.

Understanding how penetration testers and hackers break into networks is not the same thing as knowing how to design defenses against them, especially when you work in a large, complex Active Directory environment. Knowing about tools like Metasploit, Cain, Netcat, and Poison Ivy is very useful, but there is no simple patch against their abuse. The goal of this course is to provide a defense or mitigation for the Windows attack techniques known today and the new ones that will be discovered tomorrow. This requires more than just reactive patch management; we need to proactively design security into our systems and networks. That is what this course is about.

Your adversaries want to elevate their privileges to win control over your servers and domain controllers, so a major theme of this course is controlling administrative powers through Group Policy hardening and PowerShell scripting.

Learning PowerShell is probably the single best new skill for Windows people to acquire, especially with the trend towards cloud computing. Because most of your competition lacks scripting skills, it is a great way to make your resume stand out. This course devotes an entire day to PowerShell, but you do not need any prior scripting experience; we will start with the basics.

SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to help prove your security skills and Windows security expertise. The GCWN certification counts towards getting a Master's Degree in information security from the SANS Technology Institute (www.sans.edu) and satisfies the Department of Defense 8570 computing environment (CE) requirement too.

This is a fun course and a real eye-opener even for Windows administrators with years of experience. If you wish, you can get the PowerShell scripts now for the course from http://cyber-defense.sans.org/blog/ (go to the Downloads link). All of the tools are in the public domain.

Operating System and Applications Hardening day:

  • How your anti-virus scanners can fail you
  • AppLocker whitelisting
  • EMET, ASLR, SEHOP, DEP
  • Windows OS and Applications Hardening tools
  • The Group Policy Management Console (GPMC)
  • INF and XML Security templates
  • How to manage Group Policy
  • WMI filtering and GPO preferences
  • Custom ADM/ADMX templates
  • Hardening Adobe Reader
  • Hardening Java
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Microsoft Office
  • Virtual Desktop Infrastructure (pros and cons)

High-Value Targets & Restricting Admin Compromise day:

  • What makes something a high-value target?
  • Users in the local administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • Token abuse and pass-the-hash attack mitigations
  • Group Policy control of Windows security
  • User Account Control (UAC)
  • Delegating IT power more safely
  • Organizational units for role-based controls
  • Active Directory permissions for delegation
  • Active Directory auditing and logging
  • Painless (or Less Painful) Patch Management

PKI, BitLocker and Secure Boot day:

  • Why must I have a PKI?
  • Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
  • How to install the Windows PKI
  • Root vs. subordinate certification authorities
  • Should you be your own root CA?
  • Detecting malicious trusted CA changes
  • How to manage your PKI
  • Group policy deployment of certificates
  • How to revoke certificates
  • Automatic private key backup
  • Deploying smart cards
  • Best practices for private keys
  • BitLocker drive encryption
  • BitLocker for USB drives
  • UEFI Secure Boot
  • TPM chip options for BitLocker
  • BitLocker emergency recovery

IPSec, Windows Firewall, DNS, and Wireless day:

  • Isn't IPSec just for VPNs? No!
  • IPSec for TCP port permissions
  • How to create IPSec policies
  • Windows Firewall and IPSec integration
  • Group Policy for IPSec and firewall rules
  • NETSH and PowerShell rules scripting
  • DNSSEC response validation
  • DNS secure dynamic updates
  • DNS sinkholes for malware
  • Wireless attack vulnerabilities
  • Configuring RADIUS policies (NPS)
  • Wi-Fi Protected Access (WPA2)
  • Secure access to wireless networks
  • Secure access to Ethernet networks
  • Smart cards for wireless and Ethernet

Server Hardening & Dynamic Access Control day:

  • A recipe for hardening most servers
  • Dangerous protocols: SSL, RDP, IPv6, SMB
  • SMBv3 encryption and downgrade attacks
  • Pre-forensics and incident response preparation
  • Service accounts and recovery
  • Scheduling elevated tasks safely
  • Protocol stack hardening
  • Kerberos armoring and restricting NTLM
  • Server Core vs. Server Minimal/Full
  • DMZ cross-forest Active Directory trusts
  • Dynamic Access Control (DAC)
  • DAC for data loss prevention
  • DAC for complying with regulations
  • Automatic File Classification Infrastructure

PowerShell Scripting day:

  • Getting comfortable in your shell
  • PowerShell remoting
  • Running cmdlets and scripts
  • Writing your own functions
  • Writing your own scripts
  • Flow control within scripts
  • Managing the event logs
  • Managing Active Directory
  • Windows Management Instrumentation (WMI)
  • Accessing COM Objects
  • Security and execution policy

You Will Learn:

  • How to harden Windows clients and servers against attack.
  • How to reduce the rate of APT malware infections.
  • How to use PowerShell and Group Policy to manage security.
  • How to implement PKI, AppLocker, BitLocker and IPSec.
  • How to do pre-forensics to prepare for incident response.

Course Syllabus

SEC505.1: Windows Operating System and Applications Hardening
Jason Fossen | Mon Oct 20th, 2014 | 9:00 AM - 5:00 PM
Overview

The best analogy for modern network penetration is biological warfare. A vulnerable client is exploited through weak software and social engineering to install the hacker's malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and to exfiltrate valuable data (or to destroy it). When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you've got an Advanced Persistent Threat (APT) situation. You're in trouble.

We don't just want to detect hackers and malware; we want to try to prevent the case-zero compromise to begin with. Prevention comes first, and then detection and remediation come afterwards. An ounce of prevention is worth a pound of cure. Today's course is on prevention through Windows operating system and applications hardening. The aim is to try to deny hackers and malware that initial foothold inside the network, because once they're in, they're hard to clean out.

We start by choosing malware-resistant software and Windows operating systems, then we regularly update that software, limit what software users can run, and then configure that software so that its exploitable features are disabled or at least restricted to work-only purposes. Nothing is guaranteed, of course, but what if you could reduce your malware infection rate by more than half? What if your next penetration test wasn't just an exercise in embarrassment?

The trick is hardening Windows in a way that is cost-effective, scalable, and with minimal user impact. In this course we'll look at tools like EMET and Group Policy, security templates, WSUS, and SCWCMD.EXE to hopefully make it easier. In today's course and during the week, we'll see how to implement many of the Critical Security Controls.

CPE/CMU Credits: 6

Who Should Attend
  • Windows security engineers and system administrators
  • Those who need to reduce malware and APT infections
  • Anyone who wants to implement the Critical Security Controls
  • Those who must enforce security policies on Windows hosts

Topics

Going Beyond Just Anti-Virus Scanning

  • How your AV scanners can fail you
  • Application whitelisting
  • AppLocker
  • Script and executable signing
  • Controlling USB devices
  • DEP, ASLR, and SEHOP
  • Benevolent Microsoft rootkit: EMET
  • Restoring to a pristine OS image
  • Virtual Desktop Infrastructure (VDI)

OS Hardening with security templates

  • INF vs. XML security templates
  • How to edit and apply templates
  • Security configuration and analysis
  • SECEDIT.EXE
  • Security configuration wizard
  • Auditing with templates

Hardening with Group Policy

  • Group Policy Objects (GPOs)
  • Third-party GPO enhancements
  • Pushing out PowerShell scripts
  • GPO remote command execution
  • GPO troubleshooting tools
  • Custom ADM/ADMX templates

Enforcing Critical Controls for applications

  • Protected Mode Sandboxes
  • Metro AppContainer Sandboxes
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Adobe Reader
  • Hardening Java
  • Hardening Microsoft Office

 
SEC505.2: High-Value Targets & Restricting Administrative Compromise
Jason Fossen | Tue Oct 21st, 2014 | 9:00 AM - 5:00 PM
Overview

Today's course continues the theme of resisting malware and APT adversaries, but with a special focus on securing the keys to the kingdom: Administrative Power. If a member of the Domain Admins group is compromised, the entire network is lost. How can we better prevent the compromise of administrative accounts and contain the harm when they do get compromised? What can we do about pass-the-hash and token abuse attacks? Remember, as a network administrator, you are a high-value target and your adversaries will try to take over your user account and to infect the computers you use at work (and at home).

Hackers also love it when "regular" users are members of the local Administrators group on their computers because it makes it easier to compromise those computers and to then move laterally to other machines. We will talk about what's so dangerous about the Administrators group, how to get users out of that group while still allowing them to get their work done, and, if we just can't get users out of Administrators, then how to make User Account Control (UAC) less annoying to them...and us.

We will also see how to delegate authority in Active Directory (AD). Every object in AD has a set of permissions and audit settings. We don't have to dump everyone in the IT department into the Domain Admins group; we can delegate to others the power to perform tasks like resetting passwords, joining computers to the domain, and managing the attributes used by Dynamic Access Control.

Finally, patch management is critically important for securing a Windows environment, but patch management can be expensive, hard and tedious. So we will also talk about how to make patching Microsoft and third-party software easier, especially on BYOD and mobile devices outside the local network.

CPE/CMU Credits: 6

Who Should Attend
  • Windows security engineers and system administrators
  • Those who need Dynamic Access Control (DAC)
  • Those who need to reduce malware and APT infections
  • Anyone who wants to implement the 20 Critical Security Controls
  • Those who must enforce security policies on Windows hosts
  • Those who want to constrain the harm from admin compromise

Topics

Compromise of Administrative Powers

  • Hackers and malware LOVE administrative users
  • Partially limiting pass-the-hash attacks and token abuse
  • How to get users out of the administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • User Account Control (making it less annoying)
  • Kerberos armoring and eliminating NTLM
  • Picture password on touch tablets
  • Windows Credential Manager vs. KeePass

Active Directory Permissions and Delegation

  • Active Directory permissions
  • Active Directory auditing
  • Delegating authority at the OU level
  • Domains are not security boundaries
  • Logging attribute content changes

Updating Vulnerable Software

  • Everything must be patched every week
  • Patching off-site tablets and laptops
  • Identifying rogue devices (BYOD Hell)
  • WSUS shortcomings
  • WSUS third-party enhancements
  • Windows App Store (Metro)
  • The future: continuous updates

 
SEC505.3: Windows PKI, BitLocker, and Secure Boot
Jason Fossen | Wed Oct 22nd, 2014 | 9:00 AM - 5:00 PM
Overview

Public Key Infrastructure (PKI) is not an optional security service anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. You can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge. It's all centrally managed through Group Policy.

Digital certificates play an essential role in Windows security: IPSec, BitLocker, S/MIME, SSL/TLS, smart cards, script signing, etc. They all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap. You might already have a smart card built into your motherboard as a TPM chip.

As more and more of our servers are pushed up to cloud hosting providers, and as more of our devices become mobile, certificate authentication and encryption will become more necessary. Even our BYOD tablets and phones will eventually need certificates.

We also have to encrypt our laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker is built into Windows already? BitLocker is manageable through Group Policy and from the command line. BitLocker has automatic encryption key archival features for recovery, requires little or no user training, and can be used to encrypt portable USB drives.

If you have a TPM chip in your motherboard, it can help BitLocker to detect rootkits, but a TPM is not required for BitLocker. Even better, with UEFI firmware you could also use UEFI Secure Boot to help detect bootkits and other malware too.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs a whole drive encryption solution
  • Anyone who needs to encrypt data on portable drives
  • Anyone deploying a Windows smart card solution
  • Anyone who needs digital certificates on Windows hosts
  • Anyone widely deploying SSL or S/MIME certificates
  • Anyone deploying or managing a PKI with Windows

Topics

Why Have a PKI?

  • Strong authentication and encryption
  • Passwords are dead
  • Smart cards, IPSec, wireless, SSL, S/MIME, etc.
  • Mobile and BYOD computers
  • Code and document signing

How to Install the Windows PKI

  • Root vs. subordinate certification authorities
  • Should you be your own root CA?
  • Custom certificate templates
  • Controlling certificate enrollment

How to Manage Your PKI

  • Group policy deployment of certificates
  • Group policy PKI settings
  • How to revoke certificates
  • Automatic private key backup
  • Credential roaming of keys
  • Delegation of authority

Deploying Smart Cards

  • Everything you need is built-in
  • TPM virtual smart cards
  • Smart card enrollment station
  • Group policy deployment
  • Smart cards on a limited budget

BitLocker Drive Encryption and Secure Boot

  • UEFI Secure Boot
  • TPM boot integrity checking
  • Cold boot and 1394 port attacks
  • USB device encryption
  • Mounting encrypted VHD files
  • BitLocker emergency recovery
  • BitLocker network unlock of the PIN

 
SEC505.4: IPSec, Windows Firewall, DNS, and Wireless
Jason Fossen | Thu Oct 23rd, 2014 | 9:00 AM - 5:00 PM
Overview

IPSec is not just for VPNs. IPSec can authenticate users in Active Directory to implement share permissions for TCP and UDP ports based on the user's global group memberships. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on your servers and tablets to only permit access to RPC or SMB ports if 1) the client has a local IP address, 2) the client is authenticated by IPSec to be a member of the domain, and 3) the packets are all encrypted with AES. This is not only possible, but is actually relatively easy to deploy with Group Policy. We will see exactly how to do this in seminar.
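The three-condition rule described above, written as an added example with the NetSecurity cmdlets (this is not code from the course materials or its script download): an IPsec connection security rule plus a matching Windows Firewall rule are written into a GPO so that inbound SMB is allowed only from local-subnet clients that authenticate by Kerberos as domain computers and whose traffic is AES-encrypted. The domain name contoso.com, the GPO name, and the AES-256/SHA-256 proposal are assumptions.

```powershell
# Added example (not from the SANS course): Group Policy enforcing the three
# conditions from the text for inbound SMB (TCP 445) on domain servers:
#   1) client has a local IP address, 2) client is a domain member
#   authenticated by IPsec, 3) packets are encrypted with AES.
# Assumptions: domain contoso.com and a pre-created GPO named
# "IPsec-SMB-Isolation" (both placeholders); run from a domain-joined admin
# shell with RSAT. Needs the NetSecurity module (Windows 8 / Server 2012+).
#Requires -Modules NetSecurity

$Domain  = 'contoso.com'            # placeholder domain
$GpoName = 'IPsec-SMB-Isolation'    # placeholder, existing GPO
$Store   = "$Domain\$GpoName"

# Open the GPO once; every rule below is written to this session, then saved.
$gpo = Open-NetGPO -PolicyStore $Store

# Condition 2 (identity): only members of "Domain Computers" (RID 515).
# The firewall rule expects the group as an SDDL string; "CC" means "allow".
$NetBiosName  = ($Domain -split '\.')[0].ToUpper()
$account      = New-Object System.Security.Principal.NTAccount($NetBiosName, 'Domain Computers')
$computersSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$remoteMachineSddl = "D:(A;;CC;;;$computersSid)"

# How peers prove identity: IKE main mode with the computer account (Kerberos).
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
        -Proposal $p1Proposal -GPOSession $gpo

# Condition 3 (confidentiality): ESP with AES-256 and SHA-256 integrity,
# with perfect forward secrecy for the quick-mode keys.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                -Encryption AES256 -ESPHash SHA256
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256-SHA256' `
        -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14 -GPOSession $gpo

# Connection security rule: inbound SMB MUST be negotiated with IPsec
# (Require); outbound only requests it, so the server can still reach
# hosts that do not speak IPsec.
New-NetIPsecRule -DisplayName 'Require IPsec for inbound SMB' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qm.Name `
    -GPOSession $gpo | Out-Null

# Firewall rule: the packet filter that ties the three conditions together.
#   -RemoteAddress LocalSubnet   -> condition 1
#   -Authentication Required and -RemoteMachine <SDDL> -> condition 2
#   -Encryption Required         -> condition 3
New-NetFirewallRule -DisplayName 'Allow SMB from IPsec-authenticated domain computers' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress LocalSubnet `
    -Authentication Required -RemoteMachine $remoteMachineSddl `
    -Encryption Required `
    -Action Allow -GPOSession $gpo | Out-Null

# Commit all rules to the GPO in one write.
Save-NetGPO -GPOSession $gpo
```

Link the GPO to the OU holding the servers; clients that are not domain members, or that cannot negotiate AES ESP, are simply dropped at the filter rather than reaching the SMB listener.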

For defense in depth, we can't rely on just our perimeter firewalls anymore. Many of our devices are mobile, so they aren't protected by our perimeter firewalls anyway. You don't need to purchase third-party host-based firewalls anymore like we did for Windows XP. The new Windows Firewall is a vast improvement and can be managed through Group Policy. For BYOD computers, the firewall and IPSec settings can also be scripted.

DNSSEC digitally signs DNS records to prevent spoofing and man-in-the-middle attacks. Fortunately, it is much easier to manage DNSSEC in Server 2012 and later. We will also see how to require DNS secure dynamic updates, set permissions on DNS records in Active Directory, use the DNS sinkhole technique to frustrate malware, and use IPSec with DNS queries too.

There is much more to wireless security than getting rid of WEP. Windows Server includes a built-in RADIUS service that can be used to regulate access to your wireless access points, managed Ethernet switches, and VPN gateways. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free. This week we will see how to set it all up, step-by-step, including the PKI.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs to secure network traffic in Windows LANs
  • Anyone who wants to use IPSec for more than just VPNs
  • Anyone who needs to use DNSSEC and secure DNS updates
  • Anyone who needs to secure an 802.11 wireless network
  • Anyone who needs RADIUS for VPNs, Ethernet and 802.11

Topics

Why IPSec?

  • IPSec is NOT just for VPNs!
  • More secure than SSL
  • User/computer authentication
  • Transparent to users
  • No user training required
  • NIC hardware acceleration
  • Compatible with NAT

Creating IPSec Policies

  • Require vs. prefer encryption
  • Share permissions on TCP ports
  • IDS/IPS compatibility options
  • IPSec-based encrypted VLANs
  • Group Policy management
  • Scripting for BYOD stand-alones

Windows Firewall

  • Group Policy management
  • Metro app and service awareness
  • Roaming and VPN compatibility
  • Deep IPSec integration
  • NETSH and PowerShell scripting

Securing Wireless Networks

  • Wi-Fi Protected Access (WPA2)
  • Pre-shared key weaknesses
  • DoS attack vulnerabilities
  • Rogue access point detection
  • BYOD and network bridging
  • Wireless best practices

RADIUS for Wireless and Ethernet

  • Certificate authentication and PKI
  • How to use smart cards
  • EAP vs. PEAP
  • PEAP-MS-CHAPv2
  • 802.1X for Ethernet switches
  • Account lockout DoS attacks
  • Group Policy configuration of clients
 
SEC505.5: Server Hardening & Dynamic Access Control
Jason Fossen | Fri Oct 24th, 2014 | 9:00 AM - 5:00 PM
Overview

What are the best practices for hardening servers, especially servers exposed to the Internet? How can we remotely manage our servers in a secure way, especially our virtualized servers hosted by third-party cloud providers? If I have Internet-exposed servers, how can I more safely make them Active Directory domain members? If I have service accounts or scheduled jobs running as Domain Admin, what are the risks and what can I do about it? Today's course is all about server hardening.

Are you using SSL/TLS, NTLM, Remote Desktop Protocol (RDP) or the File and Print Sharing protocol (SMB/CIFS)? These protocols and their listening ports are hacker favorites, but we often can't live without them, so we will see how to make these and other protocols more resilient against attacks.

Windows Server 2012 introduced a major new security enhancement called Dynamic Access Control (DAC). If you have millions of files spread across multiple servers, how can you manage access to and auditing of these ever-changing files? How can we avoid relying on NTFS permissions and NTFS auditing alone?

DAC allows you to mark files as "Top Secret", "PII", or as any other classification tag you invent, then apply restrictions and auditing based on these hidden file tags. But it's not done with AD group memberships and NTFS alone. DAC is not an NTFS management system; there's much more to it. With your own custom user and computer attributes defined in Active Directory, you can implement a Data Loss Prevention (DLP) solution based on "claims" associated with your users and their various devices. You can also perform auditing this way to help comply with regulations in your industry.

Dynamic Access Control works best with Server 2012 and Windows 8, but Windows 8 is not required. Even Windows XP clients can benefit. DAC can also be extended to other platforms such as SharePoint, Rights Management Services (RMS) and Exchange; it's not just for file servers. DAC is not a single tool or service, it's a new access control system with ties into the kernel -- fun stuff!

CPE/CMU Credits: 6

Who Should Attend
  • Windows administrators and security auditors
  • Anyone responsible for the security of servers
  • Those who use RDP, SMB, SSL or NTLM
  • Anyone implementing Data Loss Prevention (DLP)
  • Regulatory compliance officers who audit file servers

Topics

Dangerous Server Protocols

  • Eliminate SSL, only use TLS
  • Requiring strong ciphers and keys
  • RDP man in the middle attacks
  • SMBv3 native encryption
  • SMB downgrade attacks
  • NTLM, NTLMv2 and Kerberos
  • Kerberos armoring
  • Hardening the protocol stack
  • What about IPv6?

Server Hardening

  • Server Manager and PowerShell
  • Server Core/Minimal/Full
  • Security templates and Group Policy
  • Preparing for incidents: pre-forensics
  • Service account security
  • Scheduling tasks remotely and safely

Internet-Exposed Member Servers

  • Not every server can be a stand-alone
  • Active Directory for the DMZ or the cloud
  • Cross-forest trusts and Selective Authentication
  • Read-only domain controllers (RODC)
  • Firewall design for DMZ or cloud member servers

Dynamic Access Control (DAC)

  • Claims-based access control and auditing
  • DAC does not require Windows 8
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic file classification infrastructure
  • User and device identity restrictions
  • Auditing without managing SACLs
  • Central access policy deployment

 
SEC505.6: Windows PowerShell Scripting
Jason Fossen | Sat Oct 25th, 2014 | 9:00 AM - 5:00 PM
Overview

In the Windows world, everything is (thankfully) moving towards PowerShell.

PowerShell is Microsoft's object-oriented command shell and scripting language. Virtually everything can be managed from the command line and scripts now, and automation is very important for implementing the Critical Security Controls. Server 2012-R2, for example, has over 3000 PowerShell tools for nearly everything, including Active Directory, IIS, Exchange, SharePoint, System Center, AppLocker, Hyper-V, firewall rules, event logs, remote command execution, and much more.

PowerShell is built into Windows 7, Server 2008, and later. You can download the latest version from http://www.microsoft.com/powershell/.

PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What's the big deal? PowerShell rides on top of the .NET Framework; hence, COM objects and the entire .NET class library are available at the command prompt. When you execute commands, the output is not text; the output is a stream of objects with properties and methods, just like in C#. You can even build and run graphical programs written entirely in PowerShell.

What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript too. So while VBScript gives you COM, PowerShell gives you both .NET and COM. VBScript is dead; the future is PowerShell.

And PowerShell is easier to learn when you are first getting started too. This course assumes you have no prior scripting experience, and you don't need it either. We will walk through all the essentials of PowerShell together. And if you're already familiar with Perl or C#, then the PowerShell syntax will not be foreign to you. Most importantly, be prepared to have fun - PowerShell is just plain cooooooool...

CPE/CMU Credits: 6

Who Should Attend
  • Administrators who don't want to be obsolete in five years
  • Windows administrators that want to use scripting
  • Linux admins who want to feel more at home on Windows
  • Anyone who needs to write scripts for Windows

Topics

Overview and Security

  • What is PowerShell?
  • Why should I learn it?
  • Why is everything in Windows getting PowerShell-ized?
  • Signing scripts and execution policy

Getting Around Inside PowerShell

  • Built-in help system
  • Built-in graphical editor
  • Aliases for CMD and bash users
  • Running cmdlets, functions, and scripts
  • Piping objects instead of text
  • Using properties and methods of objects

Example Commands

  • PowerShell remoting
  • Active Directory scripting
  • Searching event logs
  • Parsing nmap XML output

Write Your Own Scripts

  • Writing your own functions
  • Flow control: if-then, do-while, foreach, switch
  • Accessing COM objects like in VBScript
  • How to pipe data in/out of scripts

Windows Management Instrumentation (WMI)

  • What is WMI and why is it so powerful?
  • WMI queries and remote command execution
  • Searching remote event logs faster
  • Inventory installed software
  • Sample scripts to walk through together
 
Additional Information

Testimonial

"You will know and be confident on how to enable Windows PKI after taking this course. I had no practical experience, but plenty of theory. Jason broke down the pros and cons of the whole process. Excellent!!" - Othello Swanston, DTRA-DoD

 
Laptop Required

Please note that without a virtual machine or laptop running Windows Server, you will only be able to watch the instructor demonstrate the exercises; you won't be able to follow along on your own computer, and that is half the fun!

A video can be found here to help with your laptop setup.

Should I use a Virtual Machine?

Yes, in fact, using a virtual machine is preferred. Windows 8.1 and Windows 10 (Pro and Enterprise) include Client Hyper-V. You can also obtain VMware Player or Oracle VirtualBox for free. On a Mac there is also VMware Fusion and Parallels.

The host computer can have any operating system.

Where can I get the free evaluation version of Windows Server 2012 R2?

You can download a free trial version of Windows Server 2012 R2 from Microsoft as an ISO image file (an ISO file is an exported copy of a CD/DVD disk).

Just do an Internet search on "site:microsoft.com windows server trial eval" to find the download link to the ISO file on Microsoft's web site.

Bring the ISO file with you on your hard drive when you attend the course.

How should my virtual machine be configured?

Other than simply creating the Windows Server virtual machine, there is nothing else to configure. Everything else will be done during the training.

Please install Windows Server 2012 R2 in your VM.

You can use either the Standard or Datacenter Edition, either one works fine.

When you install the VM, choose the "Server with a GUI" version of Windows Server, not the "Core" version. If you've accidentally installed the "Core" version, you will only get a CMD command shell when you log into the VM; you will need to delete this Core VM and install a new one to choose the "Server with a GUI" version instead.

Bring the ISO file with you when you attend the training.

If I install Windows Server directly on the laptop, do I need a virtual machine?

No, if you install Windows Server directly onto your laptop, you do not need to also install a virtual machine with Windows Server. Make sure to use either the evaluation version or a license-activated version of Windows Server though (activate in the System applet in Control Panel). It is better, though, if you install Windows Server in a virtual machine.

VMware prompts me for a license number or I get a license error message!

Make sure you have the evaluation version of Windows Server, not the retail version.

In VMware, when creating the virtual machine, it is best to choose the option which says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the VM has been created, not during the initial creation. After the virtual machine has been created, go to the Settings of that VM and provide the path to the source ISO file. Now, when you start the VM, there should be no evaluation licensing problems.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
Who Should Attend
  • Windows security engineers and system administrators
  • Anyone who wants to learn PowerShell
  • Anyone who wants to implement the 20 Critical Security Controls
  • Anyone implementing the Australian Directorate's Four Controls
  • Those who must enforce security policies on Windows hosts
  • Anyone who needs a whole drive encryption solution
  • Those deploying or managing a PKI or smart cards
  • Anyone who needs to prevent malware infections

 
Prerequisites

There are no prerequisites to attend the course, but a familiarity with basic Windows and Active Directory concepts is presumed. This is not an introductory course.

 
Other Courses People Have Taken

Security Essentials (SEC401) - Provides a grounding in the essential Windows and Active Directory concepts necessary for this course.

Implementing and Auditing the Critical Security Controls (SEC566) - Presents the overall security framework of which this course is a part. This course is a deep-dive into how to apply this framework to Windows and Active Directory specifically.

Hacker Techniques, Exploits and Incident Handling (SEC504) - Presents the hacker's perspective, whereas this course provides a defense or mitigation against the attacks described in SEC504. This course is like the defense-only mirror image of SEC504.

 
What You Will Receive

You will receive six manuals filled with hundreds of screenshots and "Try It Now" exercises, plus a CD with scripts and other tools related to the material. The manuals have the full text of the presentation, not just sparse notes for the slides, plus a table of contents.

 
You Will Be Able To
  • Harden the configuration settings of Internet Explorer, Google Chrome, Adobe Reader, Java, and Microsoft Office applications to better withstand client-side exploits.
  • Use Group Policy to harden the Windows operating system by configuring DEP, ASLR, SEHOP, EMET and AppLocker whitelisting, applying security templates and running custom PowerShell scripts.
  • Deploy a WSUS patch server with third-party enhancements to overcome its limitations.
  • Implement Server 2012 Dynamic Access Control permissions, file tagging and auditing for Data Loss Prevention (DLP).
  • Use Active Directory permissions and Group Policy to safely delegate administrative authority in a large enterprise to better cope with token abuse, pass-the-hash, service/task account hijacking, and other advanced attacks.
  • Install and manage a full Windows PKI, including smart cards, Group Policy auto-enrollment, and detection of spoofed root CA certificates.
  • Configure BitLocker drive encryption with a TPM chip using graphical and PowerShell tools.
  • Harden SSL, RDP, DNSSEC and other dangerous protocols using Windows Firewall and IPSec rules managed through Group Policy and PowerShell scripts.
  • Install the Windows RADIUS server (NPS) for PEAP-TLS authentication of 802.11 wireless clients, and hands-free client configuration through Group Policy.
  • Learn how to automate security tasks on local and remote systems with the PowerShell scripting language and remoting framework.

 
Hands-on Training

Please bring a virtual machine running an evaluation version of Windows Server 2012 R2, Datacenter or Standard, installed with a full GUI (not Core). In seminar, we will install Active Directory, Certificate Services, RADIUS (NPS), WSUS, plus other services and tools. You will use the virtual machine throughout the week to follow along with the instructor demos.

 

Author Statement

The courses I write for SANS are always guided by two questions: 1) What do administrators need to know to secure their networks? and 2) What should administrators learn to advance their careers as IT professionals? I'm not a Microsoft employee or a Microsoft-basher, so you won't get either kind of propaganda here. My concern is with the health of your network and your career. As a security consultant I've seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows course is packed with interesting and useful advice that is hard to find on the Internet. We always have a good time, so I hope to meet you at the next training event!

-- Jason Fossen, SANS Faculty Fellow