SEC505: Securing Windows and PowerShell Automation

GIAC Certified Windows Security Administrator (GCWN)
  • Online
36 CPEs
Want to block Windows attacks, thwart the lateral movement of hackers inside your LAN, and prevent administrative credential theft? And you want to have fun learning PowerShell scripting at the same time? Then SEC505 is the course for you! In SEC505 you will learn how to use PowerShell to automate Windows security and harden PowerShell itself. No prior PowerShell scripting experience is required to take the course because you will learn PowerShell along the way. We will even write a PowerShell ransomware script together in a lab in order to implement better ransomware defenses. The course author, Jason Fossen, is a Faculty Fellow who has taught defensible PowerShell at SANS for more than a decade. Jason gives away his PowerShell security scripts for free at https://BlueTeamPowerShell.com.

What You Will Learn

WINDOWS SECURITY AUTOMATION MEANS POWERSHELL

In this course (SEC505) you will learn how to:

  • Write PowerShell scripts for Windows and Active Directory security automation
  • Run PowerShell scripts on remote hosts with SSH or SSL/TLS
  • Defend against PowerShell malware, such as ransomware
  • Harden Windows Server and Windows 11 against skilled attackers

You will leave this course ready to start writing your own PowerShell scripts to help secure your Windows environment. It's easy to find Windows security checklists, but how do you automate those changes across thousands of machines? How do you safely run scripts on many remote boxes? In this course you will learn not just Windows and Active Directory security, but how to manage security using PowerShell.

FOR GOV/MIL ATTENDEES, LEARN HOW TO LEVERAGE POWERSHELL AS A FORCE MULTIPLIER FOR WINDOWS SECURITY

There is another reason PowerShell has become popular: PowerShell is just plain fun! You will be surprised at how much you can accomplish with PowerShell in a short period of time. It's much more than just a scripting language, and you don't have to be a coding expert to get going.

Learning PowerShell is also useful for another kind of security: job security. Employers are looking for IT people with PowerShell skills. You don't have to know any PowerShell to attend this course; we will learn it together during the labs.

WE WILL WRITE A RANSOMWARE SCRIPT AND DEFEND AGAINST IT

Unfortunately, PowerShell is being abused by hackers and malware authors. On the last day of the course in the capstone lab, you will write and defend against a fully functional ransomware script. Don't worry, if you're new to PowerShell, you'll get lots of guidance in the lab when you write the script.

Topic Highlights

  • Quickly get up and running writing your own PowerShell scripts
  • PowerShell remote command execution with SSH or SSL/TLS
  • How to defend against PowerShell ransomware
  • PowerShell for Active Directory, Windows Server and DevOps
  • Certificate authentication, TLS and Public Key Infrastructure (PKI)
  • Windows Firewall, IPsec and WMI scripting

You Will Be Able To

  • Write PowerShell scripts for security automation.
  • Execute PowerShell scripts on remote systems with SSH or SSL/TLS.
  • Harden PowerShell itself against abuse.
  • Enable PowerShell transcription logging for your SIEM.
  • Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more.
  • Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach).
  • Block the lateral movement of hackers and ransomware using Windows Firewall.
  • Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root.
  • Configure mitigations against pass-the-hash attacks, Kerberos Golden Tickets, Remote Desktop Protocol (RDP) man-in-the-middle attacks, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses.
  • Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certificate Authorities (CAs).
  • Harden essential protocols against exploitation, such as TLS, RDP, DNS, PowerShell Remoting, and SMB.

What You Will Receive

  • Over 200 PowerShell scripts written by the course author, plus security templates and other tools used in the labs.
  • Hard copy printed course books with tons of notes already in the manuals (in general, SEC505 attendees rarely need to take hand-written notes during seminar; the notes are already in the courseware).
  • Electronic copies of the courseware that can be searched.
  • Audio recordings of the entire course that you can download and keep.

Syllabus (36 CPEs)

  • Overview

    This section covers what you need to know to get started using PowerShell. You do not need to have any prior scripting or programming experience. We have PowerShell labs throughout the week, so today is not the only PowerShell material. We start with the essentials, then go more in depth as the week progresses. Do not worry, you will not be left behind: the PowerShell labs walk you through every step. If you already have PowerShell experience, then there will be intermediate topics for you too.

    Most of the labs this week are PowerShell, while the rest of the labs use graphical security tools only when necessary, such as when there is no PowerShell equivalent.

