Explore the worlds best online cybersecurity training with OnDemand - view a Demo Today!

London 2016

London, United Kingdom | Sat, Nov 12 - Mon, Nov 21, 2016
This event is over,
but there are more training opportunities.

SEC505: Securing Windows and PowerShell Automation

Mon, November 14 - Sat, November 19, 2016

You have the best instructors available. Other training never comes close and is a waste of money.

Steve Sauro, McDermott Will and Emery

If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!

Matthew Stoeckle, Nebraska Public Power District

SECURITY 505: Securing Windows and PowerShell Automation

Hackers know how to use PowerShell for evil, do you know how to use it for good? In SEC505 you will learn PowerShell and Windows security hardening at the same time. SecOps requires automation, and Windows automation means PowerShell.

You've run a vulnerability scanner and applied patches - now what? A major theme of this course is defensible design: we have to assume that there will be a breach, so we need to build in damage control from the beginning. Whack-a-mole incident response cannot be our only defensive strategy - we'll never win, and we'll never get ahead of the game. By the time your monitoring system tells you a Domain Admin account has been compromised, it's TOO LATE.

For the assume breach mindset, we must carefully delegate limited administrative powers so that the compromise of one administrator account is not a total catastrophe. Managing administrative privileges is a tough problem, so this course devotes an entire day to just this one critical task.

Learning PowerShell is also useful for another kind of security: job security. Employers are looking for people with these skills. You don't have to know any PowerShell to attend the course, we will learn it together. About half the labs during the week are PowerShell, while the rest use graphical security tools. PowerShell is free and open source on GitHub for Linux and Mac OS too.

This course is not a vendor show to convince you to buy another security appliance or to install yet another endpoint agent. The idea is to use built-in or free Windows and Active Directory security tools when we can (especially PowerShell and Group Policy) and then purchase commercial products only when absolutely necessary.

If you are an IT manager or CIO, the aim for this course is to have it pay for itself 10 times over within two years, because automation isn't just good for SecOps/DevOps, it can save money, too. Besides, PowerShell is also simply fun to use.

This course is designed for systems engineers, security architects, and the Security Operations (SecOps) team. The focus of the course is on how to automate the NSA Top 10 Mitigations and the CIS Critical Security Controls related to Windows, especially the ones that are difficult to implement in large environments.

SEC505 will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to prove your Windows security expertise. The GCWN certification counts towards a Master's Degree in Information Security from the SANS Technology Institute (www.sans.edu) and satisfies the Department of Defense 8570 computing environment requirement. The GCWN is also a foundational certification for soldiers in the U.S. Army's 255-S Information Protection Program, especially now that the DoD has standardized on Windows 10.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. We don't cover patch management, share permissions, or other such basics - the aim is to go far beyond that. Come have fun learning PowerShell and agile Windows security at the same time!


You Will Learn

  • How to use PowerShell for security automation
  • How to run PowerShell scripts on thousands of hosts
  • How to do SecOps/DevOps continuous enforcement
  • How to deploy and manage a Windows PKI
  • How to manage privileges for assumed breach
  • How to do endpoint protection for assumed breach
  • How to do pre-forensics to help the Hunt Team
  • How to secure Kerberos, DNS, TLS, RDP and SMB
  • How to use PowerShell WMI for the Blue Team


Day 1: PowerShell Automation and Security

  • New to scripting? No problem!
  • Quick intro to scripting, such as ForEach loops
  • PowerShell remote command execution
  • Transcription logging for forensics
  • Parsing and mining nmap port scanner XML output
  • Searching event logs faster with XPath queries
  • Writing your own functions and scripts
  • Capturing command output for parsing
  • Preparing to pipe .NET objects, not text

Day 2: Continuous Secure Configuration Enforcement

  • PowerShell Desired State Configuration (DSC)
  • Using Group Policy to target PowerShell scripts
  • Scheduling elevated PowerShell tasks safely
  • Empowering the Hunt Team and incident responders
  • Server hardening automation for DevOps
  • Why Server Nano and Server Core?
  • Microsoft Security Compliance Manager (free tool)
  • Windows Operating System and application hardening tools
  • Customizing INF security template text
  • Group Policy continuous enforcement

Day 3: Windows PKI and Smart Cards

  • Windows Public Key Infrastructure (PKI) can be fun!
  • Installing and managing a PKI, a step-by-step walk through
  • Detecting malicious trusted root Certification Authorities with PowerShell
  • Hands-free Group Policy deployment of certificates
  • Private key archival and lost key recovery
  • How to quickly deploy smart cards for admins
  • Best practices for private key security
  • Installing an Online Certificate Status Protocol (OCSP) responder
  • Issuing a code signing certificate for PowerShell scripts
  • Scripting to compare file hashes, like a poor-man's Tripwire

