
Cyber Defense Initiative® 2015

Washington, DC | Sat, Dec 12 - Sat, Dec 19, 2015

SEC505: Securing Windows with PowerShell and the Critical Security Controls

Mon, December 14 - Sat, December 19, 2015

If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!

Matthew Stoeckle, Nebraska Public Power District

This is my fifth SANS course. Jason is an exceptionally hard-working instructor who adds tremendous value with his unrestricted contributions to the community.

Matthew Wheeler, Los Alamos Natl Lab

SECURITY 505: Securing Windows with PowerShell and the Critical Security Controls

What is Windows Hello in Windows 10? How can we defend against pass-the-hash attacks, administrator account compromise, and the lateral movement of hackers inside our networks? How do we actually implement the Critical Security Controls on Windows in a large environment? We tackle these tough problems in SEC505: Securing Windows with PowerShell and the Critical Security Controls.

Understanding how penetration testers and hackers break into networks is not the same as knowing how to design defenses against them, especially when you work in a large and complex Active Directory environment. Knowing about tools like Metasploit, Cain, Netcat, and Poison Ivy is very useful, but there is no simple patch against the abuse of these tools. The goal of this course is to show you ways to defend against both current Windows attack techniques and the likely types of attacks we can expect in the future. This requires more than just reactive patch management - we need to proactively design security into our systems and networks. This course is like the defense-only mirror image of the SANS penetration testing course, SEC504, but for Windows only.

Your adversaries want to elevate their privileges to win control over your servers and domain controllers, so a major theme of this course is controlling administrative powers through Group Policy and PowerShell scripting.

Learning PowerShell is probably the single best new skill for Windows administrators, especially with the trend toward cloud computing. Most of your competition in the job market lacks scripting skills, so knowing PowerShell is a great way to make your resume stand out. This course devotes the entire first day to PowerShell, then we do more PowerShell exercises throughout the rest of the week. Don't worry, you don't need any prior scripting experience to attend.

SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to prove your Windows security expertise. The GCWN certification counts toward getting a Master's Degree in information security from the SANS Technology Institute and also satisfies the Department of Defense 8570 computing environment requirement.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. Come have fun learning PowerShell and Windows security!



Day 1: PowerShell Scripting

  • New to scripting? No problem!
  • PowerShell remoting
  • Running cmdlets and scripts
  • Writing your own functions and scripts
  • Flow control within scripts
  • Accessing COM and .NET objects
  • Security and execution policy

Day 2: Operating System and Applications Hardening

  • PowerShell and Windows Management Instrumentation (WMI)
  • How your anti-virus scanners can fail you
  • AppLocker whitelisting
  • Microsoft EMET
  • Windows OS and application hardening tools
  • Group Policy Management Console (GPMC)
  • INF and XML Security templates
  • How to manage Group Policy
  • WMI filtering and GPO preferences
  • Virtual Desktop Infrastructure (VDI)

Day 3: High-Value Targets and Restricting Admin Compromise

  • PowerShell for Active Directory
  • What makes something a high-value target?
  • Users in the local Administrators group
  • Limiting privileges, logon rights, and permissions
  • Windows Hello biometric authentication
  • Token abuse and pass-the-hash attack mitigations
  • User Account Control (UAC)
  • Delegating IT power more safely
  • Organizational units for role-based controls
  • Active Directory permissions for delegation
  • Active Directory auditing and logging

Day 4: Windows PKI, Smart Cards, and Managing Cryptography

  • PowerShell for PKI
  • Hardening SSL and TLS
  • Why Public Key Infrastructure (PKI) is mandatory
  • Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
  • How to install and manage PKI
  • Root vs. subordinate certification authorities
  • Should you be your own root Certification Authority (CA)?
  • Detecting malicious trusted CA changes with PowerShell
  • Group policy deployment of certificates
  • How to revoke certificates
  • Automatic private key backup
  • Deploying smart cards
  • Best practices for private key security

Day 5: Server Hardening, IPSec, and Critical Protocols

  • PowerShell for IPSec and firewall rules
  • A recipe for hardening servers
  • Dangerous protocols: SSL, RDP, IPv6, and SMB
  • SMBv3 encryption and downgrade attacks
  • Pre-forensics and incident response preparation
  • Service accounts and recovery
  • Scheduling elevated tasks safely
  • Protocol stack hardening
  • Kerberos armoring and restricting NTLM
  • Server Nano versus Server Core
  • Isn't IPSec just for VPNs? No!
  • How to create IPSec policies
  • Windows Firewall and IPSec integration
  • Group Policy for IPSec and firewall rules

Day 6: Dynamic Access Control and Hardening DNS

  • What is Dynamic Access Control (DAC)?
  • DAC for data loss prevention
  • DAC for complying with regulations
  • PowerShell for DAC
  • Automatic File Classification Infrastructure
  • PowerShell for managing DNS
  • DNSSEC response validation
  • DNS secure dynamic updates
  • DNS sinkholes for malware

You Will Learn:

  • How to harden Windows clients and servers against attack.
  • How to use PowerShell
  • How to reduce the rate of APT malware infections.
  • How to use PowerShell and Group Policy to manage security.
  • How to implement PKI, AppLocker, IPSec, and more.
  • How to do pre-forensics to prepare for incident response.


Course Syllabus

Jason Fossen
Mon Dec 14th, 2015
9:00 AM - 5:00 PM


In the Windows world, everything is (thankfully) moving towards PowerShell. PowerShell is Microsoft's object-oriented command shell, scripting language, and remote management framework. Virtually everything can be managed from the command line now. Automation is very important for implementing the Critical Security Controls in large environments, so learning PowerShell is essential.

Today's course covers everything you need to know to get started using PowerShell. You don't need to have any prior scripting or programming experience. After today, we will look at PowerShell examples throughout the week as we work with our regular graphical tools to manage security. Ideally, we want to be able to manage security using either graphical tools or PowerShell (and usually both). In fact, some Microsoft graphical management tools are already built on top of PowerShell, and Microsoft is building more administrative tools this way.

As more and more of our systems are moved up to the cloud, PowerShell will become even more important. Microsoft Azure, Office 365, Amazon Web Services, Hyper-V and VMware already support PowerShell administration for many tasks. Learning PowerShell is a good investment in job security, too.

As a scripting language, PowerShell was specifically designed to be relatively easy to learn and immediately productive. You can quickly start doing very interesting things in PowerShell. Many attendees who feel anxious about writing code, perhaps after a bad experience with C/C++ or with another shell's strange syntax, are pleasantly surprised by how friendly PowerShell is to new coders. It was designed that way!

PowerShell is already built into Windows 7, Server 2008, and later operating systems. You can download sample scripts, documentation, and the latest version of PowerShell from

CPE/CMU Credits: 6


Overview and Security

  • What is PowerShell?
  • Why should we learn it?
  • PowerShell security and execution policy
  • Digitally signing scripts
  • Your profile scripts

Getting Around Inside PowerShell

  • Built-in help system
  • Built-in graphical editor
  • Aliases for CMD and bash users
  • Running cmdlets, functions, and scripts
  • Piping objects instead of text
  • Using properties and methods of objects

Example Commands

  • Capturing the output of Windows tools
  • Parsing text files
  • PowerShell remoting
  • Searching event logs
  • Parsing nmap XML output

Write Your Own Scripts

  • Writing your own functions
  • Function parameters and returning output
  • Flow control: if-then, do-while, foreach, switch
  • Accessing COM objects like in VBScript
  • The .NET Framework class library
  • How to pipe data in/out of scripts
  • Overall script design

Jason Fossen
Tue Dec 15th, 2015
9:00 AM - 5:00 PM


The best analogy for modern network penetration is biological warfare. The hacker exploits a vulnerable client through weak software and social engineering in order to install malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and exfiltrate (or destroy) valuable data. When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you have an Advanced Persistent Threat (APT) situation. You are in trouble.

We do not just want to detect hackers and malware, we want to try to prevent the case-zero compromise from ever happening. Prevention comes first, then detection and remediation afterward. Today's course covers graphical and PowerShell tools that can be used to do Windows OS and applications hardening. The aim is to deny hackers and malware that initial foothold inside the network, because once they are in, they are hard to clean out.

The trick is hardening Windows in a way that is cost-effective, scalable, and has a minimal impact on users. We will look at tools like EMET and Group Policy to make that process easier. As throughout the week, today's section will also look at how to implement many of the Critical Security Controls.

The day begins with a continuation of the PowerShell material on the first day. In PowerShell, we will see how to interact with the Windows Management Instrumentation (WMI) service on remote computers. By talking to the WMI service, we can search event logs, start or stop processes, manage DNS records, reboot systems, and do hundreds of other tasks. PowerShell and WMI are tightly integrated, and learning WMI is very important for honing your PowerShell skills as a cyber-defense operator.
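As an added illustration of the WMI material above (this is not a script from the course; it is example code written for this page), the following PowerShell function runs a WQL query against the `Win32_NTLogEvent` class on remote computers to pull failed-logon events (ID 4625) from the Security log within a time window. The filtering happens inside WMI, which is what makes remote event log searches faster than pulling the whole log across the network. The positions used to read the account name and source address out of `InsertionStrings` are assumptions to verify against your own 4625 samples.

```powershell
# Example (not course material): search remote Security logs for failed logons via WMI.
# Assumes classic WMI (DCOM) access and an account allowed to read the Security log remotely.
function Get-RemoteFailedLogons {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Hours = 24,
        [System.Management.Automation.PSCredential]$Credential
    )

    # WMI timestamps use DMTF format (yyyyMMddHHmmss.ffffff+offset); convert the
    # cutoff once so the comparison runs inside WMI rather than in PowerShell.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))

    # WQL filter: Security log only, event ID 4625 only, newer than the cutoff.
    $wql = "SELECT ComputerName, TimeGenerated, InsertionStrings FROM Win32_NTLogEvent " +
           "WHERE Logfile='Security' AND EventCode=4625 AND TimeGenerated >= '$since'"

    foreach ($c in $ComputerName) {
        $args = @{ Query = $wql; ComputerName = $c; ErrorAction = 'Stop' }
        if ($Credential) { $args.Credential = $Credential }
        try {
            Get-WmiObject @args | ForEach-Object {
                [PSCustomObject]@{
                    Computer = $_.ComputerName
                    Time     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                    # Assumed positions for 4625: 5 = TargetUserName, 6 = TargetDomainName, 19 = IpAddress.
                    Account  = $_.InsertionStrings[5]
                    Domain   = $_.InsertionStrings[6]
                    SourceIP = $_.InsertionStrings[19]
                }
            }
        } catch {
            Write-Warning "WMI query failed on ${c}: $($_.Exception.Message)"
        }
    }
}

# Usage: which accounts see the most failed logons on which systems in the last day.
# Get-RemoteFailedLogons -ComputerName 'DC1', 'FILE1' -Hours 24 |
#     Group-Object Computer, Account | Sort-Object Count -Descending |
#     Select-Object Count, Name
```

Because the `WHERE` clause is evaluated by the WMI service on the target, only matching events cross the network; the same pattern works for other classes such as `Win32_Process` or `Win32_Service` when inventorying remote systems.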

CPE/CMU Credits: 6


PowerShell and Windows Management Instrumentation (WMI)

  • What is WMI and why is it so powerful?
  • WMI queries and remote command execution
  • Searching remote event logs faster
  • Inventory installed software
  • Sample scripts to walk through together

Going Beyond Just Anti-Virus Scanning

  • How your AV scanners can fail you
  • Application whitelisting
  • AppLocker
  • Script and executable signing
  • Controlling USB devices
  • Benevolent Microsoft rootkit: EMET
  • Virtual Desktop Infrastructure (VDI)

OS Hardening with Security Templates

  • INF versus XML security templates
  • How to edit and apply templates
  • Security configuration and analysis
  • Security Configuration Wizard (SCW)
  • Auditing with templates

Hardening with Group Policy

  • Microsoft Security Compliance Manager
  • Group Policy Objects (GPOs)
  • Third-party GPO enhancements
  • Pushing out PowerShell scripts
  • GPO remote command execution
  • GPO troubleshooting tools

Jason Fossen
Wed Dec 16th, 2015
9:00 AM - 5:00 PM


If a member of the Domain Admins group is compromised, the entire network is lost. How can we better prevent the compromise of administrative accounts and contain the harm when they do get compromised? What can we do about pass-the-hash and token abuse attacks? Remember, as a network administrator, you are a high-value target and your adversaries will try to take over your user account and infect the computers you use at work (and at home).

Hackers also love it when "regular" users are members of the local Administrators group on their computers because it makes it easier to compromise those computers and then to move laterally to other machines. We will talk about what is so dangerous about the Administrators group, how to get users out of that group while still allowing them to get their work done, and, if we just cannot get users out of Administrators, then how to make User Account Control (UAC) less annoying to them...and to us.

We will also see how to delegate authority in Active Directory. Every object in Active Directory has a set of permissions and audit settings that we can leverage for security. Instead of simply adding everyone in the IT department to the Domain Admins group, we can more precisely delegate authority at the organizational unit level and grant limited powers to specific groups, such as the help desk or incident response groups.

Like almost everything else, Active Directory can be managed through PowerShell. In today's PowerShell section, we will see how to create, delete, and edit objects in Active Directory, such as user accounts and passwords. We will also see how to search Active Directory with any criteria we wish, like discovering all administrative accounts or listing those users with a large number of failed password attempts. PowerShell scripting of Active Directory is surprisingly easy and fun!
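To show the kind of Active Directory searches described above in working form, here is an added example (not from the course materials) using the ActiveDirectory module. The first function walks the privileged groups recursively and flags properties that make an administrative account a softer target; the second queries every domain controller for accounts with many failed password attempts, because `badPwdCount` is not replicated and so must be read from each DC. The group list and thresholds are assumptions you would adjust for your own domain.

```powershell
# Example (not course material): inventory privileged accounts and failed-password counts.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        # Built-in privileged groups; add your own delegation groups as needed.
        [string[]]$Group = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$StalePasswordDays = 90
    )

    $members = foreach ($g in $Group) {
        # -Recursive expands nested groups so indirect admins are not missed.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [PSCustomObject]@{ Group = $g; DN = $_.distinguishedName } }
    }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DN -Properties PasswordLastSet, PasswordNeverExpires,
                                                   LastLogonDate, Enabled, ServicePrincipalName
        [PSCustomObject]@{
            Group                = $m.Group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            StalePassword        = ($u.PasswordLastSet -lt (Get-Date).AddDays(-$StalePasswordDays))
            # An admin account that also carries an SPN is being used as a service account.
            HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

function Get-BadPasswordCounts {
    param([int]$Threshold = 5)
    # badPwdCount is kept per domain controller, so ask each one and merge the results.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADUser -Server $dc.HostName -Filter "badPwdCount -ge $Threshold" -Properties badPwdCount |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, SamAccountName, badPwdCount
    }
}

# Usage:
# Get-PrivilegedAccountReport | Where-Object { $_.PasswordNeverExpires -or $_.StalePassword -or $_.HasSPN } | Format-Table
# Get-BadPasswordCounts -Threshold 10 | Sort-Object badPwdCount -Descending
```

Running the first report on a schedule and diffing it against the previous run is a cheap way to notice a new member of Domain Admins that nobody requested.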

CPE/CMU Credits: 6


Compromise of Administrative Powers

  • Why hackers and malware love administrative users
  • Partially limiting pass-the-hash and token abuse
  • How to get users out of the administrators group
  • Limiting the power of administrative users
  • Limiting privileges, logon rights, and permissions
  • User Account Control (making it less annoying)
  • Authentication policies
  • Using PowerShell to manage admin password updates
  • Picture password and PIN logons
  • Windows Hello biometric logons
  • Password managers for administrators
  • Device Guard for LSASS protection

PowerShell for Active Directory

  • PowerShell scripting of Active Directory
  • Managing users, computers, and groups
  • Searching Active Directory with PowerShell
  • Active Directory Administrative Center

Active Directory Permissions and Delegation

  • Active Directory permissions
  • Active Directory auditing
  • Delegating authority at the OU level
  • Why domains are not security boundaries
  • Logging attribute content changes

Jason Fossen
Thu Dec 17th, 2015
9:00 AM - 5:00 PM


Public Key Infrastructure (PKI) is not an optional security service anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. You can be your own Certification Authority (CA) and generate as many certificates as you wish at no extra charge. It is all centrally managed through Group Policy and PowerShell.

Digital certificates play an essential role in Windows security: IPSec, BitLocker, S/MIME, SSL/TLS, smart cards, script signing, etc. all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap. If you have a TPM chip in your laptop or tablet, it can actually be used as a built-in smart card too.

As more and more of our servers are pushed up to cloud hosting providers, and as more of our devices become mobile, certificate authentication and encryption will become more necessary. We are putting so much hope and trust into protocols like SSL and TLS, but these protocols are not perfect and have less-than-ideal default cipher settings on Windows. Hence, we will also talk about how to disable SSL, enable the latest version of TLS, eliminate weak ciphers, and maximize the cryptographic security of TLS. Because malware can inject fake root certification authority certificates into our machines, which subverts the authentication provided by TLS, we will also look at PowerShell scripts to audit and manage trusted root CA certificates on endpoints.

PowerShell management of PKI and cryptography can be a challenge, but there are tricks to making it easier. In this course, we will see how PowerShell can access certificates, audit our lists of trusted certification authorities, perform file hashing, and encrypt secret data, such as user passwords being sent over the wire. In fact, one of the scripts we use during the week does exactly that - it resets an administrator's password, the password is encrypted with our public key, and then sent securely over the network for archival. This sounds complex, but PowerShell makes it relatively easy.
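As a concrete version of the trusted-root audit mentioned in the two paragraphs above, the following is an added example written for this page (it is not the course's own audit script). It compares the machine's Trusted Root store against an allow-list of thumbprints, reports anything unexpected, provides a guarded removal helper, and computes a fingerprint of the whole store that can be compared across many endpoints. The thumbprints in the allow-list are constructed placeholders.

```powershell
# Example (not course material): audit and baseline the LocalMachine Trusted Root CA store.
# Replace these placeholder thumbprints with the roots your organization actually trusts
# (export the list from a clean reference build).
$AllowedRootThumbprints = @(
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',   # placeholder: your enterprise root CA
    'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'    # placeholder: a public root you rely on
)

function Get-UnexpectedRootCA {
    param(
        [string[]]$Allowed = $AllowedRootThumbprints,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $Allowed -notcontains $_.Thumbprint } |
        ForEach-Object {
            [PSCustomObject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # A root whose private key is present on an endpoint is a strong warning sign.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# Removal helper for a root you have confirmed is unwanted; prompts before deleting (needs admin rights).
function Remove-RootCAByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $path = "Cert:\LocalMachine\Root\$Thumbprint"
    if (Test-Path $path) { Remove-Item -Path $path -Confirm }
    else { Write-Warning "No root certificate with thumbprint $Thumbprint" }
}

# A single hash over the sorted thumbprint list changes whenever any root is added or removed,
# which makes it cheap to compare hundreds of machines against a known-good value.
function Get-RootStoreFingerprint {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    $list  = (Get-ChildItem -Path $StorePath | Sort-Object Thumbprint | ForEach-Object { $_.Thumbprint }) -join "`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($list)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
}

# Usage:
# Get-UnexpectedRootCA | Format-Table Thumbprint, Subject, SelfSigned, HasPrivateKey
# Get-RootStoreFingerprint
```

The fingerprint is a store-level check, not a certificate-level one: it tells you that something changed, and `Get-UnexpectedRootCA` then tells you what.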

CPE/CMU Credits: 6


Why Have Public Key Infrastructure?

  • Strong authentication and encryption
  • Passwords are dead and obsolete
  • Smart cards, IPSec, wireless, SSL/TLS, S/MIME, etc.
  • Mobile and BYOD computers
  • Code and document signing

How to Install the Windows PKI

  • Root versus subordinate certification authorities
  • Should you be your own root CA?
  • Custom certificate templates
  • Controlling certificate enrollment

How to Manage Your PKI

  • PowerShell access to certificates
  • PowerShell script to audit trusted root CAs
  • Group Policy deployment of certificates
  • Group Policy PKI settings
  • How to revoke certificates
  • Automatic private key backup
  • Credential roaming of keys
  • Delegation of authority
  • Disable SSL and only use TLS
  • Optimizing TLS cipher suites

Deploying Smart Cards

  • Everything you need is built in
  • TPM virtual smart cards
  • Smart card enrollment station
  • Group policy deployment
  • Smart cards on a limited budget

Jason Fossen
Fri Dec 18th, 2015
9:00 AM - 5:00 PM


What are the best practices for hardening Windows servers, especially servers exposed to the Internet? How can we remotely manage our servers in a secure way? If we have service accounts or scheduled jobs running as Domain Admin, what are the risks and what can we do about these risks? This part of the course is about server hardening.

IPSec is not just for VPNs. IPSec can authenticate users in Active Directory to implement share permissions for TCP and UDP ports based on the user's global group memberships. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on your servers and tablets to only permit access to your RPC or SMB ports if (1) the client has a local IP address, (2) the client is authenticated by IPSec to be a member of the domain, and (3) the packets are all encrypted with 256-bit AES. This is not only possible, it is actually relatively easy to deploy with Group Policy and can be scripted in PowerShell. This course section will show exactly how to do this.

For in-depth defense, we can no longer rely on just our perimeter firewalls. Many of our devices are mobile, so they are not protected by our perimeter firewalls anyway. You do not need to purchase third-party host-based firewalls like we did for Windows XP. The new Windows Firewall is a vast improvement and can be managed through Group Policy and PowerShell. For BYOD computers, the firewall and IPSec settings can also be scripted.

Are you using NTLM, Kerberos, Remote Desktop Protocol (RDP), or the File and Print Sharing protocol (SMB/CIFS)? These protocols and their listening ports are hacker favorites, but we cannot live without them, so we will see how to make these and other protocols more resilient against attacks. The cryptography we learned yesterday will help us better understand and harden the protocols in today's course section.

And, of course, IPSec policies, firewall rules, service account passwords, SMB encryption settings, etc. can almost always be scripted with PowerShell. We will see several PowerShell examples in today's course.
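The SMB policy described earlier in this section (local subnet only, IPSec-authenticated domain members, AES-256 encrypted) can be expressed with the NetSecurity cmdlets on Windows 8/Server 2012 and later. The block below is an added example written for this page, not a script from the course; it builds the rules locally rather than through Group Policy, assumes the computer is domain-joined so Kerberos is available, and uses a constructed placeholder SID for the group allowed to reach the share.

```powershell
# Example (not course material): restrict inbound SMB (TCP 445) to IPsec-authenticated,
# AES-256-encrypted connections from the local subnet, and to members of one group.
$FileShareUsersSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder group SID

# Phase 2 (user) authentication with Kerberos, so IPsec carries the user's identity
# and the firewall can apply a group-based restriction.
$userAuth    = New-NetIPsecAuthProposal -User -Kerberos
$userAuthSet = New-NetIPsecPhase2AuthSet -DisplayName 'SMB user Kerberos' -Proposal $userAuth

# Quick-mode crypto set: ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'SMB AES256' -Proposal $qmProposal

# Connection security rule: inbound 445 must be protected; outbound requests protection.
New-NetIPsecRule -DisplayName 'Require IPsec for SMB' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 -RemoteAddress LocalSubnet `
    -Phase2AuthSet $userAuthSet.Name -QuickModeCryptoSet $qmSet.Name

# Firewall rule: allow 445 only when authenticated AND encrypted by IPsec AND the
# authenticated user is a member of the group (SDDL grants the group the CC right).
New-NetFirewallRule -DisplayName 'SMB in: IPsec + group' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress LocalSubnet `
    -Authentication Required -Encryption Required `
    -RemoteUser "O:LSD:(A;;CC;;;$FileShareUsersSid)" -Action Allow

# Verify what the firewall will enforce for that rule.
Get-NetFirewallRule -DisplayName 'SMB in: IPsec + group' | Get-NetFirewallSecurityFilter
```

Because no `-Phase1AuthSet` is given, the IPsec rule uses the policy's default main-mode authentication (computer Kerberos on a domain member), so the exchange proves both that the peer is a domain computer and which domain user is on it. Test with `-WhatIf` first, and remember that an existing default-allow rule for File and Printer Sharing would still let unprotected traffic in unless it is disabled.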

CPE/CMU Credits: 6


Creating IPSec Policies

  • IPSec is not just for VPNs!
  • Require versus prefer IPSec
  • Share permissions on TCP ports
  • IDS/IPS compatibility options
  • IPSec-based encrypted VLANs
  • Group Policy management
  • PowerShell and NETSH.EXE

Windows Firewall

  • Group Policy management
  • PowerShell management
  • Metro app and service awareness
  • Roaming and VPN compatibility
  • Deep IPSec integration

Dangerous Server Protocols

  • RDP man-in-the-middle attacks
  • SMBv3 native encryption
  • SMB downgrade attacks
  • NTLM, NTLMv2, and Kerberos
  • Kerberos armoring
  • Hardening the protocol stack
  • What about IPv6?

Server Hardening

  • Server Manager and PowerShell
  • Server Nano/Core/Minimal/Full
  • Security templates and Group Policy
  • Preparing for incidents: doing pre-forensics
  • Service account security

Jason Fossen
Sat Dec 19th, 2015
9:00 AM - 5:00 PM


Windows Server 2012 introduced a major new security enhancement called Dynamic Access Control (DAC). If you have millions of files spread across multiple servers, how can you manage access to and auditing of these ever-changing files? How can we avoid relying on NTFS permissions and auditing alone?

DAC allows you to label files with such classifications as "Top Secret" or "PII," then apply restrictions and auditing based on these hidden file tags. But it is not done with AD group memberships and NTFS alone; DAC is not an NTFS management system, and there is much more to it. With your own custom user and computer attributes defined in Active Directory, you can implement a Data Loss Prevention (DLP) solution based on "claims" associated with your users and their various devices. You can also perform auditing this way to help comply with regulations in your industry.

DAC works best with Server 2012 and Windows 8/10, but Windows 8/10 is not required. Even Windows XP clients can benefit. DAC is not just for file servers, either; it can also be extended to other platforms such as SharePoint, Rights Management Services (RMS), and Exchange. Finally, DAC is not a single tool or service; it is a new access control system with ties into the kernel.

Today's course also continues the server hardening theme from the previous day with coverage of DNS security. DNS is mandatory on our networks, but the protocol itself is horrible - hackers love it! There are several things we can do to make DNS less insecure. We can use DNSSEC to digitally sign DNS records to prevent spoofing and man-in-the-middle attacks, do DNS secure dynamic updates with Kerberos, set permissions on DNS records in Active Directory, use the DNS sinkhole technique to frustrate malware, and apply IPSec to DNS packets. DNS was not designed for security to begin with, so security has to be bolted on afterward.

Finally, it is no surprise that PowerShell can be used to manage DNS and Dynamic Access Control (DAC) settings. We will see plenty of examples, such as a PowerShell script for DNS sinkholing and PowerShell commands to manage DAC claims and file classifications.
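To make the DNS sinkhole technique concrete, here is an added example (not the course's own sinkhole script) using the DnsServer module on Windows Server 2012 or later. For each name you want to block it creates a local primary zone, so the real authoritative servers are never asked, and points the apex and a wildcard at an internal address where connection attempts can be logged. The domain names and sinkhole address are constructed placeholders; `'@'` as the record name for the zone apex is an assumption to confirm on your server.

```powershell
# Example (not course material): sinkhole unwanted DNS names on a Windows DNS server.
# Run in an elevated session with DNS administration rights on the target server.
$SinkholeIP = '10.200.200.1'                                # placeholder: internal listener that logs hits
$Names      = @('malware-example.test', 'c2-example.test')  # placeholder names, e.g. from a threat feed

function Add-DnsSinkhole {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [Parameter(Mandatory)][string]$IPv4Address,
        [string]$ComputerName = 'localhost'
    )
    foreach ($n in $Name) {
        # Idempotent: skip zones that already exist so the script can be re-run from an updated feed.
        if (Get-DnsServerZone -Name $n -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
            Write-Verbose "Zone $n already exists, skipping"
            continue
        }
        # A file-backed primary zone; use -ReplicationScope instead of -ZoneFile for an AD-integrated zone.
        Add-DnsServerPrimaryZone -Name $n -ZoneFile "$n.dns" -ComputerName $ComputerName
        # Apex ('@') and wildcard ('*') records so both the name and any subdomain resolve to the sinkhole.
        Add-DnsServerResourceRecordA -ZoneName $n -Name '@' -IPv4Address $IPv4Address `
            -TimeToLive 00:05:00 -ComputerName $ComputerName
        Add-DnsServerResourceRecordA -ZoneName $n -Name '*' -IPv4Address $IPv4Address `
            -TimeToLive 00:05:00 -ComputerName $ComputerName
        [PSCustomObject]@{ Zone = $n; SinkholeIP = $IPv4Address }
    }
}

function Remove-DnsSinkhole {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$ComputerName = 'localhost'
    )
    foreach ($n in $Name) {
        if (Get-DnsServerZone -Name $n -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
            Remove-DnsServerZone -Name $n -Force -ComputerName $ComputerName
        }
    }
}

# Usage:
# Add-DnsSinkhole -Name $Names -IPv4Address $SinkholeIP -Verbose
# From a client, Resolve-DnsName 'anything.malware-example.test' should now return $SinkholeIP.
```

Whatever listens on the sinkhole address (even a plain web server with logging) becomes a detection point: any internal host that connects to it was trying to reach a name you have already decided is hostile.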

CPE/CMU Credits: 6


Dynamic Access Control (DAC)

  • Claims-based access control and auditing
  • DAC does not require Windows 8/10
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic file classification infrastructure
  • User and device identity restrictions
  • Auditing without managing SACLs
  • Central access policy deployment
  • PowerShell scripts to manage DAC

Hardening DNS

  • IPSec for DNS
  • Secure dynamic updates
  • Sinkholing unwanted DNS names with PowerShell
  • The hosts file on mobile devices
  • PowerShell scripting of the hosts file

Additional Information

Please bring a virtual machine running an evaluation version of Windows Server 2012 R2, Datacenter or Standard edition, installed with a full GUI (not Core). You will use the virtual machine throughout the week.

Here is a short video showing how to install your virtual machine.

Windows 8 and Windows 10, both Pro and Enterprise editions, include Client Hyper-V for running virtual machines. You can also obtain VMware Player for free. On a Mac, there is also VMware Fusion and Parallels.

Please note that if your laptop has an old CPU or less than 8GB of memory, you will be frustrated trying to keep up with the other attendees in the course. Please don't let your IT department spoil your experience by giving you an old "loaner laptop" that is only used for training because it is so slow.

Your host computer must have a USB port or a USB adapter (the regular "Type-A" size used for USB flash drives).

The host computer can have any operating system because all of the labs are done in the guest virtual machine (and you must use a VM for the labs, not your host computer).

Where can I get the free evaluation version of Windows Server 2012 R2?

You can download a free trial version of Windows Server 2012 R2 from Microsoft as an ISO image file (an ISO file is an exported copy of a CD/DVD disk). Just do an Internet search on windows server trial eval to find the download link to the ISO file on Microsoft's web site.

Bring the ISO file with you on your hard drive when you attend the course.

How should my virtual machine be configured?

Other than simply creating the Windows Server virtual machine, there is nothing else to configure. Everything else will be done during the course.

Please install Windows Server 2012 R2 in your virtual machine. You can use either the Standard or Datacenter edition, either one works fine.

When you install the virtual machine, choose the "Server with a GUI" version of Windows Server, not the "Core" version. If you install the "Core" version, you will only get a CMD command shell when you log into the virtual machine. If you accidentally install the "Core" version, delete it and install a new virtual machine choosing the "Server with a GUI" option instead.

The virtual machine should not have network or Internet access, so configure the network interface of the virtual machine to be "host-only" or "private network" in your VM software. Do not apply any patches or updates.

Bring the ISO file with you on your hard drive when you attend the training.

If possible, configure your virtual machine to have two virtual CPUs. This helps to avoid error messages with some of the hacker tools used in the course. Your host laptop does not require two physical CPUs.

If your laptop can handle running two virtual machines simultaneously, then create a second identical virtual machine also running Windows Server. Having two virtual machines is not required for the course, it just makes some of the experimentation more fun (and is handy if there is a disaster).

VMware prompts me for a license number or I get a license error message! What should I do?

Make sure you have the evaluation version of Windows Server, not the retail version.

When creating the virtual machine in VMware, it is best to choose the option that says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the virtual machine has been created, not during the initial creation. After the virtual machine has been created, go to the Settings of that virtual machine and provide the path to the source ISO file. Now, when you start the virtual machine, there should be no evaluation licensing problems.


If you have additional questions about the laptop specifications, please contact

  • Anyone who wants to learn PowerShell.
  • Windows security engineers and system administrators.
  • Anyone implementing the Critical Security Controls.
  • Those who must enforce security policies on Windows hosts.
  • Those deploying or managing a PKI or smart cards.
  • Anyone who needs to reduce APT malware infections.

There are no prerequisites to attend the course, but a familiarity with basic Windows and Active Directory concepts is presumed. You do not need any prior scripting experience.

  • A CD or USB flash drive with scripts and other tools related to the material.
  • MP3 audio files of the complete course lecture.
  • Use Group Policy to harden Windows and applications, deploy Microsoft EMET, do AppLocker whitelisting, apply security templates, and write your own PowerShell scripts.
  • Implement Dynamic Access Control (DAC) permissions, file tagging, and auditing for Data Loss Prevention (DLP).
  • Use Active Directory permissions and Group Policy to safely delegate administrative authority in a large enterprise to better cope with token abuse, pass-the-hash, service/task account hijacking, and other advanced attacks.
  • Install and manage a full Windows PKI, including smart cards, certificate auto-enrollment, and detection of spoofed root CAs.
  • Harden SSL, RDP, DNS, and other dangerous protocols.
  • Deploy Windows Firewall and IPSec rules through Group Policy and PowerShell.
  • Learn how to automate security tasks on local and remote systems with the PowerShell scripting language and remoting framework.
  • Run many PowerShell commands and scripts all week.
  • PowerShell remoting.
  • Install a domain controller.
  • Apply security templates.
  • Run the Security Configuration Wizard.
  • Use and customize Group Policy.
  • Configure scheduled jobs to run PowerShell scripts.
  • Install Microsoft EMET.
  • Install Process Hacker.
  • Configure AppLocker rules.
  • Install a PKI and deploy certificates.
  • Install an OCSP responder.
  • Use PowerShell to hash files.
  • Use PowerShell to audit root CAs and remove unwanted CAs.
  • Configure firewall and IPSec rules.
  • Configure DNS sinkholed names with PowerShell.
  • Deploy Dynamic Access Control (DAC) settings.
  • Manage DAC with PowerShell.

"You will know and be confident how to enable Windows PKI after taking this course. I had no practical experience but plenty of theory. The instructor broke down the pros and cons of the whole process. Excellent!!" - Othello Swanston, DTRA-DOD

Author Statement

The courses I write for SANS are always guided by two questions: (1) What do administrators need to know to secure their networks? and (2) What should administrators learn to advance their careers as IT professionals? I am neither a Microsoft employee nor a Microsoft basher, so you will not get either kind of propaganda here. My concern is with the health of your network and your career. As a security consultant, I have seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows course is packed with interesting and useful advice that is hard to find on the Internet. We always have a good time, so I hope to meet you at the next training event!

- Jason Fossen, SANS Faculty Fellow