GIAC Certified Windows Security Administrator (GCWN)
Type: Certification
Course: No specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.
Target: Individuals responsible for installing, configuring, and securing Microsoft Windows 2000/XP/2003 networks. GIAC Certified Windows System Administrators (GCWNs) have the knowledge, skills and abilities to secure and audit Windows systems, including services such as Group Policy, Active Directory, Internet Information Server, IPSec and Certificate Services.
Requirements: 1 proctored exam – 150 questions – 4-hour time limit – 70% (105 of 150 questions) minimum passing score
Renewal: Every 4 years
Delivery: Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours upon receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and should be scheduled using our
Securing Windows, Security 505
Course overview
Will you be transitioning from Windows XP to Windows 7? The Securing Windows track is fully updated for Windows Server 2008-R2 and Windows 7. Most of the content applies to Windows Server 2003 and XP too, but the focus is on 2008/Vista/7.
Concerned about the 20 Critical Security Controls of the Consensus Audit Guidelines? This course will help you implement them, not just audit them, and will walk you through most of the tools step-by-step too.
As a Windows security expert, how can you stand out from the crowd and offer management more than the usual apply-this-checklist advice? Be a security architect who understands the big picture. You can save your organization money, maintain compliance with regulations, secure your networks, and advance your career all at the same time. How? By leveraging the Windows infrastructure you’ve already paid for.
The Securing Windows track at SANS (SEC505) is a comprehensive set of courses for Windows security architects and administrators. It tackles tough problems like Active Directory forest design, how to use Group Policy to lock down desktops, deploying a Microsoft PKI and smart cards, pushing firewall and IPSec policies out to every computer in the domain, securing public IIS web servers, and PowerShell scripting.
PowerShell is the future of Windows scripting and automation. Easier to learn and more powerful than VBScript, PowerShell is an essential tool for automation and scalable management. And if there’s one skill that will most benefit the career of a Windows specialist, it’s scripting, because most of your competition lacks scripting skills, so it’s a great way to make your resume stand out. Scripting skills are also essential for being able to implement the 20 Critical Security Controls.
You are encouraged to bring a virtual machine running Windows Server 2008 Enterprise Edition configured as a domain controller, but this is not a requirement for attendance since the instructor will demo everything discussed on-screen. You can get a free evaluation version of Server 2008 from Microsoft’s web site (just do a Google search on “site:microsoft.com Server 2008 trial”). You can use VMware, Virtual PC or any other virtual machine software.
This is a fun and fascinating course, a real eye-opener even for Windows administrators with years of experience. Come see why there’s a lot more to Windows security than just applying patches and changing passwords; come see why a Windows network needs a security architect.
Who Should Attend?
- Windows network security engineers and architects.
- Windows administrators with security duties.
- Anyone with Windows machines who wants to implement the SANS 20 Critical Security Controls
- Active Directory designers and administrators.
- Those who must enforce security policies on Windows hosts.
- Those deploying or managing a PKI or smart cards.
- IIS administrators and webmasters with web servers at risk.
- Administrators who use the command line or scripting to automate their duties and must learn PowerShell (the replacement for CMD scripting and VBScript).
Securing Active Directory and DNS Day:
- Read-Only Domain Controllers (RODC)
- Securing Domain Controllers
- SYSKEY.EXE
- Disaster Planning and Recovery
- Encrypting Replication Traffic
- Property-Level Permissions (DACLs)
- Audit Settings (SACLs)
- Delegation of Authority
- Organizational Unit Design
- Custom MMC Consoles
- The “Empty Root” Domain Model
- Best Practices for Forest Design
- DNS SRV Records
- Unix BIND Integration
- Secure Dynamic Updates
- Best Practices for Securing DNS
Group Policy Day:
- The Group Policy Management Console (GPMC)
- Security Templates
- Security Configuration and Analysis MMC Snap-In
- SECEDIT.EXE
- Group Policy Objects (GPOs)
- GPO Links to Domains, OUs and Sites
- Order of Precedence Processing: LSDOU
- WMI Filtering
- Custom ADM/ADMX Templates
- MSI Deployment through Group Policy
- Pushing Out Scripts
- Software Restriction Policies
- Managing Internet Explorer Settings
- Replacing the Desktop Interface
- Micro-Managing Users’ Applications
PKI, EFS and BitLocker Day:
- Why Must I Have A PKI?