Day 4: Administrative Compromise and Privilege Management

  • PowerShell Just Enough Admin (JEA)
  • Automate local Administrators group management
  • Limiting privileges, logon rights, and permissions
  • LSASS memory protections against DLL injection
  • Token abuse and pass-the-hash attack mitigations
  • User Account Control (UAC) and smart cards
  • Safely delegating IT power for least privilege
  • Active Directory permissions for IT delegation
  • Designing Organizational Units for administrative least privilege
  • Active Directory logging of bad admins
  • Windows 10 facial biometrics and Credential Guard

Day 5: Endpoint Protection and Pre-Forensics

  • Application whitelisting with AppLocker
  • Automating AppLocker with PowerShell
  • PowerShell constrained language mode
  • Microsoft's benevolent rootkit: EMET
  • IPSec is not just for VPNs!
  • IPSec is built into Windows for endpoint protection
  • IPSec share permissions for TCP/UDP ports
  • PowerShell scripting of Windows Firewall rules
  • Group Policy management of Windows Firewall
  • Pre-forensics for incident response preparation
  • Pre-forensics requires particular audit policies
  • System snapshot baselines to help the Hunt Team

Day 6: Defensible Networking and Blue Team WMI

  • Windows Management Instrumentation (WMI)
  • PowerShell for WMI scripting
  • Group Policy use of WMI filters
  • Remote Desktop Protocol (RDP) weaknesses
  • Hardening TLS and eliminating SSL
  • SSL/TLS cipher suites for perfect forward secrecy
  • Kerberos armoring and restricting NTLM
  • PowerShell management of DNS records
  • DNS sinkholes for malware and phishing sites
  • Implementing DNSSEC with PowerShell and Group Policy
  • DNS secure dynamic updates with Kerberos
  • SMBv3 encryption and downgrade attacks
  • How to disable IPv6 tunneling, but keep IPv6


Course Syllabus

Jason Fossen
Mon Nov 14th, 2016
9:00 AM - 5:00 PM


Today's course covers what you need to know to get started using PowerShell. You don't need to have any prior scripting or programming experience. We have PowerShell labs throughout the week, so today is not the only PowerShell material. We start with the essentials, then go more in depth as the week progresses. Don't worry, you won't be left behind, the PowerShell labs walk you through every step.

About half the labs this week are PowerShell, the rest use graphical security tools (some of which actually run on top of PowerShell). A six-day course on nothing but PowerShell would be too exhausting, so we mix Windows security and PowerShell together to make it more fun and practical. SEC505 has had at least one day of PowerShell since 2007, so we know how to get the right mix (for the more advanced scripters, we also talk about WMI, JEA, and DSC later in the week).

PowerShell is made for Security Operations (SecOps) automation on Windows. PowerShell is built into Windows 7, Server 2008, and later operating systems by default. Linux and Mac OS users can download PowerShell from GitHub. SecOps requires automation in order to scale out security changes and monitoring beyond a handful of hosts. For example, when a vulnerability must be remediated but there is no patch for it yet, automation is needed to quickly and consistently enact the changes necessary.

PowerShell "remoting" is encrypted remote command execution of PowerShell scripts in a way that can scale to thousands of endpoints and servers. It is vastly better than PSEXEC. Imagine being able to hunt for indicators of compromise across thousands of machines with just a few lines of PowerShell code. Or imagine having the local Administrator account password reset every night on thousands of endpoints in a secure way, and being able to retrieve that password securely too. We will show how to do these tasks and more.

We will also talk about security for PowerShell itself, such as transcription logging for forensics, strong encryption, code signing, application whitelisting of scripts, IPSec port control, and Just Enough Admin (JEA). JEA is like Linux sudo and setuid, but for PowerShell remoting.

As more and more of our systems are moved up to the cloud, PowerShell will become even more important. Amazon Web Services, Microsoft Azure, Office 365, Hyper-V and VMware already support PowerShell administration for many tasks, and open source PowerShell is available for Linux and Mac OS too. So learning PowerShell is not only good for network security, it's also good for job security.

CPE/CMU Credits: 6


Overview and Security

  • Transcription logging to catch hackers
  • IPSec and firewall rules for remoting
  • AppLocker for PowerShell
  • Just Enough Admin (JEA)
  • Constrained language mode to block hackers
  • Customizing your profile script

Getting Around Inside PowerShell

  • Don't memorize, use the built-in help
  • Cool tricks with the ISE graphical editor
  • Piping .NET and COM objects, not text
  • Using properties and methods of objects
  • Helping Linux admins feel more at home
  • Aliases, cmdlets, functions, modules, etc.

What Can We Do With It?

  • PowerShell remoting and scalability
  • Capturing the output of commands
  • Parsing text files and logs with regex patterns
  • Searching remote event logs faster with XPath
  • Mounting the registry as a drive
  • Parsing and mining nmap port scanner XML output
  • Running scripts as scheduled jobs
  • Pushing out scripts through Group Policy
  • What can't we do with it?

