Last Day to Save $400 on 4-6 Day Courses at SANS Tysons Corner Fall 2017! Register Now.

Rocky Mountain 2013

Denver, CO | Sun, Jul 14 - Sat, Jul 20, 2013
This event is over,
but there are more training opportunities.

SEC505: Securing Windows and Resisting Malware

This is my fifth SANS course. Jason is exceptionally hard working instructor who adds tremendous value with his unrestricted contributions to the community.

Matthew Wheeler, Los Alamos Natl Lab

You have the best instructors available. Other training never comes close and is a waste of money.

Steve Sauro, McDermott Will and Emery

In April of 2014, Microsoft will stop releasing any new security patches for Windows XP. Like it or not, migrating off Windows XP is no longer optional, the clock is counting down. The Securing Windows and Resisting Malware course is fully updated for Windows Server 2012, Windows 8, Server 2008-R2, and Windows 7.

This course is about the most important things to do to secure Windows and how to minimize the impact on users of these changes. You'll see the instructor demo the important steps live, and you can follow along on your laptop. The manuals are filled with screenshots and step-by-step exercises, so you can do the steps alongside the instructor in seminar or later on your own time if you prefer.

We've all got anti-virus scanners, but what else needs to be done to combat malware and intruders using Advanced Persistent Threat (APT) techniques? Today's weapon of choice for hackers is stealthy malware with remote control channels, preferably with autonomous worm capabilities, installed through client-side exploits. While other courses focus on detection or remediation, the goal of this course is to prevent the infection in the first place (after all, first things first).

Especially in Server 2012 and beyond, PowerShell dominates Windows scripting and automation. It seems everything can be managed through PowerShell now. And if there's a needed skill that will most benefit the career of a Windows specialist, it's being able to write PowerShell scripts, because most of your competition will lack scripting skills, so it's a great way to make your resume stand out. This course devotes an entire day to PowerShell scripting, but you don't need any prior scripting experience.

This course will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to help prove your security skills and Windows expertise.

More

Operating System and Applications Hardening day:

  • Start with Malware-Resistant software
  • Painless (or Less Painful) Patch Management
  • How Your Anti-Virus scanners can fail you
  • Windows OS and Applications Hardening tools
  • The Group Policy Management Console (GPMC)
  • INF and XML Security templates
  • How to manage Group Policy
  • WMI filtering and GPO preferences
  • Custom ADM/ADMX templates
  • AppLocker whitelisting
  • Hardening Adobe Reader
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Microsoft Office
  • Virtual Desktop Infrastructure (pros and cons)

Dynamic Access Control & Restricting Admin Compromise day:

  • Server 2012 Dynamic Access Control (DAC)
  • DAC conditional expressions
  • DAC and complying with regulations
  • Automatic File Classification Infrastructure
  • Users in the local administrators group
  • Secretly limiting the power of administrative users
  • Limiting privileges, logon rights and permissions
  • User Account Control
  • Kerberos Armoring and eliminating NTLM
  • Delegating IT power more safely
  • Active Directory permissions and auditing

PKI, BitLocker and Secure Boot day:

  • Why must I have A PKI?
  • Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
  • How to install the Windows PKI
  • Root vs. Subordinate certification authorities
  • Should you be your own root CA?
  • How to manage your PKI
  • Group policy deployment of certificates
  • How to revoke certificates
  • Automatic private key backup
  • Deploying Smart Cards
  • Best practices for private keys
  • BitLocker drive encryption
  • Windows 8 secure boot
  • TPM and USB BitLocker options
  • BitLocker emergency recovery

Dangerous Protocols, IPSec, Windows Firewall, and Wireless day:

  • Dangerous protocols: SSL, RDP, SMB, DNS
  • Isn't IPSec just for VPNs? No!
  • IPSec for TCP port permissions
  • How to create IPSec policies
  • Group Policy Management of IPSec
  • DNSSEC and DNS dynamic updates
  • NETSH.EXE
  • Windows Firewall with advanced security
  • Configuring RADIUS Policies (NPS)
  • Wi-Fi Protected Access (WPA)
  • EAP vs. PEAP
  • PEAP-MS-CHAPv2
  • Secure access to wireless networks
  • Secure access to Ethernet networks
  • Smart cards for wireless and Ethernet
  • Best practices for wireless and Ethernet

