Securing Windows and PowerShell Automation Training Course (Hands-on)
Securing Windows and PowerShell Automation Training: Hackers know how to use PowerShell for evil; do you know how to use it for good? In Securing Windows and PowerShell Automation Training you will learn PowerShell and Windows security hardening at the same time. SecOps requires automation, and Windows automation means PowerShell. You've run a vulnerability scanner and applied patches - now what?
A major theme of this Securing Windows and PowerShell Automation Training course is defensible design: we have to assume that there will be a breach, so we need to build in damage control from the beginning. Whack-a-mole incident response cannot be our only defensive strategy - we'll never win, and we'll never get ahead of the game. By the time your monitoring system tells you a Domain Admin account has been compromised, it's TOO LATE.
This Securing Windows and PowerShell Automation Training course is not a vendor show to convince you to buy another security appliance or to install yet another endpoint agent. The idea is to use built-in or free Windows and Active Directory security tools when we can (especially PowerShell and Group Policy) and then purchase commercial products only when absolutely necessary.
This Securing Windows and PowerShell Automation Training course is designed for systems engineers, security architects, and the Security Operations (SecOps) team. The focus of the Securing Windows and PowerShell Automation Training course is on how to automate the NSA Top 10 Mitigations and the CIS Critical Security Controls related to Windows, especially the ones that are difficult to implement in large environments.
Securing Windows and PowerShell Automation Training will also prepare you for the GIAC Certified Windows Security Administrator (GCWN) certification exam to prove your Windows security expertise. The GCWN certification counts towards a Master's Degree in Information Security from the SANS Technology Institute (www.sans.edu) and satisfies the Department of Defense 8570 computing environment requirement. The GCWN is also a foundational certification for soldiers in the U.S. Army's 255-S Information Protection Program, especially now that the DoD has standardized on Windows 10.
This is a fun Securing Windows and PowerShell Automation Training course and a real eye-opener, even for Windows administrators with years of experience. We don't cover patch management, share permissions, or other such basics - the aim is to go far beyond that. Come have fun learning PowerShell and Windows security at the same time!
Duration: 6 days
• We can adapt this Securing Windows and PowerShell Automation Training course to your group’s background and work requirements at little to no added cost.
• If you are familiar with some aspects of this Securing Windows and PowerShell Automation Training course, we can omit or shorten their discussion.
• We can adjust the emphasis placed on the various topics or build the Securing Windows and PowerShell Automation Training course around the mix of technologies of interest to you (including technologies other than those included in this outline).
• If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Securing Windows and PowerShell Automation Training course in a manner understandable to lay audiences.
Audience / Target Group
• Security Operations (SecOps) engineers.
• Windows endpoint and server administrators.
• Anyone who wants to learn PowerShell automation.
• Anyone implementing the NSA Top 10 Mitigations.
• Anyone implementing the CIS Critical Security Controls.
• Those deploying or managing a Public Key Infrastructure (PKI) or smart cards.
• Anyone who needs to reduce malware infections.
There are no prerequisites to attend the course, but a familiarity with basic Windows and Active Directory concepts is presumed. You do not need any prior scripting experience; we will learn PowerShell as we go along together.
After completing this Securing Windows and PowerShell Automation Training course, attendees will be able to:
• Configure mitigations against attacks such as pass-the-hash, Kerberos golden tickets, Remote Desktop Protocol (RDP) man-in-the-middle, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses.
• Execute PowerShell commands on remote systems and begin to write your own PowerShell scripts.
• Harden PowerShell itself against abuse, and enable transcription logging for your SIEM.
• Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach).
• Block hacker lateral movement and malware Command & Control channels using Windows Defender Firewall, IPsec, DNS sinkholes, admin credential protections, and more.
• Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell.
• Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root.
• Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certification Authorities (CAs).
• Harden must-have protocols against exploitation, such as SSL/TLS, RDP, DNS, DNSSEC, PowerShell Remoting, and SMB.
• Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more.
Securing Windows and PowerShell Automation Training - Course Content:
Day 1: PowerShell Automation and Security
• New to scripting? No problem!
• Quick intro to scripting, such as ForEach loops
• PowerShell remote command execution
• Transcription logging for forensics
• Parsing and mining nmap port scanner XML output
• Searching event logs faster with XPath queries
• Writing your own functions and scripts
• Capturing command output for parsing
• Preparing to pipe .NET objects, not text
Day 2: Continuous Secure Configuration Enforcement
• PowerShell Desired State Configuration (DSC)
• NSA's Secure Host Baseline GPOs
• Using Group Policy to target PowerShell scripts
• Scheduling elevated PowerShell tasks safely
• Empowering the Hunt Team and incident responders
• Server hardening automation for DevOps
• Why Nano Server and Server Core?
• Microsoft Security Compliance Manager (free tool)
• Windows Operating System and application hardening tools
• Customizing INF security template text
• Group Policy continuous enforcement
Day 3: Windows PKI and Smart Cards
• Windows Public Key Infrastructure (PKI) can be fun!
• Installing and managing a PKI, a step-by-step walk-through
• Detecting malicious trusted root Certification Authorities with PowerShell
• Hands-free Group Policy deployment of certificates
• Private key archival and lost key recovery
• How to quickly deploy smart cards for admins
• Best practices for private key security
• Installing an Online Certificate Status Protocol (OCSP) responder
• Issuing a code signing certificate for PowerShell scripts
• Scripting to compare file hashes, like a poor man's Tripwire
Day 4: Administrative Compromise and Privilege Management
• PowerShell Just Enough Admin (JEA)
• Automate local Administrators group management
• Limiting privileges, logon rights, and permissions
• Privileged Access Workstations (PAWs)
• LSASS memory protections against DLL injection
• Token abuse and pass-the-hash attack mitigations
• User Account Control (UAC) and smart cards
• Safely delegating IT power for least privilege
• Active Directory permissions for IT delegation
• Designing Organizational Units for administrative least privilege
• Active Directory administrative tier model
• Active Directory logging and auditing
• Windows 10 facial biometrics and Credential Guard
Day 5: Endpoint Protection and Pre-Forensics
• Application whitelisting with AppLocker
• Automating AppLocker with PowerShell
• PowerShell constrained language mode
• Microsoft's benevolent rootkit: EMET
• IPsec is not just for VPNs!
• IPsec is built into Windows for endpoint protection
• IPsec share permissions for TCP/UDP ports
• PowerShell scripting of Windows Firewall rules
• Group Policy management of Windows Firewall
• Pre-forensics for incident response preparation
• Pre-forensics requires particular audit policies
• System snapshot baselines to help the Hunt Team
Day 6: Defensible Networking and Blue Team WMI
• Windows Management Instrumentation (WMI)
• PowerShell for WMI scripting
• Group Policy use of WMI filters
• Securing PowerShell and Fan-Out Remoting
• Remote Desktop Protocol (RDP) weaknesses
• Hardening TLS and eliminating SSL
• SSL/TLS cipher suites for perfect forward secrecy
• Kerberos armoring and restricting NTLM
• PowerShell management of DNS records
• DNS sinkholes for malware and phishing sites
• Implementing DNSSEC with PowerShell and Group Policy
• DNS secure dynamic updates with Kerberos
• SMBv3 encryption and downgrade attacks
• How to disable IPv6 tunneling, but keep IPv6