SEC505: Securing Windows and Resisting Malware
You have the best instructors available. Other training never comes close and is a waste of money.
Steve Sauro, McDermott Will and Emery
This is my fifth SANS course. Jason is exceptionally hard working instructor who adds tremendous value with his unrestricted contributions to the community.
Matthew Wheeler, Los Alamos Natl Lab
In April of 2014, Microsoft will stop releasing any new security patches for Windows XP. Like it or not, migrating off Windows XP is no longer optional, the clock is counting down. The Securing Windows and Resisting Malware course is fully updated for Windows Server 2012, Windows 8, Server 2008-R2, and Windows 7.
This course is about the most important things to do to secure Windows and how to minimize the impact on users of these changes. You'll see the instructor demo the important steps live, and you can follow along on your laptop. The manuals are filled with screenshots and step-by-step exercises, so you can do the steps alongside the instructor in seminar or later on your own time if you prefer.
We've all got anti-virus scanners, but what else needs to be done to combat malware and intruders using Advanced Persistent Threat (APT) techniques? Today's weapon of choice for hackers is stealthy malware with remote control channels, preferably with autonomous worm capabilities, installed through client-side exploits. While other courses focus on detection or remediation, the goal of this course is to prevent the infection in the first place (after all, first things first).
Especially in Server 2012 and beyond, PowerShell dominates Windows scripting and automation. It seems everything can be managed through PowerShell now. And if there's a needed skill that will most benefit the career of a Windows specialist, it's being able to write PowerShell scripts, because most of your competition will lack scripting skills, so it's a great way to make your resume stand out. This course devotes an entire day to PowerShell scripting, but you don't need any prior scripting experience.
This course will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to help prove your security skills and Windows expertise.
Operating System and Applications Hardening day:
- Start with Malware-Resistant software
- Painless (or Less Painful) Patch Management
- How Your Anti-Virus scanners can fail you
- Windows OS and Applications Hardening tools
- The Group Policy Management Console (GPMC)
- INF and XML Security templates
- How to manage Group Policy
- WMI filtering and GPO preferences
- Custom ADM/ADMX templates
- AppLocker whitelisting
- Hardening Adobe Reader
- Hardening Internet Explorer
- Hardening Google Chrome
- Hardening Microsoft Office
- Virtual Desktop Infrastructure (pros and cons)
Dynamic Access Control & Restricting Admin Compromise day:
- Server 2012 Dynamic Access Control (DAC)
- DAC conditional expressions
- DAC and complying with regulations
- Automatic File Classification Infrastructure
- Users in the local administrators group
- Secretly limiting the power of administrative users
- Limiting privileges, logon rights and permissions
- User Account Control
- Kerberos Armoring and eliminating NTLM
- Delegating IT power more safely
- Active Directory permissions and auditing
PKI, BitLocker and Secure Boot day:
- Why must I have A PKI?
- Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
- How to install the Windows PKI
- Root vs. Subordinate certification authorities
- Should you be your own root CA?
- How to manage your PKI
- Group policy deployment of certificates
- How to revoke certificates
- Automatic private key backup
- Deploying Smart Cards
- Best practices for private keys
- BitLocker drive encryption
- Windows 8 secure boot
- TPM and USB BitLocker options
- BitLocker emergency recovery
Dangerous Protocols, IPSec, Windows Firewall, and Wireless day:
- Dangerous protocols: SSL, RDP, SMB, DNS
- Isn't IPSec just for VPNs? No!
- IPSec for TCP port permissions
- How to create IPSec policies
- Group Policy Management of IPSec
- DNSSEC and DNS dynamic updates
- Windows Firewall with advanced security
- Configuring RADIUS Policies (NPS)
- Wi-Fi Protected Access (WPA)
- EAP vs. PEAP
- Secure access to wireless networks
- Secure access to Ethernet networks
- Smart cards for wireless and Ethernet
- Best practices for wireless and Ethernet
Securing IIS Web Servers day:
- IIS server hardening
- Configuring SSL and TLS
- Centralized certificates and SNI
- Securing WebDAV
- Authentication options
- Smart cards for web applications
- Proper NTFS permissions and auditing
- What are application pools?