Securing IIS Web Servers day:

  • IIS server hardening
  • Configuring SSL and TLS
  • Centralized certificates and SNI
  • Securing WebDAV
  • Authentication options
  • Smart cards for web applications
  • Proper NTFS permissions and auditing
  • What are application pools?
  • Securing XML config files
  • Secure remote administration
  • Restricting webmasters
  • FTP Over SSL (FTPS)

PowerShell Scripting day:

  • What is PowerShell?
  • Running CmdLets and scripts
  • Writing your own functions
  • Writing your own scripts
  • Flow control within scripts
  • Managing the event logs
  • Managing Active Directory
  • Windows Management Instrumentation (WMI)
  • Accessing COM Objects
  • Security and execution policy

You are encouraged to bring a virtual machine running Windows Server 2012 Standard or Datacenter Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2012 from Microsoft's web site (just do a search on "site:microsoft.com Server 2012 evaluation trial"). You can use Hyper-V, VMware, VirtualBox, or any other virtual machine software you wish.

This is a fun course and a real eye-opener even for Windows administrators with years of experience. Whether you're taking SEC505 live or in OnDemand, get the PowerShell scripts now for the course from http://www.sans.org/windows-security (go to the Downloads link). There is no prior registration required, and all scripts are in the public domain.

Hide

Course Syllabus


Jason Fossen
Mon Jul 15th, 2013
9:00 AM - 6:30 PM

Overview

The best analogy for modern network penetration is biological warfare. A vulnerable client is exploited through weak software and social engineering to install the hacker's malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and to exfiltrate valuable data (or to destroy it). When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you've got an Advanced Persistent Threat (APT) situation. You're in trouble.

We don't just want to detect hackers and malware; we want to try to prevent the case-zero compromise to begin with. Prevention comes first, and then detection and remediation come afterwards. An ounce of prevention is worth a pound of cure. Today's course is on prevention through Windows operating system and applications hardening. The aim is to try to deny hackers and malware that initial foothold inside the network, because once they're in, they're hard to clean out.

We start by choosing malware-resistant software and Windows operating systems, then we regularly update that software, limit what software users can run, and then configure that software so that its exploitable features are disabled or at least restricted to work-only purposes. Nothing is guaranteed, of course, but what if you could reduce your malware infection rate by more than half? What if your next penetration test wasn't just an exercise in embarrassment?

The trick is hardening Windows in a way that is cost-effective, scalable, and with minimal user impact. In this course we'll look at tools like Group Policy, security templates, WSUS, and SCWCMD.EXE to hopefully make it easier. In today's course and during the week, we'll see how to implement many of the SANS Critical Controls.

CPE/CMU Credits: 6

Who Should Attend
  • Windows security engineers and system administrators
  • Those who need to reduce malware and APT infections
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts

Topics

Malware-resistant software

  • What increases exploitability?
  • Cloud vendor relations
  • Metro apps and WinRT API
  • UEFI firmware vulnerabilities
  • DEP, ASLR, SEHOP

Updating vulnerable software

  • WSUS shortcomings
  • WSUS third-party enhancements
  • Patching off-site tablets and laptops
  • Identifying rogue devices (BYOD Hell)
  • Windows App Store (Metro)

OS Hardening with security templates

  • INF vs. XML security templates
  • How to edit and apply templates
  • Security configuration and analysis
  • SECEDIT.EXE
  • Security configuration wizard
  • Auditing with templates

Hardening with Group Policy

  • Group Policy Objects (GPOs)
  • Third-Party GPO enhancements
  • Pushing out PowerShell scripts
  • GPO remote command execution
  • GPO troubleshooting tools
  • Custom ADM/ADMX templates

Enforcing Critical Controls

  • Whitelisting with AppLocker
  • Hardening Internet Explorer
  • Hardening Google Chrome
  • Hardening Adobe Reader
  • Hardening Microsoft Office
  • Virtual Desktop Infrastructure (pros and cons)


Jason Fossen
Tue Jul 16th, 2013
9:00 AM - 6:00 PM

CPE/CMU Credits: 6


Jason Fossen
Wed Jul 17th, 2013
9:00 AM - 5:45 PM

Overview

Public Key Infrastructure (PKI) is not an optional security infrastructure anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. With Windows Certificate Services you can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge.