    PowerShell Core is different than Windows PowerShell. PowerShell Core is the new, cross-platform version of PowerShell for Windows, Linux, and macOS. The full source code of PowerShell Core is in GitHub. PowerShell Core has built-in integration with OpenSSH. We will use both Windows PowerShell and PowerShell Core in this course.

    As more of our systems move up to the cloud, PowerShell will become even more important. Amazon Web Services, Microsoft Azure, Office 365, Hyper-V, and VMware already support PowerShell administration for many tasks. Learning PowerShell is good for managing network security, and it's also good for job security.

    Your courseware files will include over 200 PowerShell scripts written by the course author. All the PowerShell code shown in the manuals during the week is included. All the scripts are in the public domain for your personal or business use without restriction (they can be downloaded from https://BlueTeamPowerShell.com).

    Topics

    PowerShell Is Dangerous (and Fun)

    • The backbone of Windows and Azure automation
    • Piping .NET and COM objects, not text
    • Graphical admin tools wrapped around PowerShell
    • Built-in remote script execution

    Writing Your Own Scripts, Functions, and Modules

    • Passing arguments into your scripts
    • Cmdlets, functions, and aliases in your profile script
    • Flow control: if-then, do-while, foreach, switch
    • The .NET Framework class library: a vast playground
    • How to pipe data in/out of your scripts
    • How to create your own module script

    Up and Running Quickly with PowerShell

    • Capturing the output of commands
    • Parsing text files and logs with regex patterns
    • Mounting the registry as a drive
    • Importing third-party modules and functions
    • https://www.PowerShellGallery.com

    Piping Objects Instead of Text

    • Classes, objects, properties, and methods
    • An array of objects is like a table of SQL records
    • Extracting just the properties you want
    • Exporting objects to CSV, HTML, XML, and JSON files
    • Filtering, sorting, and grouping objects (not text)
  • Overview

    How can we run PowerShell scripts on thousands of systems with just a few lines of code? Today is about remote command execution using PowerShell Remoting and the SSH service on Windows.

    OpenSSH is not just for Linux. Windows now has built-in support for Secure Shell (SSH) as both a client and a server. PowerShell Core has native support for SSH too.

    PowerShell Remoting is for encrypted remote command execution of PowerShell scripts in a way that can scale to thousands of workstations and servers. It is vastly better than PSEXEC.EXE. Remoting traffic can be encrypted with SSL/TLS or SSH and can be authenticated with a smart card or YubiKey.

    But power is always a double-edged sword. PowerShell Remoting can be abused by ransomware and hackers too. Can we limit which groups may use PowerShell Remoting and restrict the commands each group is permitted to run? Yes, it's called Just Enough Admin (JEA) for PowerShell. JEA allows non-admin users to remotely execute commands with administrative privileges but without exposing any administrative credentials to them (kind of like setuid root on Linux). With JEA, all PowerShell commands are blocked by default except for those commands you explicitly allow. Graphical applications can be built on top of PowerShell JEA too, such as Microsoft's Windows Admin Center (WAC) web application.

    While PowerShell Remoting and SSH are great, they still don't scale enough. If you need to run dozens of PowerShell scripts on tens of thousands of hosts every night or every hour, then you need the Task Scheduler service. The built-in Task Scheduler service can be remotely managed through PowerShell and Group Policy. Ransomware often uses the Task Scheduler too. We will see how to run scheduled PowerShell scripts with elevated privileges while protecting administrative credentials.

    You might be familiar with Group Policy already, but today's course emphasizes the PowerShell capabilities of Group Policy. We can use Group Policy to push out PowerShell scripts to thousands of hosts and have the scripts executed hands-free, even if no one is logged on. These scripts can then return data back to us through shared folders, syslog packets, or SIEM logging.