- Securing XML config files
- Secure remote administration
- Restricting webmasters
- FTP Over SSL (FTPS)
PowerShell Scripting day:
- What is PowerShell?
- Running CmdLets and scripts
- Writing your own functions
- Writing your own scripts
- Flow control within scripts
- Managing the event logs
- Managing Active Directory
- Windows Management Instrumentation (WMI)
- Accessing COM Objects
- Security and execution policy
You are encouraged to bring a virtual machine running Windows Server 2012 Standard or Datacenter Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2012 from Microsoft's web site (just do a search on "site:microsoft.com Server 2012 evaluation trial"). You can use Hyper-V, VMware, VirtualBox, or any other virtual machine software you wish.
This is a fun course and a real eye-opener even for Windows administrators with years of experience. Whether you're taking SEC505 live or in OnDemand, get the PowerShell scripts now for the course from http://www.sans.org/windows-security (go to the Downloads link). There is no prior registration required, and all scripts are in the public domain.
|SEC505.1: Windows Operating System and Applications Hardening||Jason Fossen||
Mon Jul 15th, 2013
9:00 AM - 6:30 PM
The best analogy for modern network penetration is biological warfare. A vulnerable client is exploited through weak software and social engineering to install the hacker's malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and to exfiltrate valuable data (or to destroy it). When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you've got an Advanced Persistent Threat (APT) situation. You're in trouble.
We don't just want to detect hackers and malware; we want to try to prevent the case-zero compromise to begin with. Prevention comes first, and then detection and remediation come afterwards. An ounce of prevention is worth a pound of cure. Today's course is on prevention through Windows operating system and applications hardening. The aim is to try to deny hackers and malware that initial foothold inside the network, because once they're in, they're hard to clean out.
We start by choosing malware-resistant software and Windows operating systems, then we regularly update that software, limit what software users can run, and then configure that software so that its exploitable features are disabled or at least restricted to work-only purposes. Nothing is guaranteed, of course, but what if you could reduce your malware infection rate by more than half? What if your next penetration test wasn't just an exercise in embarrassment?
The trick is hardening Windows in a way that is cost-effective, scalable, and with minimal user impact. In this course we'll look at tools like Group Policy, security templates, WSUS, and SCWCMD.EXE to hopefully make it easier. In today's course and during the week, we'll see how to implement many of the SANS Critical Controls.
CPE/CMU Credits: 6
Who Should Attend
Updating vulnerable software
OS Hardening with security templates
Hardening with Group Policy
Enforcing Critical Controls
|SEC505.2: Dynamic Access Control & Restricting Administrative Compromise||Jason Fossen||
Tue Jul 16th, 2013
9:00 AM - 6:00 PM
Windows Server 2012 introduced a major new security enhancement called Dynamic Access Control (DAC). If you have millions of files spread across multiple servers, how can you manage access to and auditing of these ever-changing files? How can we avoid relying on NTFS permissions and auditing alone?
DAC allows you to mark files as "Trade Secret", "PII", or as any other classification tag you need, then apply restrictions and auditing based on these hidden file tags. But it's not done with AD group memberships and NTFS alone, DAC is not an NTFS management system, there's much more. With your own custom user and computer attributes defined in Active Directory, you can implement a Data Loss Prevention (DLP) solution based on "claims" associated with your users and their various devices. You can also perform auditing this way to help comply with regulations in your industry.
Dynamic Access Control works best with Server 2012 and Windows 8, but Windows 8 is not required. There is a gentle deployment pathway as you migrate off Windows XP. You do not have to deploy Windows 8 to benefit from DAC today.