Write Your Own Scripts

  • Writing your own functions
  • Function parameters and returning output
  • Flow control: if-then, do-while, foreach, switch
  • The .NET Framework class library: a playground
  • How to pipe data in/out of your scripts

Jason Fossen
Tue Nov 15th, 2016
9:00 AM - 5:00 PM


Running a vulnerability scanner is easy; remediating vulnerabilities across a large number of systems is what can be difficult. Most vulnerabilities are fixed by applying patches, but this course does not talk about patch management, you're doing that already. What about the other vulnerabilities, the ones not fixed by applying patches? These vulnerabilities are, by definition, remediated by configuration changes. Enter SecOps.

So here is the challenge: How do we automate configuration changes across many endpoints and servers? How do we continuously reinforce these configuration changes to make sure they "stick," and that the desired configuration is automatically reapplied again if the host somehow drifts away from what we want? And by the way, we want to do this all for free, using only built-in Windows and Active Directory tools, and do it in a way that is relatively easy whether we have 100 or 10,000 hosts. Is this possible? Yes, we can do it with PowerShell and Group Policy!

Group Policy Objects (GPOs) are like configuration templates that can be applied and re-applied automatically. Desired State Configuration (DSC) is a PowerShell feature that can automatically return a machine to the desired configuration we want (hands-free) if the machine drifts away from this configuration. DSC is like Puppet or Chef, but built into PowerShell for free. DSC is good for DevOps too, not just SecOps.

Group Policy and PowerShell are made for each other. We can use Group Policy to push out PowerShell scripts to hundreds of thousands of hosts and have the scripts executed hands-free, even if no one is logged on, then return data back to us through Server Message Block (SMB) shares, syslog packets, or some other mechanism. Group Policy can also be used to manage scheduled jobs, and these jobs can run PowerShell scripts related to forensics, monitoring, continuous configuration enforcement, or kill chain commands. For example, we can hunt for indicators of compromise, gather inventory data, reset passwords, create/delete/disable/enable user accounts, kill malicious processes, remove malicious services/drivers, remotely hash files for tripwire-like integrity checking, search remote event logs, write to event logs, send syslog packets, and much more. This is how we can help the Hunt Team and incident responders to fight back!

You might be familiar with Group Policy already, but today's course emphasizes the targeting capabilities of Group Policy. How can we precisely target a security template or PowerShell script to just the machines in a particular global group, or just to the Server Nano VMs, or just to the Windows 7 laptops that have Adobe Acrobat installed, or just to the Windows 10 tablets that have a particular indicator of compromise? Group Policy gives us a scalable targeting system for PowerShell and security templates.

CPE/CMU Credits: 6


Continuous Secure Configuration Enforcement

  • How to use Group Policy and PowerShell together
  • Automate with INF security templates
  • How to customize INF templates
  • Microsoft Security Compliance Manager (SCM)
  • SECEDIT.EXE scripting
  • Building an in-house security repository for SecOps/DevOps

Group Policy Precision Targeting

  • Managing Group Policy Objects (GPOs) with PowerShell
  • LSDOU, Block Inheritance, Enforced GPOs
  • Group Policy permissions for targeting changes
  • ADMX templates for mass registry editing
  • Deploying PowerShell startup and logon scripts
  • WMI item-level targeting of GPO preferences
  • GPO scheduled tasks to run PowerShell scripts
  • Remote command execution via GPO (not remoting)
  • Empowering the Hunt Team to fight back!

Server Hardening for SecOps/DevOps

  • Server Manager scripting with PowerShell
  • Adding and removing roles and features
  • Remotely inventory roles, features, and apps
  • Why Server Nano or Server Core?
  • Running PowerShell automatically after service failure
  • Service account identities, passwords, and risks
  • Tools to reset service account passwords securely

PowerShell Desired State Configuration (DSC)

  • DSC is like Puppet or Chef, but built in for free
  • Using DSC for continuous reinforcement of settings
  • Writing your own DSC configuration scripts
  • Free DSC resource modules: www.PowerShellGallery.com
  • How to push DSC configurations to many targets
  • DSC background job processing in push mode
  • Examples: sync files, install roles, manage groups
  • Auditing a remote target against a DSC MOF template
  • "ApplyAndAutoCorrect" mode for continuous enforcement

Jason Fossen
Wed Nov 16th, 2016
9:00 AM - 5:00 PM


Don't believe what you hear on the street: Public Key Infrastructure (PKI) is not that hard to manage on Windows! You'll be pleasantly surprised at how much Group Policy, Active Directory, and PowerShell can help you manage your PKI. And we don't really have a choice anymore: having a PKI is pretty much mandatory for Microsoft security.