- Examples: Smart Cards, VPNs, Wireless, SSL, S/MIME, etc.
- How To Install The Windows PKI
- Root vs. Subordinate Certification Authorities
- Should You Be Your Own Root CA?
- Controlling Certificate Enrollment
- How To Manage Your PKI
- Group Policy Deployment of Certificates
- How To Revoke Certificates
- Automatic Private Key Backup
- Delegation of Authority
- Deploying Smart Cards
- Smart Card Enrollment Station
- Best Practices for Private Keys
- Encrypting File System
- EFS Insecurity Myths
- BitLocker Drive Encryption
- TPM and USB BitLocker Options
- BitLocker Emergency Recovery
- MANAGE-BDE.WSF
- Best Practices for EFS and BitLocker
IPSec, Windows Firewall, NPS, VPNs and Wireless Day:
- Secure Socket Tunneling Protocol (SSTP)
- Isn’t IPSec Just For VPNs? No!
- IPSec Domain Isolation
- How to Create IPSec Policies
- Group Policy Management of IPSec
- NETSH.EXE
- Windows Firewall with Advanced Security
- Configuring RADIUS Policies (NPS)
- EAP vs. PEAP
- PEAP-MS-CHAPv2
- Smart Cards for VPN
- IPSec + L2TP = RRAS VPNs
- L2TP vs. PPTPv2
- Host-to-Router VPN Configuration Steps
- Router-to-Router VPN Configuration Steps
- VPN Best Practices
- Securing Wireless Networks
- Wi-Fi Protected Access (WPA)
- Smart Cards for Wireless
- Best Practices for Wireless
Securing IIS Day:
- FTP Over SSL (FTPS)
- IIS Server Hardening
- Security Template for IIS
- Patch Management
- Removing Dangerous Services
- Securing WebDAV
- Managing Bindings
- Hardening TCP/IP
- IPSec for IIS Servers
- Authentication Options
- Kerberos and NTLM for Web Applications
- Smart Cards for Web Applications
- Minimal HTTP Permissions
- Minimal NTFS Permissions
- Proper NTFS Auditing
- Running Scripts and Binaries on IIS
- Web-Based Applications
- Worker Process Isolation
- HTTP.SYS Filtering
- Securing XML Config Files
- Securing Logs Hands-Free
- Finding Hacking Signatures In Logs
PowerShell Scripting Day:
- What is PowerShell?
- CmdLets
- Running Scripts
- Namespace Providers
- Piping .NET Objects
- Parameter Binding
- Regular Expressions
- Functions and Filters
- The .NET Class Library
- Using Properties and Methods at the Command Line
- Security and Execution Policy
- Managing the Event Logs
- Accessing COM Objects: WMI, ADSI, ADO, etc.
For a security architect, Active Directory is the foundation upon which the rest of Windows security depends. Active Directory (AD) is the infrastructure behind the other security infrastructures, such as PKI, identity management, Network Access Protection, and Group Policy. A compromise of AD, such as hacker accounts being added to the Enterprise Admins group, would lead to the collapse of all other security safeguards tied to it. And some of our most likely adversaries are other Domain Admins who have good intentions, but don’t know what they’re doing, hence, we must also delegate authority in AD to limit this kind of accidental damage.
Unfortunately, there is a lot of misinformation circulating out there about Active Directory security. For example, are you actually getting any benefit from having an “empty root domain” or does it just create hassles? Do you place your public IIS servers in your primary domain, in a new domain, or in a completely new forest with a cross-forest trust? Are all of your branch office domain controllers physically secured, or are you using read-only domain controllers, or both? Why is a “server core” domain controller supposedly more secure than a standard installation when they both have the exact same services listening on the same port numbers? AD design was never simple to begin with, and now it’s even more complex with Server 2008 and later.
