Community SANS

Paris, France | Mon Dec 3 - Fri Dec 7, 2012

Please note that this course is taught in French but coursebooks are in English.

SEC505: Securing Windows

The Securing Windows and Resisting Malware course at SANS (SEC505) includes what you need to know to secure your clients and servers running Microsoft Windows. It includes topics like PowerShell, Active Directory delegation of authority, BitLocker, AppLocker, User Account Control, Group Policy, Windows Firewall, IPSec port permissions, PKI deployment, IIS hardening, and more. A major goal of the course is to prevent client-side exploits and malware infections from Advanced Persistent Threat (APT) adversaries.

Are you transitioning from Windows XP to Windows 7? The Securing Windows track is fully updated for Windows Server 2008 - R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7.

The SANS SEC505: Securing Windows is a comprehensive set of courses for Windows security architects and administrators. It also tackles tough problems like Active Directory forest design, how to use Group Policy to lock down desktops, deploying a Microsoft PKI and smart cards, pushing firewall and IPSec policies out to every computer in the domain, securing public IIS Web servers, and PowerShell scripting.

PowerShell is the future of Windows scripting and automation. Easier to learn and more powerful than VBScript, PowerShell is an essential tool for automation and scalable management. And if there's one skill that will most benefit the career of a Windows specialist, it's scripting, because most of your competition lacks scripting skills, so it's a great way to make your resume stand out. Scripting skills are also essential for being able to implement the 20 Critical Security Controls.

SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to help prove your security skills. In fact, all the questions on the exam come from the manuals used in the course.

You are encouraged to bring a virtual machine running Windows Server 2008 Enterprise Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on screen. You can get a free evaluation version of Server 2008 - R2 from Microsoft's Web site (just do a Google search on "site:microsoft.com Server 2008 trial"). You can use VMware, VirtualBox, or any other virtual machine software you wish.

This is a fun course and a real eye-opener even for Windows administrators with years of experience. Come see why there's a lot more to Windows security than just applying patches and changing passwords. Come see why a Windows network needs a security architect.

Download the scripts and other files for this course here.

Course Syllabus
Course Contents
  SEC505.1: Securing Active Directory and DNS
Overview

For a security architect, Active Directory is the foundation upon which the rest of Windows security depends. Active Directory (AD) is the infrastructure behind the other security infrastructures, such as PKI, identity management, Network Access Protection, and Group Policy. A compromise of AD, such as hacker accounts being added to the Enterprise Admins group, would lead to the collapse of all other security safeguards tied to it. And some of our most likely adversaries are other Domain Admins who have good intentions, but don't know what they're doing; hence, we must also delegate authority in AD to limit this kind of accidental damage.

Unfortunately, there is a lot of misinformation circulating out there about Active Directory security. For example, are you actually getting any benefit from having an "empty root domain," or does it just create hassles? Do you place your public IIS servers in your primary domain, in a new domain, or in a completely new forest with a cross-forest trust? Are all of your branch office domain controllers physically secured, or are you using read-only domain controllers, or both? Why is a "server core" domain controller supposedly more secure than a standard installation when they both have the exact same services listening on the same port numbers? AD design was never simple to begin with, and now it's even more complex with Server 2008 and later.

This course will quickly get you on top of what you need to know about Active Directory security and delegation of authority. Importantly, this course is not an introduction to AD or an overview of basic administration topics. This is a course for people who already manage AD, need to plan redeployment, or must lock down what they've got.

DNS is the Achilles' heel of Active Directory. SRV records in DNS are what provide fail-over fault tolerance and load-balancing to AD (not the cluster service, NLB, or round robin), and DNS is often overlooked. In addition to Active Directory security, we'll also cover what's new and different for DNS security too. This won't be an introduction to DNS; we'll jump straight into DNS security.

CPE/CMU Credits: 6

Who Should Attend

Who Should Attend This Course:

  • Anyone redesigning their AD forest and trust structures
  • Anyone deciding where to place domain-joined IIS servers
  • Anyone who does identity management with AD
  • Anyone trying to delegate authority safely in AD
  • Anyone who manages Windows DNS servers
Topics

Securing Domain Controllers

  • Read-Only Domain Controllers
  • Server Core
  • SYSKEY.EXE
  • Disaster Planning and Recovery
  • Encrypting Replication Traffic
  • Replication Fault Tolerance
  • NTDSUTIL.EXE
  • FSMO Role Assignments

Active Directory Access Control Lists

  • Property-Level Permissions (DACLs)
  • Auditing (SACLs)
  • Command-Line Tools
  • DSACLS.EXE
 
  SEC505.2: Enforcing Critical Controls With Group Policy
Overview

Group Policy is the most underutilized security technology in the world, but not because no one is buying it. You already own it; it's built into Windows for free. If doing more with what you've already got is the hallmark of efficiency, then most organizations can do a lot more with the Group Policy investment they've already made.