This day of the course is basically one long hands-on lab to install and configure a full Windows Server PKI. This includes a root Certification Authority (CA), Group Policy certificate auto-enrollment on endpoints, Online Certificate Status Protocol (OCSP) revocation checking, private key roaming for users, smart card certificate deployment, and, of course, more PowerShell examples.

Even if you already have a PKI, this course will still be useful for you, since the hardest part of PKI is the endpoint management, not the CA installation.

Digital certificates have an essential role in Windows security. Certificates are used with smart cards, S/MIME e-mail, SSL/TLS to web servers, VPNs, PowerShell remoting, BitLocker drive encryption, the Encrypting File System (EFS), IPSec computer authentication, code signing, AppLocker process whitelisting, Device Guard policies, user authentication to web services, and more. As we move towards the cloud and Bring Your Own Device (BYOD) mobile devices, having your own PKI will become even more important.

Everything you need to roll out a smart card solution for your administrators is included with Windows, except for the cards and readers themselves (and generic cards are available in bulk for cheap). If you have a Trusted Platform Module (TPM) chip in your laptop or tablet, the TPM can also be used as a built-in smart card. TPM-based smart cards are invisible to users, requiring little or no training. Smart cards can hold other certificates too, such as for Remote Desktop Services, BitLocker, EFS, and code signing.

Because malware can inject fake root Certification Authority (CA) certificates into our machines, we will also look at PowerShell scripts to audit and manage trusted root CA certificates on endpoints. When hackers alter the trusted root CAs on our endpoints, it subverts the authentication provided by SSL/TLS and allows the attackers to create digitally-signed malware that our users will blindly trust.

The labs in today's course mostly use graphical PKI tools, but there are also PowerShell labs to delete unwanted certificates installed by malware, audit our lists of trusted CAs, perform file hashing, compare thousands of recorded file hashes at two different times (similar to Tripwire), and encrypt secret data in our own PowerShell applications, such as for encrypting admin passwords.

CPE/CMU Credits: 6


Why Is A PKI Necessary?

  • PKI is for strong authentication and encryption
  • Passwords are obsolete, we need smart cards!
  • Examples: VPNs, wireless, IPSec, SSL, S/MIME, etc.
  • Certificates for mobile endpoints and BYOD
  • Code signing certificates for AppLocker and PowerShell

How to Install the Windows PKI

  • PowerShell installation script for PKI
  • PKI installation with Server Manager
  • Root versus subordinate CAs
  • Enterprise versus Stand-Alone CAs
  • Should you be your own root CA?
  • Custom certificate templates in Active Directory
  • Controlling certificate auto-enrollment
  • Set up an Online Certificate Status Protocol (OCSP) responder web farm
  • Configure Certificate Revocation List (CRL) publication

How to Manage Your PKI

  • Where are private keys?
  • Private key security best practices
  • PowerShell script to audit trusted root CAs
  • PowerShell script to delete hacker certificates
  • Group Policy auto-deployment of certificates
  • How to revoke compromised certificates
  • Automatic private key backup and recovery
  • Credential roaming of keys and passwords
  • Delegation of PKI management to non-admins

Deploying Smart Cards

  • Everything you need is built in!
  • Smart cards for Kerberos, BitLocker, EFS, etc.
  • TPM virtual smart cards are just too cool...
  • Smart cards on a limited budget for the admins
  • Safely enroll cards on behalf of other users

Jason Fossen
Thu Nov 17th, 2016
9:00 AM - 5:00 PM


Why do submarines have pressure doors to seal off compartments? Because they are designed to assume a breach will occur. In a Windows environment, a security breach will occur, count on it, so we must design with an "assume breach" mindset as well.

If we assume that someday the computers and credentials of our administrators will be compromised, then how do we build damage control into the network from the beginning? This is not about detection and incident response. The challenge here is how to design for damage control when we decide how to delegate administrative privileges. We need to proactively design damage control into the system, not wait until after there is a breach (when it's too late). As always, our guide is the Principle of Least Privilege.

Is there a Windows version of sudo, like on Linux? Yes, it's called Just Enough Admin (JEA) for PowerShell. JEA allows non-admin users to remotely execute commands with administrative privileges, but without exposing any administrative credentials to them (kind of like setuid root on Linux). With JEA, all PowerShell commands are blocked by default except those you explicitly allow, and you can even use regular expression patterns to limit the arguments to those commands. And for less-technical users who'd prefer a graphical interface, don't forget that graphical applications can be built on top of PowerShell JEA too. In this course, we will see how to set up JEA and PowerShell Remoting.

The password of the local Administrator account on every machine must be different and reset at least weekly to limit post-exploitation abuse. We will see how to use scheduled PowerShell scripts to do this in a secure way that's also convenient for the admins when they need the plaintext password. To help defend against pass-the-hash attacks and token abuse, we talk about LSASS memory protections, Windows 10 Credential Guard, restricting network logon rights, User Account Control (UAC), RDP Restricted Admin Mode, and more.