This course will quickly get you on top of what you need to know about Active Directory security and delegation of authority. Importantly, this course is not an introduction to AD or an overview of basic administration topics. This is a course for people who already manage AD, need to plan a redeployment, or must lock down what they’ve got.
DNS is the Achilles’ heel of Active Directory. SRV records in DNS are what provide fail-over fault tolerance and load-balancing to AD (not the cluster service, NLB, or round robin), and DNS is often overlooked. In addition to Active Directory security, we’ll also cover what’s new and different for DNS security. This won’t be an introduction to DNS; we’ll jump straight into DNS security.
Who Should Attend This Course:
- All Windows administrators and security architects.
- Anyone redesigning their forest and trust structures.
- Anyone deciding where to place domain-joined IIS servers.
- Anyone who does identity management.
- Anyone trying to delegate authority safely in AD.
- Anyone who manages Windows DNS servers.
Topics Covered
Securing Domain Controllers
- Read-Only Domain Controllers
- Server Core
- SYSKEY.EXE
- Disaster Planning and Recovery
- Encrypting Replication Traffic
- Replication Fault Tolerance
- NTDSUTIL.EXE
- FSMO Role Assignments
Active Directory Access Control Lists
- Property-Level Permissions (DACLs)
- Auditing (SACLs)
- Command-Line Tools
- DSACLS.EXE
Delegation of Authority
- Leveraging AD Permissions
- Delegation Wizard
- Organizational Unit Design
- Delegating Password Reset
- Custom MMC Consoles
Forest Designs
- Different Types of Trusts
- The “Empty Root” Domain Model
- Extranet Forest (IIS)
- Best Practices for Forest Design
Secure Dynamic DNS
- SRV Records
- Unix BIND Integration
- No More Zone Files
- No More Secondaries
- Secure Dynamic Updates
- DHCP Integration
Enforcing Critical Controls With Group Policy, Security 505 - Day 2
Group Policy is the most underutilized security technology in the world. But not because no one is buying it: you already own it, and it’s built into Windows for free. If doing more with what you’ve already got is the hallmark of efficiency, then most organizations can do a lot more with the Group Policy investment they’ve already made.
Group Policy can be used to manage BitLocker encryption policies, regulate which applications users can run, push scripts out to computers which are then automatically executed, reconfigure NTFS permissions and audit settings, deploy MSI software installation packages, set password and account lockout policies, distribute IPSec encryption settings to all workstations and servers, change EFS recovery agents, control which Certification Authorities users should trust, set any number of registry values, and much much more. In fact, it’s better to ask what cannot be managed through Group Policy than the other way around.
In this course we’ll see how to use Group Policy to lock down desktops and servers, implement many of the SANS 20 Critical Controls, enforce regulatory compliance changes, configure services and applications, and scale our work out to thousands of systems conveniently. If you’ve never seen Group Policy before, you’re in for a shock (a good shock!) and if you’ve been using Group Policy for years, this course should expand your understanding even more since the emphasis is on security, not Group Policy in general.
Who Should Attend This Course:
- All Windows administrators and security architects.
- Anyone who must efficiently manage large numbers of computers.
- Anyone who needs to apply the SSLF or EC templates to their systems.
Topics Covered
Security Templates
- What Are Security Templates?
- How To Get/Make Templates
- Security Configuration and Analysis MMC Snap-In
- SECEDIT.EXE
- Auditing With Templates
What is Group Policy?