Group Policy can be used to manage BitLocker encryption policies, regulate which applications users can run, push scripts out to computers which are then automatically executed, reconfigure NTFS permissions and audit settings, deploy MSI software installation packages, set password and account lockout policies, distribute IPSec encryption settings to all workstations and servers, change EFS recovery agents, control which Certification Authorities users should trust, set any number of registry values, and much, much more. In fact, it's better to ask what cannot be managed through Group Policy than the other way around.

In this course we'll see how to use Group Policy to lock down desktops and servers, implement many of the 20 Critical Security Controls, enforce regulatory compliance changes, configure services and applications, and scale our work out to thousands of systems conveniently. If you've never seen Group Policy before, you're in for a shock (a good shock!); and if you've been using Group Policy for years, this course should expand your understanding even more since the emphasis is on security, not Group Policy in general.

CPE/CMU Credits: 6

Who Should Attend
  • All Windows administrators whatsoever -- Group Policy really is that important
  • Anyone who must efficiently manage large numbers of computers
  • Anyone who needs to apply security templates to their systems
  • Anyone who needs to enforce consistent security policies on Windows hosts
  • Anyone who must combat malware infections on Windows hosts
Topics

Dynamic Access Control (DAC)

  • Claims-based access control and auditing
  • DAC does not require Windows 8
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic file classification infrastructure
  • User and device identity restrictions
  • Auditing without managing SACLs
  • Central access policy deployment

Compromise of administrative powers

  • Hackers and malware LOVE administrative users
  • Partially limiting pass-the-hash attacks
  • How to get users out of the administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • User Account Control (making it less annoying)
  • Kerberos armoring and eliminating NTLM
  • Picture password on touch tablets
  • Windows Credential Manager vs. KeePass
  • Managed service accounts
  • Scheduling tasks with admin privileges

Active Directory permissions and delegation

  • Delegating authority at the OU level
  • OU as administrative firewall
  • Domains are not security boundaries
  • Active Directory permissions
  • Active Directory auditing
  • Logging attribute content changes
 
  SEC505.3: Windows PKI, EFS and BitLocker
Overview

Public Key Infrastructure (PKI) is not an optional security infrastructure anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. With Windows Certificate Services you can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge.

Digital certificates play an essential role in Windows security: IPSec, EFS, secure e-mail, SSL/TLS, Kerberos authentication with smart cards, smart card authentication to IIS and VPN servers, script signing, etc., they all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap.

You also have to encrypt your laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker and EFS are built into Windows already? Both EFS and BitLocker are manageable through Group Policy, both have automatic encryption key archival features for recovery, both require little or no user training, and both can be used to encrypt portable USB drives. If you have a TPM chip in your motherboard, it can help BitLocker to detect rootkits, but note that a TPM chip is definitely not required to use BitLocker.

Planning a PKI or data encryption project isn't easy, and mistakes and redeployments can be costly, so this course in part is designed to assist in the planning process to help avoid these mistakes. If you're not encrypting laptops and portable drives now, you will be soon, and BitLocker/EFS can save your organization money while making the deployment relatively easy. Using Group Policy, you can manage most features of BitLocker and EFS on all your machines without having to configure each of them by hand.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs a whole drive encryption solution
  • Anyone who needs to encrypt data on portable drives
  • Anyone deploying a Windows smart card solution
  • Anyone who needs digital certificates on Windows hosts
  • Anyone widely deploying SSL or S/MIME certificates
  • Anyone deploying or managing a PKI with Windows
Topics

Why Must I Have A PKI?