    Topics

    PowerShell Remoting

    • Get a remote command shell with PowerShell
    • Smart card and YubiKey authentication
    • Using SSL/TLS or SSH to encrypt traffic
    • Remote command execution in scheduled tasks
    • File upload and download using the PowerShell Remoting protocol
    • Graphical apps can use PowerShell remoting too

    OpenSSH on Windows

    • Windows can be an SSH server? Yes!
    • OpenSSH support is now built into Windows
    • PowerShell Core integration with SSH
    • Hardening SSH for Internet use
    • Kerberos and public key authentication for SSH

    PowerShell Just Enough Admin (JEA)

    • JEA is like setuid root on Linux
    • Restricting PowerShell commands and arguments
    • Verbose transcription logging of commands
    • How to set up and configure JEA
    • JEA for Privileged Access Workstations (PAWs)

    PowerShell, Group Policy, and the Task Scheduler

    • Deploying PowerShell startup and logon scripts
    • Group Policy scheduled tasks to run PowerShell scripts
    • The Task Scheduler service and admin credentials
    • WMI item-level targeting of PowerShell scripts

  • Overview

    PowerShell is deeply integrated into the Windows Management Instrumentation (WMI) service. Many PowerShell commands are just wrappers for WMI functions. Hackers love the WMI service too, but for the wrong reasons.

    The WMI service is enabled by default and accessible over the network. With our PowerShell WMI scripts we can remotely execute commands, reboot machines, forcibly log users off, kill processes, and much more. Today, we will see how to do all this. WMI scripting is a bit difficult, but we'll go through all the strange namespaces and classes together.

    Today we will also use PowerShell to search, manage, and secure Active Directory. With PowerShell we can find abandoned user accounts and disable them. We can enforce our desired group memberships with scheduled scripts. We can reset passwords on thousands of user accounts. And when hackers are brute-forcing passwords, our PowerShell scripts can find the accounts being targeted. Of course, malicious insiders can do much of the same, such as with the BloodHound tool, so how can we restrict what users can see or change?

    Every object in Active Directory has permissions and audit settings. Instead of simply adding everyone in the IT department to the Domain Admins group, we can more precisely delegate authority at the Organizational Unit (OU) level. Whether using PowerShell or graphical tools, these Active Directory permissions are always enforced by the domain controller.

    Don't use Microsoft LAPS! There are better ways to protect admin passwords. We can use PowerShell to manage domain accounts in Active Directory, but we can also use PowerShell to manage local admin accounts and passwords on servers and workstations in a way that is better than Microsoft LAPS. Today we will do a better-than-LAPS PowerShell lab, and you're welcome to use these scripts instead of LAPS on your networks after the conference.

    Is PowerShell only for scripts and command shells? No! Windows Admin Center (WAC) is a free Microsoft web application for remote administration with your web browser. WAC uses both WMI and PowerShell Remoting under the hood. It's a great example of how Microsoft is wrapping PowerShell with graphical tools to manage machines both on-premises and in Azure. We will install WAC and see the PowerShell functions it exposes.

    Topics

    PowerShell Baselines with WMI

    • What is WMI and why do hackers abuse it so much?
    • Remote command execution through WMI
    • Using PowerShell to query WMI namespaces and classes
    • WMI service authentication and traffic encryption
    • Gathering reconnaissance data from remote systems
    • Microsoft Windows Admin Center (WAC) web application
    • WMI logging for hacker and malware visibility

    PowerShell for Active Directory

    • Querying and managing Active Directory with PowerShell
    • Enforcing desired Domain Admins group membership
    • Disabling abandoned user accounts and resetting passwords
    • Detecting password brute-force attacks
    • Searching organizational units using filter criteria
    • ADSI Edit and other helper tools for PowerShell
    • Active Directory Administrative Center (ADAC)

    Active Directory Permissions and Auditing

    • Active Directory objects have permissions
    • Active Directory objects have auditing
    • Limit what PowerShell scripts can do in Active Directory
    • Log what PowerShell scripts are doing in Active Directory
    • Delegate authority at the OU level instead
    • Designing Active Directory for the inevitable breach

  • Overview

    PowerShell is the primary tool for configuring and hardening Windows Server, Server Core and Server Nano, especially when hosted in Azure or AWS. Today we will see how to use PowerShell to install roles, manage services, apply Group Policy Objects to stand-alone servers (yes, that is possible), and accomplish other security tasks. Along the way, we will learn new PowerShell techniques too.

    Host-based firewalls can block the lateral movement of hackers inside the LAN and the outbound connections of malware as that malware "beacons" or "phones home." On mobile devices, we must do host-based packet filtering because mobile devices roam outside the LAN where the perimeter firewall cannot protect them. The trick is being able to apply different sets of firewall rules to different sets of machines in a scalable, repeatable, and automated way. This is what we will do with PowerShell and the built-in Windows Firewall.