- Group Policy Objects (GPOs)
- GPO Links to Domains, OUs and Sites
- Order of Precedence Processing: LSDOU
- The Group Policy Management Console (GPMC)
Fine-Tuning Group Policy
- Block Inheritance
- No Override/Enforced
- Slow Link Detection
- WMI Filtering
- Custom ADM Templates
Updating Vulnerable Software
- Windows Installer Service
- Deployment through Group Policy
- Example: Pushing Out Service Packs
Pushing Out Scripts
- Automatic Deployment and Execution
- Startup, Shutdown, Logon and Logoff Scripts
- Languages Supported
Enforcing Critical Controls
- User Account Control (UAC)
- Software Restriction Policies
- Managing Internet Explorer Settings
- Replacing the Desktop interface
- Micro-Managing The User’s Applications
Public Key Infrastructure (PKI) is not an optional security infrastructure anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. With Windows Certificate Services you can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge.
Digital certificates play an essential role in Windows security: IPSec, EFS, secure e-mail, SSL/TLS, Kerberos authentication with smart cards, smart card authentication to IIS and VPN servers, script signing, etc., they all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap.
You also have to encrypt your laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker and EFS are built into Windows already? Both EFS and BitLocker are manageable through Group Policy, both have automatic encryption key archival features for recovery, both require little or no user training, and both can be used to encrypt portable USB drives. If you have a TPM chip in your motherboard, it can help BitLocker to detect rootkits, but note that a TPM chip is definitely not required to use BitLocker.
Planning a PKI or data encryption project isn’t easy, and mistakes and redeployments can be costly, so this course in part is designed to assist in the planning process to help avoid these mistakes. If you’re not encrypting laptops and portable drives now, you will be soon, and BitLocker/EFS can save your organization money while making the deployment relatively easy. Using Group Policy, you can manage most features of BitLocker and EFS on all your machines without having to configure each of them by hand.
Who Should Take This Course?
- All Windows administrators and security architects.
- Anyone who is planning a PKI deployment.
- Anyone who is planning a data encryption deployment.
- Anyone new to PKI or practical cryptography.
Topics Covered
Why Must I Have A PKI?
- Not Optional Anymore, You Don’t Have A Choice
- Windows Security Designed for PKI
- Examples: Smart Cards, IPSec, WPA Wireless, SSL, S/MIME, etc.
- Biometrics and PKI Were Made for Each Other
How To Install The Windows PKI
- Root vs. Subordinate Certification Authorities
- Should You Be Your Own Root CA?
- Custom Certificate Templates
- Controlling Certificate Enrollment
How To Manage Your PKI
- Group Policy Deployment of Certificates
- Group Policy PKI Settings
- How To Revoke Certificates
- Automatic Private Key Backup
- Delegation of Authority
Deploying Smart Cards
- Everything You Need Is Built-In
- Smart Card Enrollment Station
- Group Policy Deployment
Encrypting File System
- How to Encrypt and Recover Data
- EFS Insecurity Myths
- Sharing Encrypted Files
- CIPHER.EXE
BitLocker Drive Encryption
- TPM and USB Options
- Emergency Recovery
- Group Policy Management
- MANAGE-BDE.WSF
- Best Practices for EFS and BitLocker
Windows Firewall, IPSec, Wireless and VPNs, Security 505 - Day 4
The Windows Firewall in Windows 7/2008 has been greatly enhanced over the crude firewall in XP. One of the best features of the new Windows Firewall is its easy-to-use integration with IPSec, and both IPSec and the Firewall are manageable through Group Policy. There really is no compelling reason to purchase third-party firewalls for Windows anymore; that money can be better spent elsewhere.
IPSec is not just for VPNs. IPSec can authenticate endpoints against Active Directory to implement something like IPSec-based VLANs defined by global group memberships, and IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on all your servers and workstations to only permit access to RPC or File And Print Sharing ports if 1) the client has a local IP address, 2) the client is authenticated by IPSec to be a member of the domain, and 3) the packets are all encrypted with AES. This is not only possible, but is actually relatively easy to deploy with Group Policy. We will see exactly how to do this in seminar.
