The SANS Institute is a partner in the Critical Security Controls project to define the most important tasks for network security. SANS offers a great course entitled "Implementing and Auditing the Critical Security Controls (SEC566)", but which course should one take after attending SEC566?
Course SEC566 defines recommendations in a vendor-neutral way, but in fact most environments run Microsoft Windows and most of these Windows machines are joined to Active Directory domains. Is there a SANS course which offers a deep dive into the Critical Security Controls as they specifically relate to Windows and Active Directory?
Yes, the six-day Securing Windows with the Critical Security Controls course at SANS (course number SEC505) is specifically written to provide in-depth coverage of just those Critical Controls which affect Windows servers and clients.
Which Controls Are Covered In SEC505 and Which Are Not?
For each of the Critical Controls, the following describes what's covered in the Securing Windows (SEC505) course that can help you implement the controls on Windows systems, not just audit them. It also offers suggestions for other SANS courses after taking SEC566.
You might open another tab in your browser to the Critical Controls page to see a summary of the controls for comparison.
Control 1: Inventory of Hardware Devices
SEC505 does not cover hardware inventory applications. However, when gathering inventory data with nmap and other tools, you inevitably run up against problems of how to organize, store, search, compare and generate reports from the mountains of data collected. Whether you use databases, spreadsheets, XML or just comma-delimited text files to store the data, PowerShell is a superb command shell and scripting language for manipulating that data. Many security tasks are not performed because the administrators lack scripting skills, and inventory tasks are perfect examples. Because of this, SEC505 includes a full day on PowerShell scripting.
Control 2: Inventory of Software
More important than just inventory, though, this control also advises locking down software configurations, using application whitelisting, logging application usage, and preventing unwanted application installation. In SEC505 an entire day is devoted to Group Policy and there are many Group Policy technologies for just these sorts of problems, e.g., AppLocker, audit/logging policies, managing NTFS permissions, configuring almost every aspect of Internet Explorer and the Microsoft Office applications, code signing requirements for scripts/macros, restricting MSI package installation, running scripts to identify non-standard software, etc. SEC505 specifically discusses hardening techniques for Java, Internet Explorer, Google Chrome, Adobe Reader, and Microsoft Office.
Control 3: Secure Configurations for Computer Systems
Windows machines are not hardened by hand, but by the application of INF/XML security templates, such as those provided with the Microsoft Security Compliance Manager. These templates are applied using Group Policy, SECEDIT.EXE, the Security Configuration and Analysis MMC snap-in, or the Security Configuration Wizard (all of which are covered in SEC505). For the few settings that cannot be configured through a template or Group Policy, it is likely that a script would be used so that the changes could be automated (PowerShell again).
Control 4: Vulnerability Assessment and Remediation
SEC505 does not cover vulnerability scanners, which are covered in other courses, such as Security Essentials (SEC401). On the other hand, vulnerability remediation is covered very well in the sections on patch management, Group Policy, applications hardening, etc.
Control 5: Malware Defenses
Anti-malware techniques are discussed throughout the week, such as User Account Control, DNS sinkholes, hardening Internet Explorer, Chrome, Java and Adobe Reader, using jump servers, controlling AutoPlay/AutoRun, etc. A comparison of particular AV scanning products, or debate about where to install them, is not covered.
Control 6: Application-Layer Software Security
Control 7: Wireless Device Control
SEC505 walks you through the steps of setting up a PKI, pushing out wireless certificates (or smart cards), installing RADIUS servers, configuring the wireless settings on laptops through Group Policy, and enforcing the use of WPA2, AES encryption and PEAP authentication at the RADIUS servers. Through Group Policy you can also lock down and then hide the other wireless options from non-administrative users, e.g., you can prevent them from connecting to ad hoc networks. The problem of rogue access points, tethering and BYOD computers is also discussed. SANS has a great week-long track on wireless security (SEC617), but that course isn't for Windows networks specifically; SEC505 is.
Control 8: Data Recovery Capability
SEC505 does not cover how to perform backups and recovery; please see Security Essentials (SEC401) or contact your backup solution vendor.
Control 9: Skills Assessment and Training
SEC505 does not cover security training or awareness testing in detail; please see Securing the Human (MAN433).
Control 10: Secure Configurations for Network Devices
SEC505 does not cover firewall design or the configuration of routers and switches; please instead see Perimeter Protection In-Depth (SEC502).
Control 11: Control of Network Ports, Protocols and Services
Group Policy and command-line administration of IPSec and the Windows Firewall are covered in SEC505 in great detail. The combination of IPSec + Windows Firewall + Group Policy grants very precise and flexible control over which users and computers are permitted to access which ports/services on which machines. Day four of SEC505 is devoted to IPSec, the Windows Firewall, and the Microsoft RADIUS service for 802.1x authentication of wireless and Ethernet clients.
Control 12: Administrative Privileges
Every recommendation in this control regarding administrative user accounts is discussed or demonstrated in SEC505 (day 2). The PKI day of SEC505 (day 3) also walks the attendee through the process of setting up a Windows PKI and issuing smart cards and other certificates to administrative users for secure multi-factor authentication. Securely managing administrative credentials, which includes service accounts, is one of the most difficult and important tasks. SEC505 spends almost an entire day on just this one control because of its importance to Windows in particular.
Control 13: Boundary Defense
Control 14: Audit Logs
Windows audit policy and logging are configured through security templates and Group Policy, as mentioned above, since each machine has its own event logs. SEC505 also covers how to enable logging in the RADIUS servers controlling remote access, such as for VPN gateways and wireless access points (in Day 4). All of this data will need to be consolidated at a central location, usually with a third-party SIEM, but when the human touch is needed to go beyond the canned queries and reports of your SIEM, how can that data be efficiently extracted and analyzed? Again, PowerShell scripts using regular expressions and SQL queries work very nicely. What about configuring third-party SIEM products? That is not covered in SEC505.
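The kind of ad hoc log analysis described above, as an added PowerShell example that is not SEC505 course material: it parses Security-log failed-logon (event ID 4625) message text with a regular expression and summarizes failures per account and source address. The function names, the flagging cutoff and the sample messages are constructed for this example, and reading the live Security log assumes an elevated prompt.

```powershell
# Parse one 4625 ("An account failed to log on") message into account + source.
function ConvertFrom-FailedLogonMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Anchor on the "Account For Which Logon Failed" section so the Subject
        # section's own "Account Name:" line is skipped; Network Information follows it.
        $pattern = '(?s)Account For Which Logon Failed:.*?Account Name:\s+(?<Account>\S+)' +
                   '.*?Source Network Address:\s+(?<Source>\S+)'
        if ($Message -match $pattern) {
            [pscustomobject]@{ Account = $Matches.Account; Source = $Matches.Source }
        }
    }
}

# Summarize failures per (account, source); -Message lets you feed exported text
# instead of the live log. Threshold is a constructed cutoff for flagging noisy sources.
function Get-FailedLogonSummary {
    param(
        [string[]]$Message,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$Threshold = 5
    )
    if (-not $Message) {
        # Live read of the Security log (needs an elevated prompt).
        $Message = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
                   ForEach-Object { $_.Message }
    }
    $Message | ConvertFrom-FailedLogonMessage |
        Group-Object Account, Source |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                Source   = $_.Group[0].Source
                Failures = $_.Count
                Flagged  = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample messages mimicking the 4625 layout: three failures for one
# account from one host, one failure for a service account from another.
function New-SampleMessage($Account, $Source) {
    "An account failed to log on.`r`n`r`nAccount For Which Logon Failed:`r`n`tAccount Name:`t`t$Account" +
    "`r`n`r`nNetwork Information:`r`n`tSource Network Address:`t$Source`r`n"
}
$sample = @(1..3 | ForEach-Object { New-SampleMessage 'jdoe' '10.0.0.7' }) +
          (New-SampleMessage 'svc-backup' '10.0.0.9')
Get-FailedLogonSummary -Message $sample -Threshold 3 | Format-Table
```

Run without -Message on a domain member to summarize the last day of the live Security log instead of the sample.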
Control 15: Controlled Access Based on Need To Know
It's all well and good to talk about the principle of Need To Know, but where does the rubber meet the road? How do you actually implement this principle across servers in an enterprise? This control would be largely enforced through Windows user groups, security templates, Group Policy, and Dynamic Access Control policies. Testing could also be automated through PowerShell scripts which authenticate over the network as different users with different privileges. Dynamic Access Control (DAC) is something new with Server 2012 specifically for Data Loss Prevention (DLP) and enforcing need-to-know rules. All these topics are covered in SEC505.
Control 16: Account Monitoring and Control
Most recommendations in this control would be implemented through a combination of Active Directory permissions, Group Policy settings, and custom AD queries, such as with PowerShell scripts. And these topics are covered in SEC505.
Control 17: Data Loss Prevention
SEC505 covers many of the recommendations of this control for DLP, including BitLocker whole drive encryption, "BitLocker To Go" for USB flash drives, Group Policy control of USB device usage, and Dynamic Access Control (DAC), which is built into Server 2012 and later specifically for enforcing need-to-know rules and DLP. To search for Personally Identifiable Information (PII) on systems, a custom PowerShell script could be used as well. Monitoring the network for data leakage, on the other hand, is not covered in SEC505 (try SEC503).
Control 18: Incident Response
SEC505 does not cover incident response planning; this topic is discussed in other courses, such as Hacker Techniques, Exploits and Incident Handling (SEC504) and also Advanced Computer Forensic Analysis and Incident Response (FOR508).
Control 19: Secure Network Engineering
Firewall design is covered in a different course at SANS, but this control is broader than just perimeter firewalls. As discussed above, we have Group Policy control over IPSec and Windows Firewall settings for rapid response to attacks. We also cover DNSSEC, DNS sinkholes, DNS secure dynamic updates, and eliminating NetBIOS and LLMNR, and DHCP logging is easy to enable. One might also use PowerShell to extract data from large DHCP/DNS logs. Hence, most of the recommendations in this control are covered in SEC505, and then some.
Control 20: Penetration Tests
SEC505 does not cover penetration testing, which is discussed in other courses, such as Network Penetration Testing and Ethical Hacking (SEC560).
Australian Government Four Controls
The Australian government has determined that four of the 20 Critical Controls are the most effective in blocking intrusions. All four are discussed and demonstrated at length in SEC505: we use Group Policy and WSUS for software management, AppLocker for whitelisting, and devote nearly an entire day to one of the most difficult-to-implement controls, namely, controlling administrative privileges.
Automation: Group Policy + PowerShell
The 20 Critical Controls project emphasizes the importance of automation. Automation and scalability are accomplished in SEC505 by providing training on Group Policy and PowerShell. Group Policy is an Enterprise Management System (EMS) built into Active Directory that can more-or-less manage every Windows configuration setting and user application, including Chrome and Java. PowerShell is not just a scripting language, it is a remote management framework that can scale to very large networks, such as Microsoft's own cloud infrastructure. The combination of Group Policy plus PowerShell is a force multiplier for automation of the 20 Critical Controls. And where these fall short, SEC505 also includes recommendations for third-party products, such as vulnerability scanners, SIEM systems, and USB device blockers.