Moving up to Active Directory (AD), we will see that every object in AD has a set of permissions and audit settings that we can leverage for delegation of authority. Instead of simply adding everyone in the IT department to the Domain Admins group, we can more precisely delegate authority at the Organizational Unit (OU) level. We can create an OU Admins group that is just like Domain Admins, except that its power is limited to that one OU only. Then we can create other custom groups, such the Help Desk group or the Auditors group, and grant them the minimum powers they need for the OU too. By analogy, AD forests and OUs can be used like those pressure doors on submarines mentioned earlier.

CPE/CMU Credits: 6


You Don't Know The Power!

  • What are the various "admin privileges" on Windows?
  • How do we manage privileges on thousands of hosts?
  • What privileges can be exploited to take over a machine?
  • How to steal a password hash or Security Access Token (SAT)

Compromise of Administrative Powers

  • Limiting pass-the-hash and token abuse attacks
  • Getting users out of the Administrators group (without a revolt)
  • Limiting the power of administrative users
  • Limiting privileges, logon rights, and permissions
  • User Account Control (UAC) instead of RUNAS.EXE
  • Enforcing different per-group password and lockout policies
  • Using PowerShell to manage password resets
  • Picture password and PIN logons on Windows 10
  • Windows 10 biometric logons
  • Password managers for administrators
  • KeePass best practices and PowerShell script
  • Windows 10 Credential Guard

PowerShell Just Enough Admin (JEA)

  • JEA is Windows sudo, like on Linux
  • JEA is Windows setuid root, like on Linux
  • Restricting commands and arguments
  • Verbose transcription logging
  • How to set up and configure JEA

Active Directory Permissions and Delegation

  • Active Directory objects have permissions
  • Active Directory objects have auditing
  • Empty the Domain Admins group!
  • Delegating authority at the OU level instead
  • Granting limited powers to the Help Desk
  • Designing Active Directory for the inevitable breach

Jason Fossen
Fri Nov 18th, 2016
9:00 AM - 5:00 PM


You are already applying patches and updating anti-virus signatures. But endpoint protection is much more than that. Because most advanced malware infections start with a compromised endpoint, we want to proactively build defensibility and damage control into our systems using a zero-trust or assume-breach model. How?

The Enhanced Mitigation Experience Toolkit (EMET) is a benevolent rootkit from Microsoft, not an anti-virus scanner. It's one of the several anti-exploitation products that are growing in popularity today. EMET integrates into vulnerable applications, like browsers and PDF viewers, to reduce infection rates and disrupt post-exploitation actions. And EMET is free! In the hands-on lab, we will see how to manage EMET through Group Policy and configuration scripts.

AppLocker is an application whitelisting tool built into Windows to control which executables, scripts, DLLs and installer packages users may run. If hackers or malware attempt to launch an unauthorized process post-exploitation, the aim is to block it and log it. In the lab, we'll use PowerShell and Group Policy to manage AppLocker. Application whitelisting can be hard to manage if used too aggressively, so we'll also talk about how to get started without making the help desk phone ring off the hook.

When we adopt the assume breach mindset, we assume hackers are attacking us and sniffing packets from inside the Local Area Network (LAN). This is how they can move laterally from host to host. When we focus too much on perimeter defenses, these internal malicious actions go unchecked. We need defense-in-depth at the endpoint level. And for more data-centric security, we need to secure sensitive data not just on disk, but also while in motion inside the LAN, not just in motion across the perimeter.

Host-based firewalls can block the lateral movement of hackers inside the LAN and the outbound connections of malware. On mobile devices, we must do host-based packet filtering because mobile devices roam outside the LAN where the perimeter firewall cannot protect them. The trick is being able to apply different sets of firewall rules to different sets of machines in a scalable, repeatable, and automated way. This is what we will do with the built-in Windows Firewall through Group Policy and PowerShell.

IPSec is not just for VPNs! In fact, we won't discuss VPNs at all today. The built-in Windows IPSec driver can authenticate users in Active Directory in order to implement share permissions for our TCP/UDP listening ports based on our users' global group memberships in Active Directory. Imagine configuring the Windows Firewall on your endpoints and servers to only permit access to their RPC, RDP or SMB ports if (1) the client has a local IP address, (2) the computer is pre-authenticated by IPSec to be a member of the domain, (3) the user is pre-authenticated to be a member of the Domain Admins group, and (4) the packets are all encrypted with 256-bit AES. Not only is this possible, today's course will show you exactly how to do it!

Despite our best efforts, we must still assume breach. Pre-forensics describes what we should configure on Windows to prepare for a security incident. It's not about the response itself, it's about the preparations, such as enabling centralized logging. Preparation is half the battle. Pre-forensics also means gathering ongoing operational data to give to the Hunt Team and incident responders while they look for indicators of compromise. When the Hunt Team has a baseline of what is "normal" on a server to compare against, identifying what is new and out of place is vastly easier. PowerShell makes creating these scheduled baseline snapshots easy.