Windows Server includes a built-in RADIUS service that can be used to regulate access to VPN gateways, wireless access points, dial-up servers, and any other RADIUS-compliant access device. Everything you need for a full VPN solution on both the client-side and server-side is built into Windows for free. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free. This week we will see step-by-step exactly how to set it all up, including the PKI.
Windows Server 2008 and later also natively supports SSL VPNs, so you don’t have to use IPSec or PPTP if you prefer not to. SSL VPNs operate on TCP port 443 and are easy to enable once the RADIUS policies are configured. You don’t need to purchase a new expensive SSL VPN appliance if you’ve already got the Windows Server license.
In short, this course is about how to use the Windows Firewall, IPSec, RADIUS, the RRAS VPN gateway service, and WPA2 for 802.11 wireless to secure the network layer in our Windows environments. Virtually all these client settings, including wireless settings, are manageable through Group Policy.
Who Should Attend This Course?
- All Windows administrators and security architects.
- Anyone who needs to secure network traffic in Windows LANs.
- Anyone who wants to use IPSec for more than just VPNs.
- Anyone who needs an SSL or IPSec VPN solution.
- Anyone who needs a secure 802.11 wireless solution.
- Anyone who needs to understand Windows RADIUS policies.
Topics Covered
The New Windows Firewall
- Group Policy management
- Application awareness
- Location awareness
- IPSec integration
Why Use IPSec?
IPSec Is NOT Just For VPNs!
- Packet Encryption and Integrity
- User/Computer Authentication
- Transparent to Users
- Group Policy Management
- NETSH.EXE
Creating IPSec Policies
- Packet Filtering with IPSec
- Encryption Options
- Scripting IPSec Policies
- Require vs. Prefer IPSec
RADIUS for Network Security
- Smart Card Authentication
- EAP vs. PEAP
- PEAP-MS-CHAPv2
- Firewalling Options
- Require Strong Encryption and Authentication
- Limit Access To Chosen Global Groups
Virtual Private Networking
- SSTP = SSL VPN
- IPSec + L2TP
- Host-to-Router VPN Configuration Steps
- Router-to-Router VPN Configuration Steps
- VPN Best Practices
Securing Wireless Networks
- Wi-Fi Protected Access (WPA2)
- RADIUS Policy Enforcement
- Certificates For Laptops And Users
- PKI Integration
- Wireless Best Practices
Securing IIS 7.0, Security 505 - Day 5
IIS 7.0 in Windows Server 2008 is not an incremental upgrade, it’s a whole new beast. Both the management GUI and the underlying architecture are very different than before. IIS is highly modular, meaning that we can strip away what we don’t need, but we can also add modules to enhance security. For example, the URL Rewrite module can use regular expressions, just like Apache’s mod_rewrite, to block attacks or modify requests, making this module much more powerful than URLSCAN.
Something else new is FTP over SSL (FTPS) for secure file transfer. No matter where you go, you can always securely get to your files using FTPS or WebDAV over SSL. WebDAV can use SSL for file management too, hence, you can map a drive letter on Windows 7/2008 over SSL to a WebDAV share on IIS.
IIS is a magnet for hackers, so great care must be taken in planning how to deploy and configure Microsoft’s notorious web server. In this course, we will talk about how to harden the OS, how to strip IIS down to its essentials to reduce its attack surface, how to enforce authentication and authorization rules, how to implement application-layer HTTP filtering rules, and in general how to help keep your web site from becoming another victim statistic. During the day, the Code Red worm will be used as an example of an exploit which could have been easily blocked through proper configuration even if the patch for Code Red had not been applied prior to the attack. IIS security is much more than just setting up a firewall and applying patches, it’s about proactively anticipating tomorrow’s attacks and being ready for them.
The demand for IIS security personnel is great because IIS is so widely deployed. This course focuses on IIS 7.0 in Windows Server 2008, but many of the principles discussed will apply to IIS 6.0 as well. You won’t be left out if you’re still running IIS 6.0. If you’re new to IIS 7.0, this course will get you up to speed.
Who Should Attend This Course:
- All Windows administrators and security architects.