    IPsec is not just for VPNs! In fact, we won't discuss VPNs at all today. The built-in Windows IPsec driver can authenticate users in Active Directory in order to implement share permissions for our TCP/UDP listening ports based on our users' global group memberships in Active Directory. Imagine using a PowerShell script to configure the Windows Firewall on your workstations and servers to only permit access to their RPC, RDP or SMB ports if (1) the remote computer is pre-authenticated by IPsec to be a member of the domain, (2) the user is pre-authenticated to be a member of the Domain Admins group, (3) the packets are all encrypted with 256-bit AES, and (4) the client has an IP address from an authorized subnet. This is not only possible; today's course will show you exactly how to do it with PowerShell!

    Topics

    Server Hardening Automation for DevOps

    • Replacing Server Manager with PowerShell
    • Windows Admin Center (WAC) web application
    • Adding and removing roles and features
    • Remotely gathering an inventory of roles and features
    • Why use Server Nano or Server Core?
    • Running PowerShell automatically after service failure
    • Service account identities, passwords, and risks
    • Tools to reset service account passwords securely

    Windows Firewall Scripting

    • PowerShell management of Windows Firewall rules
    • Blocking malware outbound connections
    • Role-based access control for listening ports
    • Deep IPsec integration for user authentication
    • Firewall logging to the event logs, not to text logs

    Share Permissions for TCP/UDP Listening Ports with IPsec

    • PowerShell management of IPsec rules
    • IPsec for blocking post-exploitation lateral movement
    • Limiting access to ports based on global group membership
    • IPsec-based encrypted VLANs
    • IPsec is not just for VPNs!
  • Overview

    Smart cards and smart tokens, such as YubiKeys, are the gold standard for multi-factor authentication (MFA). In this section we will use PowerShell to install a certificate server which can be used to deploy smart cards and smart USB tokens. Smart cards and tokens can be used for PowerShell Remoting, signing PowerShell scripts, Remote Desktop Protocol (RDP) logons, User Account Control (UAC), ASP.NET web application logons, and more.

    Everything you need to deploy a full smart card/token solution for your administrators is included with Windows, except for the cards and tokens themselves. PowerShell and Group Policy make it relatively easy.

    If you have a Trusted Platform Module (TPM) chip in your laptop or tablet, the TPM can also be used as a built-in smart card. TPM-based smart cards are invisible to users, requiring little or no training, similar to the security processors in Apple iPhones. TPMs also protect biometric data, encrypt BitLocker keys, and help to enhance Windows 11 Credential Guard.

    PowerShell Remoting network traffic can be encrypted with SSL/TLS. The target server is authenticated with its certificate, just like a web server using HTTPS, and the user can be authenticated with a certificate too.

    Your organization will need certificates for many other purposes. In this course we will sign PowerShell scripts, install an OCSP responder for revocation checking, configure auto-enrollment for hands-free certificate installation and renewals, use PowerShell to audit and manage trusted root CA certificates on endpoints, and more.

    Unfortunately, a compromised certificate server can also be used for privilege escalation all the way up to a Domain Admin! Certificate servers must be hardened and monitored just like domain controllers. Can we use PowerShell to harden our certificate servers? Certainly! We will see how to do it (and this is why DevOps orchestration is covered in the prior section).

    Topics

    Certificate Authentication and TLS Encryption for PowerShell

    • Certificates for smart card authentication of PowerShell remoting
    • Certificates for TLS encryption of PowerShell remoting
    • Certificates to sign PowerShell scripts for AppLocker
    • Certificates for TLS encryption of WMI queries with PowerShell
    • Certificates for web servers, domain controllers, and everything else

    Install a Windows Certificate Server with PowerShell

    • PowerShell installation script for Public Key Infrastructure (PKI)
    • Managing digital certificates with PowerShell
    • Custom certificate templates in Active Directory
    • Controlling certificate auto-enrollment
    • Setting up an Online Certificate Status Protocol (OCSP) responder web farm
    • Configuring Certificate Revocation List (CRL) publication

    Deploying Smart Cards, Smart Tokens, and TPM Virtual Smart Cards

    • The gold standard for multi-factor authentication is a smart card/token
    • YubiKey smart tokens for logon, PowerShell remoting, and much more
    • Trusted Platform Module (TPM) virtual smart cards
    • Safely enroll tokens and cards on behalf of other users
    • How to revoke compromised certificates
    • PowerShell script to audit trusted root CAs
    • PowerShell script to delete hacker certificates

    Security Best Practices

    • Privilege escalation to Domain Admin through bad PKI
    • Protect the private keys of your certificates from malware
    • How to use PKI smart cards and smart tokens
    • How to encrypt private keys on the hard drive
    • Hardware Security Module (HSM) for CAs
    • How to digitally sign PowerShell scripts
    • SSL is dead, long live TLS
    • TLS cipher suite optimization
  • Overview

    Today we will write a PowerShell ransomware script and unleash it inside our training VM (don't release it into the wild, you'll go to federal prison). The purpose of this ethical hacking is to discuss defenses against this kind of PowerShell abuse.