Digital certificates play an essential role in Windows security: IPSec, EFS, secure e-mail, SSL/TLS, Kerberos authentication with smart cards, smart card authentication to IIS and VPN servers, script signing, etc. They all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap.

You also have to encrypt your laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker is built into Windows already? BitLocker is manageable through Group Policy and from the command line. BitLocker has automatic encryption key archival features for recovery, requires little or no user training, and can be used to encrypt portable USB drives. If you have a TPM chip in your motherboard, it can help BitLocker to detect rootkits, but note that a TPM chip is definitely not required to use BitLocker.

With UEFI firmware and Windows 8, you can also use Secure Boot to help fight off bootkits and other malware too.

Planning a PKI or data encryption project isn't easy, and mistakes and redeployments can be costly, so this course, in part, is designed to assist in the planning process to help avoid these mistakes. If you're not encrypting tablets, laptops and portable drives now, you will be soon.

CPE/CMU Credits: 6

Who Should Attend
  • Anyone who needs a whole drive encryption solution
  • Anyone who needs to encrypt data on portable drives
  • Anyone deploying a Windows smart card solution
  • Anyone who needs digital certificates on Windows hosts
  • Anyone widely deploying SSL or S/MIME certificates
  • Anyone deploying or managing a PKI with Windows

Topics

Why must I have a PKI?

  • Not optional anymore; You don't have a choice.
  • Windows security designed for PKI
  • Examples: Smart cards, IPSec, WPA wireless, SSL, S/MIME, etc.
  • Biometrics and PKI were made for each other.

How to install the Windows PKI

  • Root vs. Subordinate certification authorities
  • Should you be your own root CA?
  • Custom certificate templates
  • Controlling certificate enrollment

How to manage your PKI

  • Group policy deployment of certificates
  • Group policy PKI settings
  • How to revoke certificates
  • Automatic private key backup
  • Delegation of authority

Deploying Smart Cards

  • Everything you need is built-in
  • Smart card enrollment station
  • Group Policy deployment

BitLocker drive encryption

  • Secure Boot (Windows 8)
  • TPM and USB options
  • Emergency recovery
  • Group Policy management
  • MANAGE-BDE.WSF
  • Best practices for BitLocker


Jason Fossen
Thu Jul 18th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Jason Fossen
Fri Jul 19th, 2013
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


Jason Fossen
Sat Jul 20th, 2013
9:00 AM - 5:00 PM

Overview

PowerShell is Microsoft's upgrade for the old CMD.EXE shell and a Perl-like scripting language for it too. PowerShell is available as a free download for Windows XP/2003/Vista and is built into Windows 7 and later operating systems by default (get the latest version from http://www.microsoft.com/powershell/). In Server 2012 especially, everything is PowerShell, PowerShell, PowerShell...

PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What's the big deal? PowerShell rides on top of the .NET Framework; hence, the entire .NET class library is available at the command prompt. And, when PowerShell scripts and tools pipe data into other PowerShell scripts and tools, it's not plain text that gets piped, but entire .NET objects, including all their properties and methods.

PowerShell is the future of administrative scripting on Windows. For example, Exchange Server and Operations Manager have graphical management tools, but these tools are really just GUI wrappers for PowerShell commands. There are also PowerShell cmdlets for IIS, Server Manager, AppLocker, Active Directory, Server Core, and more. Microsoft has promised that other products will be PowerShell-ized too, so the long-term trend is clear: almost everything in Windows will eventually be manageable through PowerShell.