  • Not Optional Anymore, You Don't Have A Choice
  • Windows Security Designed for PKI
  • Examples: Smart Cards, IPSec, WPA Wireless, SSL, S/MIME, etc.
  • Biometrics and PKI Were Made for Each Other

How To Install The Windows PKI

  • Root vs. Subordinate Certification Authorities
  • Should You Be Your Own Root CA?
  • Custom Certificate Templates
  • Controlling Certificate Enrollment

How To Manage Your PKI

  • Group Policy Deployment of Certificates
  • Group Policy PKI Settings
  • How To Revoke Certificates
  • Automatic Private Key Backup
  • Delegation of Authority

Deploying Smart Cards

  • Everything You Need Is Built-In
  • Smart Card Enrollment Station
  • Group Policy Deployment

Encrypting File System

  • How to Encrypt and Recover Data
  • EFS Insecurity Myths
  • Sharing Encrypted Files
  • CIPHER.EXE

BitLocker Drive Encryption

  • TPM and USB Options
  • Emergency Recovery
  • Group Policy Management
  • MANAGE-BDE.WSF
  • Best Practices for EFS and BitLocker
 
  SEC505.4: Windows Firewall, IPSec, Wireless and VPNs
Overview

The Windows Firewall in Windows 7/2008 has been greatly enhanced over the crude firewall in XP. One of the best features of the new Windows Firewall is its easy-to-use integration with IPSec, and both IPSec and the Firewall are manageable through Group Policy. There really is no compelling reason to purchase third-party firewalls for Windows anymore, that money can be better spent elsewhere.

IPSec is not just for VPNs. IPSec can authenticate users in Active Directory to implement share permissions for TCP and UDP ports based on the user's global group memberships. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on all your servers and workstations to only permit access to RPC or File And Print Sharing ports if 1) the client has a local IP address, 2) the client is authenticated by IPSec to be a member of the domain, and 3) the packets are all encrypted with AES. This is not only possible, but is actually relatively easy to deploy with Group Policy. We will see exactly how to do this in seminar.

Windows Server includes a built-in RADIUS service that can be used to regulate access to VPN gateways, wireless access points, managed Ethernet switches, dial-up servers, and any other RADIUS-compliant access device. Everything you need for a full VPN solution on both the client-side and server-side is built into Windows for free. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free. This week we will see step-by-step exactly how to set it all up, including the PKI.

Windows Server 2008 and later also natively supports SSL VPNs, so you don't have to use IPSec or PPTP if you prefer not to. SSL VPNs operate on TCP port 443 and are easy to enable once the RADIUS policies are configured. You don't need to purchase a new expensive SSL VPN appliance if you've already got the Windows Server license.

In short, this course is about how to use the Windows Firewall, IPSec, RADIUS, the RRAS VPN gateway service, and WPA2 for wireless and wired networks to secure the network layer in our Windows environments. Virtually all these client settings, including wireless settings, are manageable through Group Policy and PowerShell.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs to secure network traffic in Windows LANs
  • Anyone who wants to use IPSec for more than just VPNs
  • Anyone who needs an SSL VPN solution
  • Anyone who needs to secure an 802.11 wireless network
  • Anyone who needs to understand Windows RADIUS
Topics

The New Windows Firewall

  • Group Policy management
  • Application awareness
  • Location awareness
  • IPSec integration

Why Use IPSec?

  • IPSec Is NOT Just For VPNs!
  • Packet Encryption and Integrity
  • User/Computer Authentication
  • Transparent to Users
  • Group Policy Management
  • NETSH.EXE

Creating IPSec Policies

  • Packet Filtering with IPSec
  • Encryption Options
  • Scripting IPSec Policies
  • Require vs. Prefer IPSec

RADIUS for Network Security

  • Smart Card Authentication
  • EAP vs. PEAP
  • PEAP-MS-CHAPv2
  • Firewalling Options
  • Require Strong Encryption and Authentication
  • Limit Access To Chosen Global Groups

Virtual Private Networking

  • SSTP = SSL VPN
  • IPSec + L2TP
  • Host-to-Router VPN Configuration Steps
  • Router-to-Router VPN Configuration Steps
  • VPN Best Practices

Securing Wireless Networks

  • Wi-Fi Protected Access (WPA2)
  • RADIUS Policy Enforcement
  • Certificates For Laptops And Users
  • PKI Integration
  • Wireless Best Practices
 
  SEC505.5: Securing IIS 7.5
Overview

IIS 7.5 in Windows Server 2008-R2 is not an incremental upgrade over IIS 6; it's a whole new beast. Both the management GUI and the underlying architecture are very different than before. IIS is highly modular, meaning that we can strip away what we don't need, but we can also add modules to enhance security. For example, the URL Rewrite module can use regular expressions, just like Apache's mod_rewrite, to block attacks or modify requests, making this module much more powerful than URLSCAN.