Today's course also includes more recommendations for thwarting malware and APT adversaries. Hackers and malware love it when users are members of the local Administrators group on their computers. It makes it easier for the computer to get compromised. We will talk about what's so dangerous about the Administrators group and how to either get users out of that group or to secretly curtail the power of that group.
User Account Control (UAC) helps in this regard, but there's much more to UAC than just the annoying pop-up dialog boxes (in fact, those pop-ups can be turned off). We'll also talk about the dangers of NTLM, how to get rid of it, and use Kerberos only. But even Kerberos is vulnerable to attack, so there is a new enhancement in Server 2012 called "Kerberos armoring" to deal with the problem.
Network administrators are also prime targets for hackers. The Domain Admins group is just too attractive. In today's course we'll talk about how to delegate authority safely in order to limit the scope of harm from a compromise. Using Active Directory permissions we can delegate authority to various IT groups and contractors without giving the farm away.
CPE/CMU Credits: 6
Who Should Attend
Dynamic Access Control (DAC)
Compromise of administrative powers
Active Directory permissions and delegation
|SEC505.3: Windows PKI, BitLocker, and Secure Boot||Jason Fossen||
Wed Jul 17th, 2013
9:00 AM - 5:45 PM
Public Key Infrastructure (PKI) is not an optional security infrastructure anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. With Windows Certificate Services you can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge.
Digital certificates play an essential role in Windows security: IPSec, EFS, secure e-mail, SSL/TLS, Kerberos authentication with smart cards, smart card authentication to IIS and VPN servers, script signing, etc. They all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap.
You also have to encrypt your laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker is built into Windows already? BitLocker is manageable through Group Policy and from the command line. BitLocker has automatic encryption key archival features for recovery, requires little or no user training, and can be used to encrypt portable USB drives. If you have a TPM chip in your motherboard, it can help BitLocker to detect rootkits, but note that a TPM chip is definitely not required to use BitLocker.
With UEFI firmware and Windows 8, you can also use Secure Boot to help fight off bootkits and other malware too.
Planning a PKI or data encryption project isn't easy, and mistakes and redeployments can be costly, so this course, in part, is designed to assist in the planning process to help avoid these mistakes. If you're not encrypting tablets, laptops and portable drives now, you will be soon.
CPE/CMU Credits: 6
Who Should Attend
Why must I have a PKI?
How to install the Windows PKI
How to manage your PKI
Deploying Smart Cards
BitLocker drive encryption
|SEC505.4: Dangerous Protocols, IPSec, Windows Firewall, and Wireless||Jason Fossen||
Thu Jul 18th, 2013
9:00 AM - 5:00 PM
Are you using Remote Desktop Protocol (RDP), DNS name resolution, or the File and Print Sharing (SMB) protocol? You shouldn't really trust them, they are hacker favorites. Do you have an 802.11 wireless network with just a pre-shared key? There's much more to wireless and Ethernet security than just key length. Today's course is on securing wireless and wired network access, hardening vulnerable protocols and ports, and using the Windows Firewall with IPSec.
You don't need third-party host firewalls anymore; the built-in Windows Firewall can be managed through Group Policy and is deeply integrated with IPSec.
IPSec is not just for VPNs. IPSec can authenticate users in Active Directory to implement share permissions for TCP and UDP ports based on the user's global group memberships. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on your servers and tablets to only permit access to RPC or SMB ports if 1) the client has a local IP address, 2) the client is authenticated by IPSec to be a member of the domain, and 3) the packets are all encrypted with AES. This is not only possible, but is actually relatively easy to deploy with Group Policy. We will see exactly how to do this in seminar.
But if the firewall allows the use of RDP, DNS and SMB, then the firewall by itself can't secure these dangerous protocols, they have to be hardened with DNSSEC, SMBv3 encryption, IPSec, and SSL. Many applications rely on SSL, but this ancient protocol is no silver bullet, it's better to upgrade to a recent version of TLS. And as more of our servers are moved out to the cloud, we will rely on SSL, RDP and IPSec even more.