What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript too. This means you can use PowerShell with Windows Management Instrumentation (WMI), Active Directory Services Interface (ADSI), ActiveX Data Objects (ADO), and other COM interfaces. So while VBScript gives you COM, PowerShell gives you both .NET and COM.

And just like the old CMD shell, PowerShell is also designed to run built-in binaries, like WMIC.EXE, NETSH.EXE, SC.EXE, etc., but with a scripting language that's far more flexible than CMD batch scripting. What does the PowerShell scripting language look like? It looks a little bit like Perl or C#, but it's much easier to learn.

During the course we will walk through all the essentials of PowerShell together. The course presumes nothing. You don't have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun - PowerShell is just plain cooooooool...

CPE/CMU Credits: 6

Who Should Attend
  • All Windows administrators who use the command line
  • Windows administrators that want to use scripting
  • Batch file coders looking to upgrade or avoid obsolescence
  • UNIX admins who want to feel more at home on Windows
  • Anyone who writes scripts for Windows - PowerShell is the future!
Topics

Overview and security

  • What is PowerShell?
  • Why should I learn it?
  • Why is everything in Windows getting PowerShell-ized?
  • Signing scripts and execution policy

Getting around inside PowerShell

  • Built-in help system
  • Built-in graphical editor
  • Aliases for CMD and bash users
  • Running cmdlets, functions, and scripts Piping objects instead of text Using properties and methods of objects

Example commands

  • Active Directory scripting
  • Searching event logs
  • Parsing nmap XML output

Write your own scripts

  • Writing your own functions
  • Flow control: if-then, do-while, foreach, switch Accessing COM objects like in VBScript How to pipe data in/out of scripts

Windows Management Instrumentation (WMI) What is WMI and why is it so powerful?

  • WMI queries and remote command execution Searching remote event logs faster Inventory installed software Sample scripts to walk through together

Additional Information

âYou will know and be confident on how to enable Windows PKI after taking this course. I had no practical experience, but plenty of theory. Jason broke down the pros and cons of the whole process. Excellent!!â

-OTHELLO SWANSTON, DTRA-DOD

Please note that bringing a laptop is optional, but recommended, and it's nice to bring a CD-ROM drive too.

Should I use a Virtual Machine?

Yes, in fact, using a virtual machine is preferred. Windows 8 Pro and Enterprise both include Hyper-V. You can also obtain VMware Player or Oracle VirtualBox for free.

How should my virtual machine be configured?

Please install Windows Server 2012 Standard or Datacenter Edition in your VM.

If you want to have a second VM running Windows 8 or Windows 7, then that is useful too, but certainly not required. The host computer can be anything.

You can download a free trial version of Windows Server from Microsoft (just do an Internet search on "site:microsoft.com windows server trial eval" ). Remember that Server 2012 is 64-bit only, so your laptop and VM software will need to support 64-bit virtual machines.

Additionally, the Server VM should have a static IP address (perhaps 10.1.1.1) and have the primary DNS server set to this same IP address, i.e., you will be your own DNS server. Afterwards, use the Server Manager tool to install the Active Directory Domain Services role. Along the way, install the DNS service when prompted to do so, and choose any domain name you wish (perhaps "testing.local"), but don't use your organization's real domain name.

Specific instructions for installing Active Directory are below.

What if I do not have a laptop or Windows Server Virtual Machine?

You are very welcome to attend the course if your VM does not meet the above specifications or if you cannot bring a laptop at all. The manuals are filled with screenshots and the instructor will be demonstrating software on a projection screen, so you will not miss out. Typically, 50% of the audience will not have laptops with Windows Server configured as a domain controller, so you will not be alone; however, the course is much more enjoyable and educational if you have Windows Server in a VM with you.

What if I am new to scripting?

You do not need any scripting background whatsoever to attend the course. We will spend the last day going through scripts written in PowerShell together. Half of the other attendees will be new to scripting as well.

How do I configure a static IP address in my Windows Server virtual machine?