Something else new is FTP over SSL (FTPS) for secure file transfer. No matter where you go, you can always securely get to your files using FTPS or WebDAV over SSL. WebDAV can use SSL for file management too; hence, you can map a drive letter on Windows 7/2008 over SSL to a WebDAV share on IIS.

IIS is a magnet for hackers, so great care must be taken in planning how to deploy and configure Microsoft's notorious Web server. In this course, we will talk about how to harden the OS, how to strip IIS down to its essentials to reduce its attack surface, how to enforce authentication and authorization rules, how to implement application-layer HTTP filtering rules, and in general how to help keep your Web site from becoming another victim statistic. During the day, the Code Red worm will be used as an example of an exploit which could have been easily blocked through proper configuration even if the patch for Code Red had not been applied prior to the attack. IIS security is much more than just setting up a firewall and applying patches; it's about proactively anticipating tomorrow's attacks and being ready for them.

The demand for IIS security personnel is great because IIS is so widely deployed. This course focuses on IIS 7.5 in Windows Server 2008-R2, but many of the principles discussed will apply to earlier versions of IIS as well. If you're new to IIS, this course will get you up to speed.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who manages the security of IIS servers
  • IIS web masters and application developers
  • Anyone who needs an FTP-over-SSL solution
  • Anyone using WebDAV with IIS
  • Anyone who needs to understand the new IIS interface and XML configuration system
Topics

Server Hardening

  • Security Templates and Group Policy
  • Service Packs and Hotfixes
  • Web Site Location
  • Dangerous Files
  • Dangerous Services
  • WebDAV
  • Protocols and Bindings
  • TCP/IP Parameters
  • IPSec Filtering and Authentication

XML Configuration System

  • The metabase is gone
  • How the XML configuration files work
  • The new GUI management interface

IIS Authentication and Authorization

  • Anonymous, Basic, Digest, Kerberos, and NTLM Authentication
  • Smart Card Certificate Authentication to IIS
  • IIS/HTTP Permissions
  • NTFS Permissions and Auditing
  • Running Scripts and Binaries on IIS
  • How to configure SSL/TLS

Web-Based Applications

  • Worker Processes
  • Application Pools
  • HTTP.SYS
  • Buffer Overflow Attacks
  • URL Rewrite Module
  • Request Filtering
  • Process Isolation Techniques

Logging and Auditing

  • Event Viewer Logs
  • IIS Logs and Accounting
  • Hacking Signatures in Logs
  • SSL Connection Logging
  • Securing Log Files

FTP Over SSL (FTPS)

  • How to configure FTPS
  • FTPS clients and issues
 
  SEC505.6: Windows PowerShell
Overview

PowerShell is Microsoft's upgrade for the old CMD.EXE shell and a Perl-like scripting language for it too. PowerShell is available as a free download for Windows XP/2003/Vista and is built into Windows 7/2008 and later operating systems by default (get the latest version from the Microsoft Powershell page).

PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What's the big deal? PowerShell rides on top of the .NET Framework; hence, the entire .NET class library is available at the command prompt. And, when PowerShell scripts and tools pipe data into other PowerShell scripts and tools, it's not plain text that gets piped, but entire .NET objects, including all their properties and methods.

PowerShell is the future of administrative scripting on Windows. For example, Exchange Server and Operations Manager have graphical management tools, but these tools are really just GUI wrappers for PowerShell commands. There are also PowerShell cmdlets for IIS, Server Manager, AppLocker, Active Directory, Server Core, and more. Microsoft has promised that other products will be PowerShell-ized too, and the long-term trend is clear: almost everything in Windows will eventually be manageable through PowerShell.

What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript too. This means you can use PowerShell with Windows Management Instrumentation (WMI), Active Directory Services Interface (ADSI), ActiveX Data Objects (ADO), and other COM interfaces. So while VBScript gives you COM, PowerShell gives you both .NET and COM.

And just like the old CMD shell, PowerShell is also designed to run built-in binaries, like WMIC.EXE, NETSH.EXE, SC.EXE, etc., but with a scripting language that's far more flexible than CMD batch scripting. What does the PowerShell scripting language look like? It looks a little bit like Perl or C#, but it's much easier to learn.

During the course we will walk through all the essentials of PowerShell together. The course presumes nothing; you don't have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun - PowerShell is just plain cooooooool...