Windows Server includes a built-in RADIUS service that can be used to regulate access to your wireless access points, managed Ethernet switches, and VPN gateways. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free. This week we will see how to set it all up, step-by-step, including the PKI.
CPE/CMU Credits: 6
Who Should Attend
Windows Firewall and IPSec
Creating IPSec policies
Securing Wireless Networks
RADIUS for Wireless and Ethernet
|SEC505.5: Server Hardening and IIS||Jason Fossen||
Fri Jul 19th, 2013
9:00 AM - 5:00 PM
Of all the servers you manage, your Internet-facing IIS servers are probably the most at risk. IIS is a magnet for hackers, so great care must be taken in planning how to deploy and configure Microsoft's notorious HTTP and FTP server.
In this course, we will talk about how to harden the OS, how to strip IIS down to its essentials to reduce its attack surface, how to enforce authentication and authorization rules, how to implement application-layer HTTP/FTP filtering rules, and in general how to help keep your website from becoming another victim statistic.
During the day, the Code Red worm will be used as an example of an exploit, which could have been easily blocked through proper configuration even if the patch for Code Red had not been applied prior to the attack. IIS security is much more than just setting up a firewall and applying patches; it's about proactively anticipating tomorrow's attacks and being ready for them. Using free Microsoft add-ons, like URL Rewrite, we can do our own application-layer firewalling and satisfy some PCI requirements at the same time.
We will also see how to require SSL/TLS for the greatly improved FTP service and how to configure an FTP server farm to provide secure remote access to internal file servers.
The demand for IIS security personnel is great because IIS is so widely deployed. As more and more of your previously-internal servers are pushed out to cloud providers as VMs, you'll want to know how to harden them, your IaaS cloud provider will not do it all for you. If you're new to IIS, this course will get you up to speed.
CPE/CMU Credits: 6
Who Should Attend
XML configuration system
IIS Authentication and Authorization
Logging and auditing
FTP over SSL (FTPS)
How to configure FTPS
FTPS clients and issues
|SEC505.6: Windows PowerShell Scripting||Jason Fossen||
Sat Jul 20th, 2013
9:00 AM - 5:00 PM
PowerShell is Microsoft's upgrade for the old CMD.EXE shell and a Perl-like scripting language for it too. PowerShell is available as a free download for Windows XP/2003/Vista and is built into Windows 7 and later operating systems by default (get the latest version from http://www.microsoft.com/powershell/). In Server 2012 especially, everything is PowerShell, PowerShell, PowerShell...
PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What's the big deal? PowerShell rides on top of the .NET Framework; hence, the entire .NET class library is available at the command prompt. And, when PowerShell scripts and tools pipe data into other PowerShell scripts and tools, it's not plain text that gets piped, but entire .NET objects, including all their properties and methods.
PowerShell is the future of administrative scripting on Windows. For example, Exchange Server and Operations Manager have graphical management tools, but these tools are really just GUI wrappers for PowerShell commands. There are also PowerShell cmdlets for IIS, Server Manager, AppLocker, Active Directory, Server Core, and more. Microsoft has promised that other products will be PowerShell-ized too, so the long-term trend is clear: almost everything in Windows will eventually be manageable through PowerShell.
And just like the old CMD shell, PowerShell is also designed to run built-in binaries, like WMIC.EXE, NETSH.EXE, SC.EXE, etc., but with a scripting language that's far more flexible than CMD batch scripting. What does the PowerShell scripting language look like? It looks a little bit like Perl or C#, but it's much easier to learn.
During the course we will walk through all the essentials of PowerShell together. The course presumes nothing. You don't have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun - PowerShell is just plain cooooooool...
CPE/CMU Credits: 6
Who Should Attend
Overview and security
Getting around inside PowerShell
Write your own scripts
Windows Management Instrumentation (WMI) What is WMI and why is it so powerful?