CPE/CMU Credits: 6



  • Microsoft's benevolent rootkit: EMET
  • EMET scripting and Group Policy
  • Application whitelisting with AppLocker
  • Scripting AppLocker with PowerShell
  • PowerShell constrained language mode
  • The Principle of (Endpoint) Least Privilege

IPSec Port Permissions

  • IPSec for everything besides VPNs
  • We don't discuss VPNs at all today!
  • IPSec for blocking lateral post-exploitation
  • Limit access to ports based on global group membership
  • IPSec-based encrypted VLANs
  • Group Policy management of IPSec rules
  • PowerShell and NETSH.EXE control of IPSec

Host-Based Firewalls

  • PowerShell scripting of Windows Firewall rules
  • Group Policy management of Windows Firewall
  • Blocking malware outbound connections
  • Role-based access control at the network level
  • What does "deep IPSec integration" mean?
  • Using the firewall logs for network forensics


  • Pre-forensics for incident response preparation
  • Audit policy and Windows event logs
  • System snapshots to help the Hunt Team
  • Event log wrapping vs. flush attacks
  • Preparation is half the battle

Jason Fossen
Sat Nov 19th, 2016
9:00 AM - 5:00 PM


Hackers love the Windows Management Instrumentation (WMI) service, and so should we. We are the linebackers on the Blue Team and the WMI service was made for us, not them. The WMI service is enabled by default and accessible over the network. Through WMI we can do remote command execution (without PowerShell being installed at the target), forcibly log off the user, reboot the machine, stop services, search for processes running as Administrator, kill any process, and much more. The WMI service is nearly all-powerful and it's built for remote administration. PowerShell is tightly integrated into WMI, and we'll look at several PowerShell examples.

Hackers will try to elevate their privileges and move laterally from machine to machine inside the LAN. One way they do it is by abusing protocols and network services that we cannot live without. Could you live without SSL/TLS, DNS, Kerberos, Remote Desktop Protocol (RDP), or the File and Print Sharing protocol (SMB/CIFS)? Probably not, but these protocols can all be attacked with terrible consequences. In particular, we are totally dependent on DNS, but it is difficult to design a protocol worse than DNS.

Hackers love DNS too, but for all the wrong reasons. There are several things we can do to make DNS more secure though. We can do DNS sinkholing of names used by malware, use DNSSEC, require Kerberos dynamic updates, disable zone transfers, implement a split architecture, and encrypt DNS traffic with IPSec. DNSSEC is vastly easier to configure now than in the past. DNS sinkholing is also very effective in disrupting malware control channels, and sinkholing can be done for free with a PowerShell script. DNS logging helps with threat detection too.

SSL should be eliminated, there are too many flaws in this old protocol. Instead, we should use the latest version of TLS available, and optimize our cipher suites for 256-bit AES with Perfect Forward Secrecy (PFS).

Kerberos Golden Ticket attacks allow hackers to impersonate domain controllers. If this catastrophe were to happen in your environment, how would you respond? We will talk about how to reset the krbtgt password and force immediate Active Directory replication.

Wireshark can sniff SMB traffic to file shares and carve files out of the packet payloads. Hackers can also inject malware into Group Policy Objects as the endpoints download their GPOs over SMB. SMB is plaintext by default, but we'll see how to configure SMB encryption with or without IPSec. It's also time to eliminate SMB 1.0 from our LANs.

Finally, the most popular way to remotely manage Windows is to use the Remote Desktop Protocol (RDP) and a thin client like MSTSC.EXE. But RDP is vulnerable to man-in-the-middle attacks! And an RDP logon can leave admin credentials in memory for malware to steal. As more virtual machines are moved up to the networks of cloud providers, RDP use over the Internet will increase. But with PKI, IPSec encryption, and proper hardening, RDP can be made safe enough to use, even for administrators.

CPE/CMU Credits: 6


PowerShell and WMI

  • Windows Management Instrumentation (WMI) service
  • What is WMI and why do hackers abuse it so much?
  • Using PowerShell to query WMI CIM classes
  • Searching remote event logs faster with WMI
  • Inventory operating system versions and installed software
  • WMI remote command execution versus PowerShell remoting

Hardening DNS

  • Why is DNS so easy to attack?
  • Don't believe the haters, DNSSEC is fun!
  • How to deploy DNSSEC step-by-step
  • Kerberos for DNS secure dynamic updates
  • DNS sinkholes for malware and threat detection
  • Sinkholing unwanted DNS names with PowerShell
  • PowerShell management of all networking settings

Dangerous Protocols We Can't Live Without

  • Hackers want you to use RDP
  • Remote Desktop Pwnage (RDP)
  • SSL is dead, long live TLS
  • TLS cipher suite optimization
  • SMBv3 native encryption vs. Wireshark
  • NTLM, NTLMv2, and Kerberos
  • Kerberos Golden Tickets (Silver too)
  • Kerberos double-encryption armoring
  • What about IPv6 tunneling?