    How can we secure PowerShell itself? PowerShell is not a single tool. There is no one registry value or patch to magically make PowerShell "secure", but there is a lot we can do. Today we will cover many defensive techniques to prevent future compromises, reduce the harm we suffer after a compromise, and gain visibility into PowerShell malicious activity for the sake of forensics, incident response and threat hunting.

    Because we want to automate our hardening work, we will also see how to roll our defensive changes into a DevOps PowerShell script for building new servers or workstations, including all the networking settings. This pulls together all the PowerShell material from the prior days of the course. The aim is to be able to reconfigure a Windows machine with as little manual labor as possible. When in doubt about whether a computer has been infected with malware, we should be able to "nuke it from orbit" by rebuilding that machine from scratch.

    Most importantly, we must prevent PowerShell malware from acquiring administrative credentials. Malware can scrape credentials out of memory for privilege escalation and lateral movement to other machines, such as with pass-the-hash and Kerberos Golden Ticket attacks. Once ransomware steals the credentials of a Domain Admin, it's GAME OVER.

    To help defend against pass-the-hash attacks and token abuse, we will cover LSASS memory protections, Credential Guard, Remote Credential Guard, restricting network logon rights, User Account Control (UAC), RDP Restricted Admin Mode, and more. All these settings can be applied or audited with PowerShell scripts.

    From a defender's perspective, PowerShell is great. In comparison to compiled C++ hacker tools, we want our adversaries to use PowerShell. PowerShell transcription logging gives us deep visibility into the tactics of our adversaries. There is a special anti-virus scanning interface (AMSI) for examining PowerShell malware in memory, even when that malware is obfuscated. We can lock down PowerShell remoting using Just Enough Admin (JEA) sandboxes and enforce AppLocker rules to restrict PowerShell execution.

    Topics

    PowerShell Ransomware

    • We will write a PowerShell ransomware script in a lab
    • What can be done to combat ransomware?
    • Just having backups is not enough

    Anti-Exploitation Defenses for PowerShell

    • AppLocker for PowerShell
    • Scripting AppLocker with PowerShell
    • PowerShell execution policy
    • PowerShell constrained language mode
    • Anti-Malware Scan Interface (AMSI)
    • Restricting network access to block pivoting
    • Hashing scripts for change detection
    • How to digitally sign our PowerShell scripts
    • The Principle of (Endpoint) Least Privilege
    • Prevent Domain Admin credential theft at all costs!
    • Windows 10 Credential Guard
    • User Account Control (UAC) instead of RUNAS.EXE

    PowerShell Visibility and Detection

    • PowerShell transcription logging
    • WMI namespace auditing
    • Windows Event Log audit policies
    • Querying Windows Event Logs with PowerShell

    DevOps Automation with PowerShell

    • Putting it all together with PowerShell
    • How to write an all-in-one build script with OS hardening
    • PowerShell for roles, features, networking, policies, etc.
    • The future of IT administration is automation
    • We will all need to be "full stack engineers" soon

GIAC Certified Windows Security Administrator

The GIAC Certified Windows Security Administrator (GCWN) certification validates a practitioner's ability to secure Microsoft Windows clients and servers. GCWN certification holders have the knowledge and skills needed to configure and manage the security of Microsoft operating systems and applications, including: PKI, Group Policy, AppLocker, PowerShell, and hardening Windows against malware and persistent adversaries.

  • Securing PowerShell
  • Zero Trust multifactor authentication
  • Windows endpoint protection
  • Operating system and application hardening
  • PKI management
  • Restricting administrative compromise

Prerequisites

  • A general familiarity with Windows Server and Active Directory basic concepts.
  • Comfortable opening a command shell and running commands.
  • Able to create a virtual machine using VMware, VirtualBox or similar.
  • Prior PowerShell scripting experience is not required.