"You will know and be confident on how to enable Windows PKI after taking this course. I had no practical experience, but plenty of theory. Jason broke down the pros and cons of the whole process. Excellent!!"
-OTHELLO SWANSTON, DTRA-DOD
Please note that without a virtual machine or laptop running Windows Server, you will only be able to watch the instructor demonstrate the exercises, you won't be able to follow along on your own computer, and that is half the fun!
Should I use a Virtual Machine?
How should my virtual machine be configured?
Please install Windows Server 2012 Standard or Datacenter Edition in your VM.
If you want to have a second VM running Windows 8 or Windows 7, then that is useful too, but certainly not required. The host computer can be anything.
You can download a free trial version of Windows Server from Microsoft (just do an Internet search on "site:microsoft.com windows server trial eval" ). Remember that Server 2012 is 64-bit only, so your laptop and VM software will need to support 64-bit virtual machines.
Additionally, the Server VM should have a static IP address (perhaps 10.1.1.1) and have the primary DNS server set to this same IP address, i.e., you will be your own DNS server. Afterwards, use the Server Manager tool to install the Active Directory Domain Services role. Along the way, install the DNS service when prompted to do so, and choose any domain name you wish (perhaps "testing.local"), but don't use your organization's real domain name.
Specific instructions for installing Active Directory are below.
What if I am new to scripting?
You do not need any scripting background whatsoever to attend the course. We will spend the last day going through scripts written in PowerShell together. Half of the other attendees will be new to scripting as well.
How do I configure a static IP address in my Windows Server virtual machine?
Open Control Panel in the virtual machine, not on your host computer > Network and Sharing Center > Change adapter settings > right-click your network interface > Properties > select Internet Protocol Version 4 (TCP/IPv4) > Properties > configure that adapter with a static IP address (10.1.1.1) and set both DNS servers for that adapter to be your own IP address (10.1.1.1).
How do I install Active Directory in my Server 2012 virtual machine?
Open the Server Manager tool in the virtual machine > select your Local Server > Manage menu > Add Roles and Features > Next.
Select "Role-based or feature-based installation" > Next > choose "Select a server from the server pool" and make sure your own local server is highlighted > Next.
Check the box for "Active Directory Domain Services" > click the "Add Features" button.
Check the box for "DNS Server" > click "Add Features" button > Next > Next (there are no extra features to be installed now).
Click Next repeatedly until you can click Install > click the Install button > Close.
Wait a few minutes for Active Directory Domain Services to install. (If you are prompted to provide the path to the installation media, and if you have mounted the DVD or ISO file on drive letter "D:", then click the link at the bottom to provide an alternate path of "d:\sources\sxs".)
Go back to Server Manager, click the triangle notification near the flag at the top to see the progress of the installation of the role. Every minute or so, click the circular double-arrow refresh button and pull down the triangular alert menu again. Eventually, when it finishes, you will see and then click on "Promote this server to a domain controller".
Select "Add a new forest" > enter "testing.local" as the root domain name (or any domain name you wish) > Next.
Select forest and domain functional levels of "Windows Server 2012". Enter a password of "Sans*8" for the DSRM password (or anything you'll remember) > Next.
If you get an error concerning the DNS configuration, ignore it > Next.
Leave the NetBIOS name to the default > Next.
Leave the folder locations to their defaults > Next.
Next > Install. Ignore any error messages concerning DNS, cryptography, or anything else which does not block the installation process. Reboot the server VM after the install is finished.
Log onto your new domain controller with the same password you had before > launch Server Manager (if it does not run automatically) > Tools menu > Active Directory Users and Computers. If this tool launches successfully, you have promoted the server to a domain controller successfully. If the tool does not launch, or if other errors have blocked the installation, please search the Internet with the relevant keywords or error code numbers to find a fix, or, it may be simpler to just reinstall again (after confirming that your networking and DNS settings are correct).
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|You Will Be Able To|