Additional Information

Please bring the following with you when you attend SEC505:

  • Laptop with 8GB or more of memory, a USB port, with any operating system you wish.

  • A virtual machine (VM) running the free, evaluation version of Windows Server 2012 R2 Datacenter Edition (make sure it is "Server 2012 R2", not just "2012"). Please install your VM before you arrive, not the morning of the training.

  • When you install the VM using Microsoft's OS installation program, choose the option for "Windows Server 2012 R2 Datacenter Evaluation (Server with a GUI)". Do not accept the default "Server Core" option.

  • Bring a copy of the evaluation ISO file for Windows Server 2012 R2 with you.

Please don't let your IT department spoil your training experience by giving you a "loaner laptop" that is too slow. Also, do not install Windows Server directly onto your laptop, you must use a VM for the training.

How should the Windows Server training VM be configured?

To test your training VM for the course, please confirm the following:

  • In your virtualization software, such as VMware or Hyper-V, configure the VM to use "Host-Only" or "Private" networking (not "NAT", "Bridged" or "External"). Do not apply updates to the VM.

  • Confirm that you can log into the VM using the built-in Administrator account. Do not rename the Administrator account or use a different account. Do not install Active Directory or run any SETUP scripts.

  • On the desktop of the VM, confirm that it does not say "Evaluation Expired" in the bottom right-hand corner of the desktop. Create a new, fresh VM if your evaluation period has expired (do not run slmgr.vbs).

  • Disconnect your host laptop from any wireless network and pull out any networking cables. Then, open the Control Panel inside the training VM, go to the "Network and Sharing Center" applet, click on the "Change adapter settings" link on the left, then confirm that your network interface is still enabled and appears to be connected to a live network. If your VM's network interface cannot stay enabled or connected, right-click that interface and disable it (disable the interface inside the VM, not on your host laptop). You will need to install the Loopback Adapter in Control Panel inside the VM (see instructions below).

If you wish to install VMware Tools or other similar virtualization support software inside your training VM, feel free to do so, but it is not required.

Setup Questions?

If you have questions about the laptop setup, please contact laptop_prep@sans.org. We are here to help!

What does the "Server with a GUI" option look like when installing Windows Server?

You will see the following screen after you've booted your VM from the Windows Server installation ISO file. Choose the "Server with a GUI" option at the bottom of the list.

Where can I get the free evaluation version of Windows Server 2012 R2?

You can download a free trial version of Windows Server 2012 R2 from Microsoft as an ISO image file (an ISO file is an exported copy of a CD/DVD disk). Just do an Internet search on "site:microsoft.com windows server trial eval" to find the download link to the ISO file on Microsoft's web site. Make sure to get Windows Server 2012 R2, not Server 2012.

Bring the ISO file with you on your hard drive when you attend the course.

VMware prompts me for a license number or I get a license error message!

Make sure you have the evaluation version of Windows Server, not the retail version.

When creating the virtual machine in VMWare, it is best to choose the option that says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the VM has been created, not during the initial creation.

After the VM has been created, go to the Settings of that VM and provide the path to the source ISO file. Now, when you start the VM, there should be no evaluation licensing problems.

Why doesn't SANS just provide attendees with a pre-built virtual machine?

We would if we could! Microsoft does not allow us to redistribute evaluation versions of Windows Server 2012 R2 virtual machines, even though the ISO download is free and does not require a license number.

Do I need to install the Microsoft Loopback adapter? (Most likely not.)

Most likely, you do not need to install the Microsoft Loopback adapter inside your VM. Inside the VM, not on your host laptop, if the VM's network adapter will not stay enabled and connected when your host laptop does not have a live network connection, you will need to install the Microsoft Loopback adapter in Control Panel. This problem is common on older Dell laptops, but rare on other laptops (it's a driver issue, not hardware).

If you need to install the Microsoft Loopback adapter, follow these steps:

First, open the Control Panel inside the training VM, go to the "Network and Sharing Center" applet, click on the "Change adapter settings" link on the left, then right-click your current interface and disable it (this is the non-loopback interface). Go back to the main Control Panel list of applet icons.

Second, in Control Panel inside your training VM, double-click the "Device Manager" applet > right-click your server at the top in Device Manager > select "Add Legacy Hardware" > Next > select "Install the hardware that I manually select from a list (Advanced)" > select "Network Adapters" > Next > choose "Microsoft" as the manufacturer on the left > choose "Microsoft KM-TEST Loopback Adapter" on the right > Next > Next > Finish.

