
SANSFIRE 2013

Washington, DC | Fri, Jun 14 - Sat, Jun 22, 2013

SEC505: Securing Windows and Resisting Malware

In April 2014, Microsoft will stop releasing new security patches for Windows XP. Like it or not, migrating off Windows XP is no longer optional; the clock is counting down. The Securing Windows and Resisting Malware course is fully updated for Windows Server 2012, Windows 8, Server 2008 R2, and Windows 7.

This course is about the most important things to do to secure Windows and how to minimize the impact on users of these changes. You'll see the instructor demo the important steps live, and you can follow along on your laptop. The manuals are filled with screenshots and step-by-step exercises, so you can do the steps alongside the instructor in seminar or later on your own time if you prefer.

We've all got anti-virus scanners, but what else needs to be done to combat malware and intruders using Advanced Persistent Threat (APT) techniques? Today's weapon of choice for hackers is stealthy malware with remote control channels, often with autonomous worm capabilities, installed through client-side exploits. While other courses focus on detection or remediation, the goal of this course is to prevent the infection in the first place (after all, first things first).

Especially in Server 2012 and beyond, PowerShell dominates Windows scripting and automation. It seems everything can be managed through PowerShell now. And if there's a needed skill that will most benefit the career of a Windows specialist, it's being able to write PowerShell scripts, because most of your competition will lack scripting skills, so it's a great way to make your resume stand out. This course devotes an entire day to PowerShell scripting, but you don't need any prior scripting experience.

This course will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to help prove your security skills and Windows expertise.

Operating System and Applications Hardening day:

  • Start with Malware-Resistant software
  • Painless (or Less Painful) Patch Management
  • How Your Anti-Virus scanners can fail you
  • Windows OS and Applications Hardening tools
  • The Group Policy Management Console (GPMC)
  • INF and XML Security templates
  • How to manage Group Policy
  • WMI filtering and GPO preferences
  • Custom ADM/ADMX templates
  • AppLocker whitelisting
  • Hardening Adobe Reader
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Microsoft Office
  • Virtual Desktop Infrastructure (pros and cons)

Dynamic Access Control & Restricting Admin Compromise day:

  • Server 2012 Dynamic Access Control (DAC)
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic File Classification Infrastructure
  • Users in the local administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • User Account Control
  • Kerberos Armoring and eliminating NTLM
  • Delegating IT power more safely
  • Active Directory permissions and auditing

PKI, BitLocker and Secure Boot day:

  • Why must I have A PKI?
  • Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
  • How to install the Windows PKI
  • Root vs. Subordinate certification authorities
  • Should you be your own root CA?
  • How to manage your PKI
  • Group policy deployment of certificates
  • How to revoke certificates
  • Automatic private key backup
  • Deploying Smart Cards
  • Best practices for private keys
  • BitLocker drive encryption
  • Windows 8 secure boot
  • TPM and USB BitLocker options
  • BitLocker emergency recovery

Dangerous Protocols, IPSec, Windows Firewall, and Wireless day:

  • Dangerous protocols: SSL, RDP, SMB, DNS
  • Isn't IPSec just for VPNs? No!
  • IPSec for TCP port permissions
  • How to create IPSec policies
  • Group Policy Management of IPSec
  • DNSSEC and DNS dynamic updates
  • NETSH.EXE
  • Windows Firewall with advanced security
  • Configuring RADIUS Policies (NPS)
  • Wi-Fi Protected Access (WPA)
  • EAP vs. PEAP
  • PEAP-MS-CHAPv2
  • Secure access to wireless networks
  • Secure access to Ethernet networks
  • Smart cards for wireless and Ethernet
  • Best practices for wireless and Ethernet

Securing IIS Web Servers day:

  • IIS server hardening
  • Configuring SSL and TLS
  • Centralized certificates and SNI
  • Securing WebDAV
  • Authentication options
  • Smart cards for web applications
  • Proper NTFS permissions and auditing
  • What are application pools?
  • Securing XML config files
  • Secure remote administration
  • Restricting webmasters
  • FTP Over SSL (FTPS)

PowerShell Scripting day:

  • What is PowerShell?
  • Running CmdLets and scripts
  • Writing your own functions
  • Writing your own scripts
  • Flow control within scripts
  • Managing the event logs
  • Managing Active Directory
  • Windows Management Instrumentation (WMI)
  • Accessing COM Objects
  • Security and execution policy

You are encouraged to bring a virtual machine running Windows Server 2012 Standard or Datacenter Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2012 from Microsoft's web site (just do a search on "site:microsoft.com Server 2012 evaluation trial"). You can use Hyper-V, VMware, VirtualBox, or any other virtual machine software you wish.

This is a fun course and a real eye-opener even for Windows administrators with years of experience. Whether you're taking SEC505 live or in OnDemand, get the PowerShell scripts now for the course from http://www.sans.org/windows-security (go to the Downloads link). There is no prior registration required, and all scripts are in the public domain.

Course Syllabus
  SEC505.1: Windows Operating System and Applications Hardening Jason Fossen Mon Jun 17th, 2013
9:00 AM - 5:00 PM
Overview

The best analogy for modern network penetration is biological warfare. A vulnerable client is exploited through weak software and social engineering to install the hacker's malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and to exfiltrate valuable data (or to destroy it). When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you've got an Advanced Persistent Threat (APT) situation. You're in trouble.

We don't just want to detect hackers and malware; we want to try to prevent the case-zero compromise to begin with. Prevention comes first, and then detection and remediation come afterwards. An ounce of prevention is worth a pound of cure. Today's course is on prevention through Windows operating system and applications hardening. The aim is to try to deny hackers and malware that initial foothold inside the network, because once they're in, they're hard to clean out.

We start by choosing malware-resistant software and Windows operating systems, then we regularly update that software, limit what software users can run, and then configure that software so that its exploitable features are disabled or at least restricted to work-only purposes. Nothing is guaranteed, of course, but what if you could reduce your malware infection rate by more than half? What if your next penetration test wasn't just an exercise in embarrassment?

The trick is hardening Windows in a way that is cost-effective, scalable, and with minimal user impact. In this course we'll look at tools like Group Policy, security templates, WSUS, and SCWCMD.EXE to hopefully make it easier. In today's course and during the week, we'll see how to implement many of the SANS Critical Controls.

CPE/CMU Credits: 6

Who Should Attend
  • Windows security engineers and system administrators
  • Those who need to reduce malware and APT infections
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts

Topics

Malware-resistant software

  • What increases exploitability?
  • Cloud vendor relations
  • Metro apps and WinRT API
  • UEFI firmware vulnerabilities
  • DEP, ASLR, SEHOP

Updating vulnerable software

  • WSUS shortcomings
  • WSUS third-party enhancements
  • Patching off-site tablets and laptops
  • Identifying rogue devices (BYOD Hell)
  • Windows App Store (Metro)

OS Hardening with security templates

  • INF vs. XML security templates
  • How to edit and apply templates
  • Security configuration and analysis
  • SECEDIT.EXE
  • Security configuration wizard
  • Auditing with templates

Hardening with Group Policy

  • Group Policy Objects (GPOs)
  • Third-Party GPO enhancements
  • Pushing out PowerShell scripts
  • GPO remote command execution
  • GPO troubleshooting tools
  • Custom ADM/ADMX templates

Enforcing Critical Controls

  • Whitelisting with AppLocker
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Adobe Reader
  • Hardening Microsoft Office
  • Virtual Desktop Infrastructure (pros and cons)
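AppLocker whitelisting is the control above that does the most to deny malware its initial foothold, so here is an added example of how it is typically rolled out from PowerShell. This is not code from the course materials; it assumes a Windows 8 or Server 2012 machine with the built-in AppLocker module, and the directory list, the sample file path and the GPO distinguished name in the comment are illustrative assumptions.

```powershell
Import-Module AppLocker

# AppLocker rules are only enforced while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Harvest the executables the machine legitimately runs and turn them into rules:
# a publisher rule where the file is Authenticode-signed, a hash rule otherwise.
# Path rules are deliberately left out: any folder a user can write to defeats them.
$trusted = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {   # assumed trusted roots
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$policy = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
                              -User Everyone -Optimize -IgnoreMissingFileInformation

# Start in audit mode: violations are logged (AppLocker event ID 8003) but nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Apply to the local policy for testing. To push it through Group Policy instead, pass the
# GPO's LDAP path, e.g. -Ldap 'LDAP://DC=testing,DC=local,CN={GUID},CN=Policies,CN=System' (assumed).
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Ask the policy what it would do with a file dropped outside the trusted folders (assumed path).
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\Public\Downloads\installer.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# After a week in audit mode, review what would have been blocked before switching
# each collection's EnforcementMode to 'Enabled'.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
                             -EventType Audited -Statistics
```

The order matters: audit first, read the 8003 events, add the missing publisher rules, and only then enforce. Enforcing straight away on a fleet you have not inventoried is how whitelisting projects get rolled back.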

 
  SEC505.2: Dynamic Access Control & Restricting Administrative Compromise Jason Fossen Tue Jun 18th, 2013
9:00 AM - 5:00 PM
Overview

Windows Server 2012 introduced a major new security enhancement called Dynamic Access Control (DAC). If you have millions of files spread across multiple servers, how can you manage access to and auditing of these ever-changing files? How can we avoid relying on NTFS permissions and auditing alone?

DAC allows you to mark files as "Trade Secret", "PII", or with any other classification tag you need, then apply restrictions and auditing based on these hidden file tags. But it is not done with AD group memberships and NTFS alone; DAC is not just an NTFS management system. With your own custom user and computer attributes defined in Active Directory, you can implement a Data Loss Prevention (DLP) solution based on "claims" associated with your users and their various devices. You can also perform auditing this way to help comply with regulations in your industry.

Dynamic Access Control works best with Server 2012 and Windows 8, but Windows 8 is not required. There is a gentle deployment pathway as you migrate off Windows XP. You do not have to deploy Windows 8 to benefit from DAC today.

Today's course also includes more recommendations for thwarting malware and APT adversaries. Hackers and malware love it when users are members of the local Administrators group on their computers. It makes it easier for the computer to get compromised. We will talk about what's so dangerous about the Administrators group and how to either get users out of that group or to secretly curtail the power of that group.

User Account Control (UAC) helps in this regard, but there's much more to UAC than just the annoying pop-up dialog boxes (in fact, those pop-ups can be turned off). We'll also talk about the dangers of NTLM, how to get rid of it, and how to use Kerberos only. But even Kerberos is vulnerable to attack, so Server 2012 adds "Kerberos armoring" (FAST), which protects the pre-authentication exchange from offline password guessing and carries device claims for DAC.

Network administrators are also prime targets for hackers. The Domain Admins group is just too attractive. In today's course we'll talk about how to delegate authority safely in order to limit the scope of harm from a compromise. Using Active Directory permissions we can delegate authority to various IT groups and contractors without giving the farm away.

CPE/CMU Credits: 6

Who Should Attend
  • Windows security engineers and system administrators
  • Those who need Dynamic Access Control (DAC)
  • Those who need to reduce malware and APT infections
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts
Topics

Dynamic Access Control (DAC)

  • Claims-based access control and auditing
  • DAC does not require Windows 8
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic file classification infrastructure
  • User and device identity restrictions
  • Auditing without managing SACLs
  • Central access policy deployment

Compromise of administrative powers

  • Hackers and malware LOVE administrative users
  • Partially limiting pass-the-hash attacks
  • How to get users out of the administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • User Account Control (making it less annoying)
  • Kerberos armoring and eliminating NTLM
  • Picture password on touch tablets
  • Windows Credential Manager vs. KeePass
  • Managed service accounts
  • Scheduling tasks with admin privileges

Active Directory permissions and delegation

  • Delegating authority at the OU level
  • OU as administrative firewall
  • Domains are not security boundaries
  • Active Directory permissions
  • Active Directory auditing
  • Logging attribute content changes
 
  SEC505.3: Windows PKI, BitLocker, and Secure Boot Jason Fossen Wed Jun 19th, 2013
9:00 AM - 5:00 PM
Overview

Public Key Infrastructure (PKI) is not an optional security infrastructure anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. With Windows Certificate Services you can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge.

Digital certificates play an essential role in Windows security: IPSec, EFS, secure e-mail, SSL/TLS, Kerberos authentication with smart cards, smart card authentication to IIS and VPN servers, script signing, etc. They all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap.

You also have to encrypt your laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker is built into Windows already? BitLocker is manageable through Group Policy and from the command line. BitLocker has automatic encryption key archival features for recovery, requires little or no user training, and can be used to encrypt portable USB drives. If you have a TPM chip on your motherboard, BitLocker can seal its key to the measured boot state, so tampering with the boot loader or firmware (a rootkit or bootkit) keeps the key from being released; note that a TPM chip is definitely not required to use BitLocker.
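The TPM-plus-recovery-password deployment described above, as an added example in PowerShell rather than code from the course materials. It assumes a Windows 8 or Server 2012 machine with the built-in BitLocker and TrustedPlatformModule modules, a TPM that is present and owned, and a Group Policy that permits backing up recovery information to AD DS; the drive letter is the usual C:.

```powershell
Import-Module BitLocker

# Confirm a TPM is present and ready. Without one, use -StartupKeyProtector with a USB
# key instead of -TpmProtector; everything else below stays the same.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; use a USB startup key protector instead'
}

# 1. Add a recovery password BEFORE the TPM protector, so the volume stays recoverable
#    if the TPM later refuses to release the key (firmware update, board swap, tampering).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 2. Archive that recovery password to Active Directory (requires the
#    "Store BitLocker recovery information in AD DS" policy to be enabled).
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# 3. Seal the volume master key to the TPM and start encrypting. -UsedSpaceOnly is fine
#    for a fresh install; use full encryption on a drive that has already held data.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest

# 4. Verify: protection should be On and both protector types present.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

The same four steps map one-to-one onto `manage-bde -protectors -add`, `manage-bde -protectors -adbackup`, `manage-bde -on` and `manage-bde -status` for scripts that must also run on Windows 7.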

With UEFI firmware and Windows 8, you can also use Secure Boot to help fight off bootkits and other malware too.

Planning a PKI or data encryption project isn't easy, and mistakes and redeployments can be costly, so this course, in part, is designed to assist in the planning process to help avoid these mistakes. If you're not encrypting tablets, laptops and portable drives now, you will be soon.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs a whole drive encryption solution
  • Anyone who needs to encrypt data on portable drives
  • Anyone deploying a Windows smart card solution
  • Anyone who needs digital certificates on Windows hosts
  • Anyone widely deploying SSL or S/MIME certificates
  • Anyone deploying or managing a PKI with Windows

Topics

Why must I have a PKI?

  • Not optional anymore; You don't have a choice.
  • Windows security designed for PKI
  • Examples: Smart cards, IPSec, WPA wireless, SSL, S/MIME, etc.
  • Biometrics and PKI were made for each other.

How to install the Windows PKI

  • Root vs. Subordinate certification authorities
  • Should you be your own root CA?
  • Custom certificate templates
  • Controlling certificate enrollment

How to manage your PKI

  • Group policy deployment of certificates
  • Group policy PKI settings
  • How to revoke certificates
  • Automatic private key backup
  • Delegation of authority

Deploying Smart Cards

  • Everything you need is built-in
  • Smart card enrollment station
  • Group Policy deployment

BitLocker drive encryption

  • Secure Boot (Windows 8)
  • TPM and USB options
  • Emergency recovery
  • Group Policy management
  • MANAGE-BDE.EXE and the BitLocker PowerShell cmdlets
  • Best practices for BitLocker

 
  SEC505.4: Dangerous Protocols, IPSec, Windows Firewall, and Wireless Jason Fossen Thu Jun 20th, 2013
9:00 AM - 5:00 PM
Overview

Are you using Remote Desktop Protocol (RDP), DNS name resolution, or the File and Print Sharing (SMB) protocol? You shouldn't really trust them, they are hacker favorites. Do you have an 802.11 wireless network with just a pre-shared key? There's much more to wireless and Ethernet security than just key length. Today's course is on securing wireless and wired network access, hardening vulnerable protocols and ports, and using the Windows Firewall with IPSec.

You don't need third-party host firewalls anymore; the built-in Windows Firewall can be managed through Group Policy and is deeply integrated with IPSec.

IPSec is not just for VPNs. Because Windows IPSec (AuthIP) can authenticate the user and computer against Active Directory, Windows Firewall rules can grant access to TCP and UDP ports based on group membership, much like share permissions. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on your servers and tablets to only permit access to RPC or SMB ports if 1) the client has a local IP address, 2) the client is authenticated by IPSec to be a member of the domain, and 3) the packets are all encrypted with AES. This is not only possible, but is actually relatively easy to deploy with Group Policy. We will see exactly how to do this in seminar.
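The three-condition rule described in the paragraph above, written out as an added example with the Server 2012 NetSecurity cmdlets (this is not code from the course materials). It assumes a domain-joined server, Kerberos computer authentication, SMB on TCP 445 and the RPC endpoint mapper on TCP 135; rule names and the "Domain Computers" group are assumptions for illustration.

```powershell
Import-Module NetSecurity

# Phase 1: authenticate the computer with Kerberos (i.e. prove domain membership).
$auth    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer Kerberos' -Proposal $auth

# Phase 2: ESP with AES-256 for confidentiality and SHA-1 for integrity.
$qm    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA1
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA1' -Proposal $qm

# Connection security rule: inbound SMB/RPC from the local subnet MUST be protected by
# IPsec; outbound only requests it so the server can still talk to unmanaged hosts.
New-NetIPsecRule -DisplayName 'Require IPsec for SMB and RPC endpoint mapper' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Protocol TCP -LocalPort 135, 445 -RemoteAddress LocalSubnet

# Firewall rule: allow the ports only when the connection is (1) from the local subnet,
# (2) authenticated by IPsec as a member of Domain Computers, and (3) encrypted.
$domainComputers = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Computers")).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'SMB and RPC: local subnet, IPsec-authenticated, encrypted only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135, 445 `
    -RemoteAddress LocalSubnet -Authentication Required -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$domainComputers)"

# After a domain client connects, confirm what was actually negotiated.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, Encryption, Integrity
```

Two caveats from practice: a firewall rule with `-Authentication Required` silently drops any connection that has no matching connection security rule, so deploy the IPsec rule first; and remember to remove or scope down the built-in "File and Printer Sharing (SMB-In)" rule, otherwise it still allows unauthenticated 445 from the same subnet. Dynamic RPC ports above the endpoint mapper need a second firewall rule with `-LocalPort RPC`.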

But if the firewall allows the use of RDP, DNS and SMB, then the firewall by itself can't secure these dangerous protocols; they have to be hardened with DNSSEC, SMBv3 encryption, IPSec, and TLS. Many applications still rely on SSL, but that aging protocol is no silver bullet; it's better to disable SSL and require a recent version of TLS. And as more of our servers are moved out to the cloud, we will rely on TLS, RDP and IPSec even more.

Windows Server includes a built-in RADIUS service that can be used to regulate access to your wireless access points, managed Ethernet switches, and VPN gateways. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free. This week we will see how to set it all up, step-by-step, including the PKI.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs to secure network traffic in Windows LANs
  • Anyone who wants to use IPSec for more than just VPNs
  • Anyone who needs to secure an 802.11 wireless network
  • Anyone who needs to understand Windows RADIUS

Topics

Dangerous protocols

  • SSL weaknesses
  • RDP credentials exposure
  • SMBv3 native encryption
  • NetBIOS and LLMNR
  • DNS dynamic updates
  • DNS sinkholes
  • DNSSEC

Windows Firewall and IPSec

  • Group Policy management
  • Metro app and service awareness
  • Location awareness
  • IPSec integration

Why IPSec?

  • IPSec is NOT just for VPNs!
  • More secure than SSL
  • User/computer authentication
  • Transparent to users
  • No user training required
  • NIC hardware acceleration
  • Compatible with NAT

Creating IPSec policies

  • Require vs. prefer encryption
  • Share permissions on TCP ports
  • IDS/IPS compatibility options
  • IPSec-based encrypted VLANs
  • Group Policy management
  • Scripting for stand-alones

Securing Wireless Networks

  • Wi-Fi Protected Access (WPA2)
  • Pre-shared key weaknesses
  • DoS attack vulnerabilities
  • Rogue access point detection
  • BYOD and network bridging
  • Wireless best practices

RADIUS for Wireless and Ethernet

  • Certificate authentication and PKI
  • How to use smart cards
  • EAP vs. PEAP
  • PEAP-MS-CHAPv2
  • 802.1X for Ethernet switches
  • Account lockout DoS attacks
  • Group Policy configuration of clients
 
  SEC505.5: Server Hardening and IIS Jason Fossen Fri Jun 21st, 2013
9:00 AM - 5:00 PM
Overview

Of all the servers you manage, your Internet-facing IIS servers are probably the most at risk. IIS is a magnet for hackers, so great care must be taken in planning how to deploy and configure Microsoft's notorious HTTP and FTP server.

In this course, we will talk about how to harden the OS, how to strip IIS down to its essentials to reduce its attack surface, how to enforce authentication and authorization rules, how to implement application-layer HTTP/FTP filtering rules, and in general how to help keep your website from becoming another victim statistic.

During the day, the Code Red worm will be used as an example of an exploit which could have been easily blocked through proper configuration even if the patch for Code Red had not been applied prior to the attack: Code Red sent a single overlong GET request for an .ida file to trigger a buffer overflow in the Indexing Service ISAPI extension (idq.dll), a handler most web servers never needed mapped in the first place. IIS security is much more than just setting up a firewall and applying patches; it's about proactively anticipating tomorrow's attacks and being ready for them. Using free Microsoft add-ons, like URL Rewrite, we can do our own application-layer firewalling and satisfy some PCI requirements at the same time.
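An added example of the configuration-level defence just described, using the IIS 7.5/8 request filtering module from the WebAdministration PowerShell module (not code from the course materials). It assumes IIS with request filtering installed and writes to the server-wide applicationHost.config; the extension, verb and size limits are illustrative choices to be adjusted per application.

```powershell
Import-Module WebAdministration

$scope = 'MACHINE/WEBROOT/APPHOST'   # server-wide; use 'IIS:\Sites\Default Web Site' to scope to one site
$rf    = 'system.webServer/security/requestFiltering'

# 1. Refuse extensions that map to legacy ISAPI handlers the site does not use. Code Red's
#    GET for a .ida file is rejected here (HTTP 404.7) before idq.dll would ever be loaded.
foreach ($ext in '.ida', '.idq', '.htw', '.htr', '.printer', '.stm', '.shtml') {
    Add-WebConfigurationProperty -PSPath $scope -Filter "$rf/fileExtensions" -Name '.' `
        -Value @{ fileExtension = $ext; allowed = $false }
}

# 2. Overlong URLs and query strings are the classic carrier for overflows and injection;
#    cap them (404.14 / 404.15) and cap request bodies (404.13).
Set-WebConfigurationProperty -PSPath $scope -Filter "$rf/requestLimits" -Name 'maxUrl' -Value 2048
Set-WebConfigurationProperty -PSPath $scope -Filter "$rf/requestLimits" -Name 'maxQueryString' -Value 1024
Set-WebConfigurationProperty -PSPath $scope -Filter "$rf/requestLimits" -Name 'maxAllowedContentLength' -Value 10485760

# 3. Reject double-encoded (404.11) and high-bit (404.12) sequences used to dodge path checks.
Set-WebConfigurationProperty -PSPath $scope -Filter $rf -Name 'allowDoubleEscaping' -Value $false
Set-WebConfigurationProperty -PSPath $scope -Filter $rf -Name 'allowHighBitCharacters' -Value $false

# 4. Deny verbs the application does not need (404.6). Add PUT/DELETE here too unless
#    WebDAV is deliberately in use on this server.
Add-WebConfigurationProperty -PSPath $scope -Filter "$rf/verbs" -Name '.' -Value @{ verb = 'TRACE'; allowed = $false }

# 5. Never serve configuration files even if a request path reaches them (404.8).
Add-WebConfigurationProperty -PSPath $scope -Filter "$rf/hiddenSegments" -Name '.' -Value @{ segment = 'web.config' }

# Review the resulting extension list.
Get-WebConfiguration -PSPath $scope -Filter "$rf/fileExtensions/add" | Select-Object fileExtension, allowed
```

The 404.x substatus codes above land in the IIS logs, which is what makes request filtering useful for the "hacking signatures in logs" topic later in the day: a burst of 404.7 and 404.14 from one source is a scanner, and you can see exactly which rule stopped it.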

We will also see how to require SSL/TLS for the greatly improved FTP service and how to configure an FTP server farm to provide secure remote access to internal file servers.

The demand for IIS security personnel is great because IIS is so widely deployed. As more and more of your previously-internal servers are pushed out to cloud providers as VMs, you'll want to know how to harden them, your IaaS cloud provider will not do it all for you. If you're new to IIS, this course will get you up to speed.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who manages the security of IIS servers
  • IIS webmasters and application developers
  • Anyone who needs an FTP-over-SSL solution
  • Anyone using WebDAV with IIS
  • Anyone who uses the new IIS interface and XML system

Topics

Server Hardening

  • Security templates and Group Policy
  • Service packs and hotfixes
  • Website location
  • Dangerous files
  • Dangerous services
  • WebDAV
  • Protocols and bindings
  • TCP/IP parameters
  • IPSec filtering and authentication

XML configuration system

  • The metabase is gone
  • How the XML configuration files work
  • The new GUI management interface

IIS Authentication and Authorization

  • Anonymous, basic, digest, Kerberos, and NTLM authentication
  • Smart Card certificate authentication to IIS
  • IIS/HTTP permissions
  • NTFS permissions and auditing
  • Running scripts and binaries on IIS
  • How to configure SSL/TLS
  • Centralized certificates and SNI

Web-based applications

  • Worker processes
  • Application pools
  • HTTP.SYS
  • Buffer overflow attacks
  • URL Rewrite Module
  • Request filtering
  • Process isolation techniques

Logging and auditing

  • Event viewer logs
  • IIS logs and accounting
  • Hacking signatures in logs
  • SSL connection logging
  • Securing log files

FTP over SSL (FTPS)

How to configure FTPS

FTPS clients and issues

 
  SEC505.6: Windows PowerShell Scripting Jason Fossen Sat Jun 22nd, 2013
9:00 AM - 5:00 PM
Overview

PowerShell is Microsoft's upgrade for the old CMD.EXE shell and a Perl-like scripting language for it too. PowerShell is available as a free download for Windows XP/2003/Vista and is built into Windows 7 and later operating systems by default (get the latest version from http://www.microsoft.com/powershell/). In Server 2012 especially, everything is PowerShell, PowerShell, PowerShell...

PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What's the big deal? PowerShell rides on top of the .NET Framework; hence, the entire .NET class library is available at the command prompt. And, when PowerShell scripts and tools pipe data into other PowerShell scripts and tools, it's not plain text that gets piped, but entire .NET objects, including all their properties and methods.

PowerShell is the future of administrative scripting on Windows. For example, Exchange Server and Operations Manager have graphical management tools, but these tools are really just GUI wrappers for PowerShell commands. There are also PowerShell cmdlets for IIS, Server Manager, AppLocker, Active Directory, Server Core, and more. Microsoft has promised that other products will be PowerShell-ized too, so the long-term trend is clear: almost everything in Windows will eventually be manageable through PowerShell.

What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript too. This means you can use PowerShell with Windows Management Instrumentation (WMI), Active Directory Services Interface (ADSI), ActiveX Data Objects (ADO), and other COM interfaces. So while VBScript gives you COM, PowerShell gives you both .NET and COM.

And just like the old CMD shell, PowerShell is also designed to run built-in binaries, like WMIC.EXE, NETSH.EXE, SC.EXE, etc., but with a scripting language that's far more flexible than CMD batch scripting. What does the PowerShell scripting language look like? It looks a little bit like Perl or C#, but it's much easier to learn.

During the course we will walk through all the essentials of PowerShell together. The course presumes nothing. You don't have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun - PowerShell is just plain cooooooool...

CPE/CMU Credits: 6

Who Should Attend
  • All Windows administrators who use the command line
  • Windows administrators that want to use scripting
  • Batch file coders looking to upgrade or avoid obsolescence
  • UNIX admins who want to feel more at home on Windows
  • Anyone who writes scripts for Windows - PowerShell is the future!
Topics

Overview and security

  • What is PowerShell?
  • Why should I learn it?
  • Why is everything in Windows getting PowerShell-ized?
  • Signing scripts and execution policy

Getting around inside PowerShell

  • Built-in help system
  • Built-in graphical editor
  • Aliases for CMD and bash users
  • Running cmdlets, functions, and scripts
  • Piping objects instead of text
  • Using properties and methods of objects

Example commands

  • Active Directory scripting
  • Searching event logs
  • Parsing nmap XML output

Write your own scripts

  • Writing your own functions
  • Flow control: if-then, do-while, foreach, switch
  • Accessing COM objects like in VBScript
  • How to pipe data in/out of scripts

Windows Management Instrumentation (WMI)

  • What is WMI and why is it so powerful?
  • WMI queries and remote command execution
  • Searching remote event logs faster
  • Inventory installed software
  • Sample scripts to walk through together
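An added example tying the event-log and WMI topics above together: search several servers' Security logs for failed logons and take a quick WMI inventory, all through PowerShell remoting. This is not one of the course's sample scripts; it assumes PowerShell 3.0 with remoting enabled on the targets, and the server names are assumptions.

```powershell
$servers = 'DC1', 'FILE1', 'WEB1'   # assumed host names

# Failed logons (event 4625) in the last 24 hours, parsed from the event XML. The
# FilterHashtable runs on the remote side, so only matching events cross the wire.
$failed = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Time      = $_.TimeCreated
                Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceIP  = $data.IpAddress
                LogonType = $data.LogonType
                Status    = $data.Status
            }
        }
}

# Aggregate by source and account: one address guessing many accounts is a spray,
# one account from many addresses is a targeted guess.
$failed | Group-Object SourceIP, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# WMI inventory over the same hosts: installed hotfixes (to spot the unpatched machine)
# and services whose binary lives outside C:\Windows, a favourite persistence spot.
$inventory = Invoke-Command -ComputerName $servers -ScriptBlock {
    $hotfixes = @(Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object -ExpandProperty HotFixID)
    $services = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^("?)C:\\Windows\\' } |
        Select-Object Name, StartMode, State, PathName
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; HotfixCount = $hotfixes.Count; OddServices = $services }
}
$inventory | Select-Object Computer, HotfixCount,
    @{ n = 'OddServices'; e = { ($_.OddServices.Name) -join ', ' } } | Format-Table -AutoSize
```

Parsing the event XML instead of the message text is what makes the first half reliable: the message layout changes between Windows versions and languages, but the EventData field names (TargetUserName, IpAddress, LogonType) do not.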
 
Additional Information
 
  Testimonial

"You will know and be confident on how to enable Windows PKI after taking this course. I had no practical experience, but plenty of theory. Jason broke down the pros and cons of the whole process. Excellent!!"

-OTHELLO SWANSTON, DTRA-DOD

 
  Laptop Required

Please note that without a virtual machine or laptop running Windows Server, you will only be able to watch the instructor demonstrate the exercises, you won't be able to follow along on your own computer, and that is half the fun!

Should I use a Virtual Machine?

Yes, in fact, using a virtual machine is preferred. Windows 8 Pro and Enterprise both include Hyper-V. You can also obtain VMware Player or Oracle VirtualBox for free.

How should my virtual machine be configured?

Please install Windows Server 2012 Standard or Datacenter Edition in your VM.

If you want to have a second VM running Windows 8 or Windows 7, then that is useful too, but certainly not required. The host computer can be anything.

You can download a free trial version of Windows Server from Microsoft (just do an Internet search on "site:microsoft.com windows server trial eval" ). Remember that Server 2012 is 64-bit only, so your laptop and VM software will need to support 64-bit virtual machines.

Additionally, the Server VM should have a static IP address (perhaps 10.1.1.1) and have the primary DNS server set to this same IP address, i.e., you will be your own DNS server. Afterwards, use the Server Manager tool to install the Active Directory Domain Services role. Along the way, install the DNS service when prompted to do so, and choose any domain name you wish (perhaps "testing.local"), but don't use your organization's real domain name.

Specific instructions for installing Active Directory are below.

What if I am new to scripting?

You do not need any scripting background whatsoever to attend the course. We will spend the last day going through scripts written in PowerShell together. Half of the other attendees will be new to scripting as well.

How do I configure a static IP address in my Windows Server virtual machine?

Open Control Panel in the virtual machine, not on your host computer > Network and Sharing Center > Change adapter settings > right-click your network interface > Properties > select Internet Protocol Version 4 (TCP/IPv4) > Properties > configure that adapter with a static IP address (10.1.1.1) and set both DNS servers for that adapter to be your own IP address (10.1.1.1).

How do I install Active Directory in my Server 2012 virtual machine?

Open the Server Manager tool in the virtual machine > select your Local Server > Manage menu > Add Roles and Features > Next.

Select "Role-based or feature-based installation" > Next > choose "Select a server from the server pool" and make sure your own local server is highlighted > Next.

Check the box for "Active Directory Domain Services" > click the "Add Features" button.

Check the box for "DNS Server" > click "Add Features" button > Next > Next (there are no extra features to be installed now).

Click Next repeatedly until you can click Install > click the Install button > Close.

Wait a few minutes for Active Directory Domain Services to install. (If you are prompted to provide the path to the installation media, and if you have mounted the DVD or ISO file on drive letter "D:", then click the link at the bottom to provide an alternate path of "d:\sources\sxs".)

Go back to Server Manager, click the triangle notification near the flag at the top to see the progress of the installation of the role. Every minute or so, click the circular double-arrow refresh button and pull down the triangular alert menu again. Eventually, when it finishes, you will see and then click on "Promote this server to a domain controller".

Select "Add a new forest" > enter "testing.local" as the root domain name (or any domain name you wish) > Next.

Select forest and domain functional levels of "Windows Server 2012". Enter a password of "Sans*8" for the DSRM password (or anything you'll remember) > Next.

If you get an error concerning the DNS configuration, ignore it > Next.

Leave the NetBIOS name to the default > Next.

Leave the folder locations to their defaults > Next.

Next > Install. Ignore any error messages concerning DNS, cryptography, or anything else which does not block the installation process. Reboot the server VM after the install is finished.

Log onto your new domain controller with the same password you had before > launch Server Manager (if it does not run automatically) > Tools menu > Active Directory Users and Computers. If this tool launches successfully, you have promoted the server to a domain controller successfully. If the tool does not launch, or if other errors have blocked the installation, please search the Internet with the relevant keywords or error code numbers to find a fix, or, it may be simpler to just reinstall again (after confirming that your networking and DNS settings are correct).

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Windows security engineers and system administrators
  • Anyone who wants to learn PowerShell
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts
  • Anyone who needs a whole drive encryption solution
  • Those deploying or managing a PKI or smart cards
  • IIS administrators and webmasters with servers at risk
 
  You Will Be Able To
  • Harden the configuration settings of the Internet Explorer, Google Chrome, Adobe Reader and Microsoft Office applications to better withstand client-side exploits.
  • Use Group Policy to harden the Windows operating system by configuring DEP, ASLR, SEHOP, EMET and AppLocker whitelisting by applying security templates and running custom PowerShell scripts.
  • Deploy a WSUS patch server with third-party enhancements to overcome its limitations.
  • Implement Server 2012 Dynamic Access Control permissions, file tagging and auditing for Data Loss Prevention (DLP).
  • Use Active Directory permissions and Group Policy to safely delegate administrative authority in a large enterprise to better cope with token abuse, pass-the-hash, service/task account hijacking, and other advanced attacks.
  • Install and manage a full Windows PKI, including smart cards, Group Policy auto-enrollment, and detection of spoofed root CA certificates.
  • Configure BitLocker drive encryption with a TPM chip using graphical and PowerShell tools.
  • Harden SSL/TLS, RDP, DNS (with DNSSEC) and other dangerous protocols using Windows Firewall and IPSec rules managed through Group Policy and PowerShell scripts.
  • Install the Windows RADIUS server (NPS) for PEAP-TLS authentication of 802.11 wireless clients, with hands-free client configuration through Group Policy.
  • Harden an IIS web and FTP server against determined attackers, including WebDAV, FTP over SSL, HTTP-layer firewalling, and smart card authentication.
  • Automate security tasks on local and remote systems with the PowerShell scripting language and remoting framework.