CPE/CMU Credits: 6

Who Should Attend
  • All Windows administrators who use the command line
  • Windows administrators that want to use scripting
  • Exchange Server administrators
  • Batch file coders looking to upgrade or avoid obsolescence
  • UNIX admins who want to feel more at home on Windows
  • Anyone who writes scripts for Windows - PowerShell is the future!
Topics
  • What is PowerShell?
  • Cmdlets
  • Running Scripts
  • Namespace Providers
  • Piping Objects
  • Parameter Binding
  • Regular Expressions
  • Functions and Filters
  • The .NET Class Library
  • Using Properties and Methods at the Command Line
  • Accessing COM Objects
  • Security and Execution Policy
  • And lots and lots of sample scripts to walk through...
 
Schedule Instructor
 
Mon Dec 3rd, 2012
9:00 AM - 7:00 PM
Benjamin Arnault
Tue Dec 4th, 2012
9:00 AM - 7:00 PM
Benjamin Arnault
Wed Dec 5th, 2012
9:00 AM - 7:00 PM
Benjamin Arnault
Thu Dec 6th, 2012
9:00 AM - 7:00 PM
Benjamin Arnault
Fri Dec 7th, 2012
9:00 AM - 7:00 PM
Benjamin Arnault
Additional Information
 
  Laptop Recommended

Please note that bringing a laptop is optional, but recommended, and it's best to bring a CD ROM drive too. If you have a choice, please install your test computer as a Virtual Machine on your laptop.

Can I use a Virtual Machine?

Yes, in fact, using a virtual machine is preferred. You can obtain VMware Player from the VMware web site or Oracle VirtualBox from the VirtualBox web site.

Windows 8 Pro and Enterprise both include Hyper-V too.

How should my laptop or Virtual Machine be configured?

Ideally, please install Windows Server 2008 Enterprise Edition, either the R1 or R2 version (preferably R2). You can download a free evaluation copy of Windows Server from Microsoft, just do a Google search on "site:microsoft.com windows server trial." Windows 7 Enterprise or Ultimate by itself is insufficient to follow all the exercises in the course, but is nice to have too. Enterprise edition of Windows Server is preferred, but if you can only get Standard edition, that's fine.

Additionally, the Server VM should have a static IP address (perhaps 10.1.1.1) and have the primary DNS server set to this IP address, i.e., you will be your own DNS server. Afterwards, use Server Manager in Administrative Tools to install the Active Directory Domain Services role, then afterwards run DCPROMO.EXE to complete the configuration of the VM as a domain controller. Along the way, install the DNS service when prompted to do so, and choose any domain name you wish, e.g., "testing.local", but don't use your organization's real domain name.

What should I download and have with me?

If you only have Server 2008 R1, please download the following tools and have them with you. Feel free to install them too, but otherwise you'll install them during the seminar. We would simply give you a CD ROM with these tools (or an entire pre configured VM), but Microsoft's licensing does not allow it.

If you have Server 2008 R2, the above extensions are already installed.

What if I do not have a Windows Server laptop?

You are certainly welcome to attend the seminars if your laptop does not meet the above specifications or if you cannot bring a laptop at all. The manuals are filled with screenshots and the instructor will be demonstrating software on projection screens, so you will not miss out. Typically, 50% of the audience will not have laptops with Windows Server configured as domain controllers, so you will not be alone.

What if I have problems configuring my laptop?

Since laptops are optional and there may be hundreds of people who have installation problems per conference, the SANS Institute unfortunately cannot provide technical support. Please use Google to search for the phrases and error numbers shown in the error messages you see.

What if I am totally new to scripting/programming?

You do not need any programming or scripting background whatsoever to attend the course. On the other hand, we will spend the day going through scripts written in PowerShell, so if you want to peruse an article or tutorial on PowerShell, that would be nice, but it's certainly not required. Don't feel too much stress about the PowerShell course, though, since half of the other attendees in there will be new to scripting as well. PowerShell is built into windows 7 and Server 2008, but you must download PowerShell and install it on Windows XP/2003/Vista. You can find links to PowerShell articles and tutorials on Microsoft's site as well.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Windows security engineers and system administrators
  • Anyone who wants to learn PowerShell
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts
  • Anyone who needs a whole drive encryption solution
  • Those deploying or managing a PKI or smart cards
  • IIS administrators and webmasters with servers at risk
 

Venue Information

  • Herve Schauer Consultants - Please note: Training is taught in French and the course books are in English
  • 191 avenue Charles de Gaulle
    Neuilly sur Seine, 92200 FR
  • Phone: +33 (0) 1.58.37.94.49