Open Control Panel in the virtual machine, not on your host computer > Network and Sharing Center > Change adapter settings > right-click your network interface > Properties > select Internet Protocol Version 4 (TCP/IPv4) > Properties > configure that adapter with a static IP address (10.1.1.1) and set both DNS servers for that adapter to be your own IP address (10.1.1.1).

How do I install Active Directory in my Server 2012 virtual machine?

Open the Server Manager tool in the virtual machine > select your Local Server > Manage menu > Add Roles and Features > Next.

Select "Role-based or feature-based installation" > Next > choose "Select a server from the server pool" and make sure your own local server is highlighted > Next.

Check the box for "Active Directory Domain Services" > click the "Add Features" button.

Check the box for "DNS Server" > click "Add Features" button > Next > Next (there are no extra features to be installed now).

Click Next repeatedly until you can click Install > click the Install button > Close.

Wait a few minutes for Active Directory Domain Services to install. (If you are prompted to provide the path to the installation media, and if you have mounted the DVD or ISO file on drive letter "D:", then click the link at the bottom to provide an alternate path of "d:\sources\sxs".)

Go back to Server Manager, click the triangle notification near the flag at the top to see the progress of the installation of the role. Every minute or so, click the circular double-arrow refresh button and pull down the triangular alert menu again. Eventually, when it finishes, you will see and then click on "Promote this server to a domain controller".

Select "Add a new forest" > enter "testing.local" as the root domain name (or any domain name you wish) > Next.

Select forest and domain functional levels of "Windows Server 2012". Enter a password of "Sans*8" for the DSRM password (or anything you'll remember) > Next.

If you get an error concerning the DNS configuration, ignore it > Next.

Leave the NetBIOS name to the default > Next.

Leave the folder locations to their defaults > Next.

Next > Install. Ignore any error messages concerning DNS, cryptography, or anything else which does not block the installation process. Reboot the server VM after the install is finished.

Log onto your new domain controller with the same password you had before > launch Server Manager (if it does not run automatically) > Tools menu > Active Directory Users and Computers. If this tool launches successfully, you have promoted the server to a domain controller successfully. If the tool does not launch, or if other errors have blocked the installation, please search the Internet with the relevant keywords or error code numbers to find a fix, or, it may be simpler to just reinstall again (after confirming that your networking and DNS settings are correct).

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Windows security engineers and system administrators
  • Anyone who wants to learn PowerShell
  • Anyone who wants to implement the SANS Critical Security Controls
  • Those who must enforce security policies on Windows hosts
  • Anyone who needs a whole drive encryption solution
  • Those deploying or managing a PKI or smart cards
  • IIS administrators and webmasters with servers at risk
  • Harden the configuration settings of the Internet Explorer, Google Chrome, Adobe Reader and Micro- soft Office applications to better withstand client- side exploits.
  • Use Group Policy to harden the Windows operating system by configuring DEP, ASLR, SEHOP, EMET and AppLocker whitelisting by applying security templates and running custom PowerShell scripts.
  • Deploy a WSUS patch server with third-party enhancements to overcome its limitations.
  • Implement Server 2012 Dynamic Access Control permissions, file tagging and auditing for Data Loss Prevention (DLP).
  • Use Active Directory permissions and Group Policy to safely delegate administrative authority in a large enterprise to better cope with token abuse, pass-the-hash, service/task account hijacking, and other advanced attacks.
  • Install and manage a full Windows PKI, including smart cards, Group Policy auto-enrollment, and detection of spoofed root CA certificates.
  • Configure BitLocker drive encryption with a TPM chip using graphical and PowerShell tools.
  • Harden SSL, RDP, DNSSEC and other dangerous protocols using Windows Firewall and IPSec rules managed through Group Policy and PowerShell scripts.
  • Install the Windows RADIUS server (NPS) for PEAPTLS authentication of 802.11 wireless clients, and hands-free client configuration through Group Policy.
  • Harden an IIS web and FTP server against determined attackers, including WebDAV, FTP over SSL, HTTP-layer firewalling, and smart card authentication.
  • Learn how to automate security tasks on local and remote systems with the PowerShell scripting language and remoting framework.