The Microsoft Loopback adapter is a simulated Ethernet network interface card which always appears to be connected to a live network, even though it is not.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security Operations (SecOps) engineers
  • Windows endpoint and server administrators.
  • Anyone who wants to learn PowerShell automation.
  • Anyone implementing the NSA Top 10 Mitigations.
  • Anyone implementing the CIS Critical Security Controls.
  • Those deploying or managing a Public Key Infrastructure (PKI) or smart cards.
  • Anyone who needs to reduce malware infections.

There are no prerequisites to attend the course, but a familiarity with basic Windows and Active Directory concepts is presumed. You do not need any prior scripting experience; we will learn PowerShell as we go along together.

  • A USB flash drive or DVD disk with over 200 PowerShell scripts written by the course author, plus security templates and other tools used in the labs.

  • A set of SEC505 manuals. The manuals are much more than just slides with some sparse notes. They are written as textbooks with screenshots, lab exercises, table of contents, and more. In general, SEC505 attendees rarely need to take hand-written notes during seminar, the notes are already in the books.

  • When bundled with the GCWN certification exam, audio recordings of the entire course that you can take with you.
  • Execute PowerShell commands on remote systems and begin to write your own PowerShell scripts.

  • Harden PowerShell itself against abuse, and enable transcription logging.

  • Use Group Policy to execute PowerShell scripts on an almost unlimited number of hosts, while using Group Policy Object permissions, organizational units, and Windows Management Instrumentation (WMI) to target just the systems that need the scripts run.

  • Use PowerShell Desired State Configuration (DSC) and Server Manager scripting for the sake of SecOps/DevOps automation of server hardening.

  • Assuming a breach will occur, use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds.

  • Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root.

  • Configure mitigations against attacks such as pass-the-hash, Kerberos golden tickets, Remote Desktop Protocol (RDP) man-in-the-middle, Security Access Token abuse, and others.

  • Use PowerShell and Group Policy to manage the Microsoft Enhanced Mitigation Experience Toolkit (EMET), AppLocker whitelisting rules, INF security templates, Windows Firewall rules, IPSec rules, and many other security-related settings.

  • Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certification Authorities (CAs).

  • Harden SSL/TLS, RDP, DNS, and SMB against attacks. This includes deploying DNSSEC, DNS sinkholes for malware, SMB encryption, and TLS cipher suite optimization.

  • Use PowerShell with the WMI service, such as remote command execution, searching event logs, and doing a remote inventory of user applications.

"Gold standard of Windows security training." - Alexander Kotkov, Ernst & Young

"The best Windows Security course I've attended in 25 years of administering Windows environments. Every time I pick up one of my GCWN books, I learn something new that's immediately applicable to my current situation. A must-have course for any system administrator who is serious about securing their environment." - Armond Rouillard, NES Associates, U.S. Army (retired)

"SEC505 course content is on point with projects I am currently working on to improve our Windows security posture. The lessons learned will help me achieve my project goals with a high degree of confidence and quality." - Anthony DeVoto, EY

"Home run hit for modern Windows security." - Russ Gritto, ERG

"I loved the course, when I return to the office I am recommending it to the rest of my team." - Alex Fox, Federal Home Loan Bank Chicago

"Invaluable! Every day was directly pertinent to what we are doing at work. I wish I had taken this course many years ago." - Jerry Sanchez, Southwest Research Institute

"Every lesson provides information I can immediately use at work when I return." - Dan Fleischer, MiTek Industries

"It's nice to see Windows training that isn't 'controlled' by Microsoft." - Rich Wessler, West Virginia University

"If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!!" - Matthew Stoeckle, Nebraska Public Power District

"You will know and be confident how to enable Windows PKI after taking this course. I had no practical experience but plenty of theory. The instructor broke down the pros and cons of the whole process. Excellent!!" - Othello Swanston, DTRA-DOD

  • SEC401: Security Essentials provides a foundation in the essential Windows and Active Directory concepts necessary for this course.

  • SEC566: Implementing and Auditing the Critical Security Controls presents the overall framework that this course applies. SEC505 is a deep-dive into how to specifically apply this framework to Windows and Active Directory.

  • SEC504: Hacker Tools, Techniques, Exploits and Incident Handling presents the hacker's perspective, whereas SEC505 examines how to defend against or mitigate the attacks described in SEC504.

  • SEC511: Continuous Monitoring and Security Operations emphasizes threat detection, logging, alerting, and monitoring at both the network and host levels.

Author Statement

The courses I write for SANS are always guided by two questions: (1) What do administrators need to know to secure their networks? and (2) What should administrators learn to advance their careers as IT professionals? I am neither a Microsoft employee nor a Microsoft basher, so you will not get either kind of propaganda here. My concern is with the health of your network and your career. As a security consultant, I have seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows with PowerShell course is packed with interesting and useful advice that is hard to find on the Internet. We always have a good time, so I hope to meet you at the next training event!

- Jason Fossen, SANS Faculty Fellow