- Anyone who is responsible for IIS servers.
- Anyone who needs secure remote access to files without a VPN.
- IIS web application developers.
Topics Covered
Server Hardening
- Security Templates and Group Policy
- Service Packs and Hotfixes
- Website Location
- Dangerous Files
- Dangerous Services
- WebDAV
- Protocols and Bindings
- TCP/IP Parameters
- IPSec Filtering and Authentication
XML Configuration System
- The metabase is gone
- How the XML configuration files work
- The new GUI management interface
IIS Authentication and Authorization
- Anonymous, Basic, Digest, Kerberos, and NTLM Authentication
- Smart Card Certificate Authentication to IIS
- IIS/HTTP Permissions
- NTFS Permissions and Auditing
- Running Scripts and Binaries on IIS
- How to configure SSL/TLS
Web-Based Applications
- Worker Processes
- Application Pools
- HTTP.SYS
- Buffer Overflow Attacks
- URL Rewrite Module
- Request Filtering
- Process Isolation Techniques
Logging and Auditing
- Event Viewer Logs
- IIS Logs and Accounting
- Hacking Signatures in Logs
- SSL Connection Logging
- Securing Log Files
FTP Over SSL (FTPS)
- How to configure FTPS
- FTPS clients and issues
Windows PowerShell, Security 505 - Day 6
Finally! We’ve been waiting for years!
PowerShell is Microsoft’s upgrade for the old CMD.EXE shell and a Perl-like scripting language for it too. PowerShell is available as a free download for Windows XP/2003/Vista and is built into Windows 7/2008 and later operating systems by default (http://www.microsoft.com/powershell/).
PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What’s the big deal? PowerShell rides on top of the .NET Framework, hence, the entire .NET class library is available at the command prompt. And, when PowerShell scripts and tools pipe data into other PowerShell scripts and tools, it’s not plain text that gets piped, but entire .NET objects, including all their properties and methods.
PowerShell is the future of administrative scripting on Windows. For example, Exchange Server 2007 and Operations Manager 2007 have graphical management tools, but these tools are really just GUI wrappers for PowerShell commands. Microsoft has promised that other products will be PowerShell-ized too, and the long-term trend is clear: almost everything in Windows will eventually be built on top of the .NET Framework, and now that also includes the command shell.
What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript. This means you can use PowerShell with Windows Management Instrumentation (WMI), Active Directory Services Interface (ADSI), ActiveX Data Objects (ADO), and other COM interfaces. So while VBScript gives you COM, PowerShell gives you both .NET and COM.
And just like the old CMD shell, PowerShell is also designed to run built-in binaries like WMIC.EXE, NETSH.EXE, SC.EXE, etc., but with a scripting language that’s far more flexible than CMD batch scripting. What does the PowerShell scripting language look like? It looks a little bit like Perl or C#, but it’s not half as difficult for new coders to learn.
To attend the course, you don’t have to bring a laptop, but if you do, get the latest version of PowerShell from Microsoft (http://www.microsoft.com/powershell/). A CD-ROM will be handed out by the instructor with sample scripts and other files with which to experiment.
During the course we will walk through all the essentials of PowerShell together. The course presumes nothing: you don’t have to have any prior scripting experience to attend. And, most importantly, be prepared to have fun: PowerShell is just plain cooooooool…
Who Should Attend This Course:
- Windows administrators and security architects
- Exchange Server 2007 administrators
- Batch file coders looking to upgrade
- UNIX admins who want to feel more at home on Windows
- Anyone who writes scripts for Windows: PowerShell is the future!
Topics Covered:
- What is PowerShell?
- Cmdlets
- Running Scripts
- Namespace Providers
- Piping Objects
- Parameter Binding
- Regular Expressions
- Functions and Filters
- The .NET Class Library
- Using Properties and Methods at the Command Line
- Accessing COM Objects: WMI, ADSI, ADO, etc.
- Security and Execution Policy
- And lots and lots of sample scripts to walk through…