Laptop Requirements

CRITICAL NOTE: Apple Silicon devices cannot perform the necessary virtualization and cannot be used for this course.

Important! Bring your own system configured according to these instructions!

Bring a laptop with 8GB or more of memory and a USB port.

Your laptop may run any operating system you prefer, such as Windows, Linux, or macOS.

Install any virtualization software you prefer, such as VMware, Parallels or VirtualBox; if you are uncertain what to use, prefer VMware Workstation, since that is the product SANS technical support knows best.

Download the evaluation version of Windows Server 2022 from Microsoft's Evaluation Center. This ISO file is free and does not require a license number. Go to the Microsoft Evaluation Center for Windows Server 2022 to download the ISO. To install your VM, you'll boot from this ISO file in the VM.

Create a VM running Windows Server 2022 using the ISO you downloaded. Do this before the first day of class. This will help to identify any firmware problems. Do not plan to create a VM on a remote virtualization server or in the cloud; the VM must run on your laptop. If you have any setup questions, please contact SANS for friendly help.

When you install the Windows Server VM, choose the option for "Windows Server 2022 Datacenter Evaluation (Desktop Experience)." See below for a screenshot. No other special OS configuration is required. Just accept all the defaults during installation. Again, if you have any questions, please contact SANS.

Do not apply patches or updates to the Windows Server VM. There is nothing else to do.

Setup Questions?

If you have questions about the laptop or VM setup, please contact support. We are here to help!

What does the "Desktop Experience" option look like when installing Windows Server?

You will see the screen below after you've booted your VM from the Windows Server installation ISO file. Choose the "Desktop Experience" option at the bottom of the list for Windows Server 2022 Datacenter.

Where can I get the free evaluation version of Windows Server?

You can download a free version of Windows Server 2022 from Microsoft as a bootable ISO file. No license number is required. Just go to Microsoft's Evaluation Center for Windows Server 2022 and download the ISO file. When you create your VM, you'll boot from this ISO file just like you would boot from a DVD on a physical server.

Bring the ISO file with you on your hard drive when you attend the course.

If you have questions about how to install virtualization software or how to create a VM, please contact support for friendly assistance.

VMware prompts me for a license number or I get a license error message!

Make sure you have the evaluation version of Windows Server, not the retail version.

When creating the virtual machine in VMware, it is best to choose the option that says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the VM has been created, not during the initial creation.

After the VM has been created, go to the Settings of that VM and provide the path to the source ISO file. Now, when you start the VM, there should be no evaluation licensing problems. Contact SANS for friendly help.

Why doesn't SANS just provide attendees with a pre-built virtual machine?

We would if we could! Microsoft does not allow us to redistribute evaluation versions of Windows Server virtual machines, even though the ISO download is free and does not require a license number.

Also, we want you to have your own local VM to take back home with you so that you will not be dependent on Internet access or any other virtualized lab environment. This is especially important for GOV/MIL attendees who work in restricted networks.

I have more questions!

If you have any questions about the laptop requirements or Virtual Machine setup, please contact support. We are here to help!

Author Statement

"The courses I write for SANS are always guided by two questions: (1) What do my attendees need to know to secure their networks? and (2) What should they learn to advance their careers as IT professionals? I don't work for Microsoft, my only concerns are with the health of your network and your career. After 25 years as a security consultant and SANS instructor, I have seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell. We always have fun in SEC505, so I hope to meet you at the next training event!"

- Jason Fossen, SANS Faculty Fellow

"The best Windows Security course I've attended in 25 years of administering Windows environments. Every time I pick up one of my GCWN books, I learn something new that's immediately applicable to my current situation. A must-have course for any system administrator who is serious about securing their environment." - Armond Rouillard, NES Associates, U.S. Army (retired)

Reviews

Gold standard of Windows security training.
Alexander Kotkov
EY
Every lesson provides information I can immediately use at work when I return.
Dan Fleischer
MiTek Industries
I loved the course, when I return to the office I am recommending it to the rest of my team.
Alex Fox
Federal Home Loan Bank Chicago
Invaluable! Every day was directly pertinent to what we are doing at work. I wish I had taken this course many years ago.
Jerry Sanchez
Southwest Research Institute
It’s nice to see Windows training that isn’t ‘controlled’ by Microsoft.
Rich Wessler
West Virginia University
Home run hit for modern Windows security.
Russ Gritto
ERG
