It's no surprise: security's a big concern. Management's
concerned. Heck, you're concerned — after all, worms and
viruses come thick and fast, anyone who's connected to the Internet but
isn't worried about attacks is in la-la land, any user inside your
network can cheaply buy books on how to hack the network from inside and
... well... yikes! Clearly security's important, but how many firms
have actually dug deep into their pockets and hired security
specialists? You know the answer — most haven't, or if they have,
then they've missed the most important point: security isn't a
specialty. It's like breathing, everyone's got to do it.
Unfortunately, though, while "we all" have to do security, in many firms
nobody's releasing us from our other duties, and so without a bit of help,
what used to be a 45 hour-a-week job could become a 60-hour-a-week
That's what this course is intended to address. The course
director, Mark Minasi, has been teaching people about LAN networking since
1984, and understands what's involved with keeping a network in one
piece. He often wryly comments that he hears the phrase "networking"
and "not working" in too many places, and shows how to add "secure
networking" to an admin's job without making him or her go home
late. (Well, not too late.)
And he'll show you how to do it in just two days.
But that's not the only reason that you'll find this course a good use
of your time. As with all of his other courses, Mark designed this
course so that you could accomplish most of your goal of securing your
network using the tools that you've already paid for, or with freely
downloadable tools like Microsoft's Windows Software Update Service. People
often comment that Windows isn't secure, but they're only partially
right. Think of it this way: suppose you bought a house with
four doors to the outside and 30 windows, all of which have
locks. Is this house secure? Well, that depends — are
the 34 window and door locks locked or not? Much of what makes
Windows "insecure" just stems from the fact that Microsoft has built a
fairly secure OS, but then left many of the locks unlocked so as to
present an easy-to-use face to the world. In this course, you'll
learn what locks to engage, and why. But you'll also learn that
engaging some of those locks may exact a price either in terms of ease of
use or of compatibility — you see, one of the reasons that Microsoft left
some of those locks open was so that 2000, XP and 2003 could interoperate
with Windows 9x!
Perhaps most important, however, is that all of the security education
in the world isn't worth a thing if it doesn't make sense or is
dull. But Mark keeps the class lively with examples, anecdotes,
analogies and clear explanations. That's right — unlike other
seminar companies, who hire one instructor to create a class and send
others to "play back" the seminar, Mark teaches every one of our
sessions. You'll never get a second stringer, so get ready for a
very packed day of security education!
Key Seminar Benefits
- Learn how even the newest, most modern Windows systems have
vulnerabilities, and how you can reduce or remove those vulnerabilities
- Discover how to secure your Windows servers and desktops using tools
already in the box — how to get the most out of what you've already
- Crack open passwords to discover how they work under the hood and,
most important, how to protect yours from prying eyes and the occasional
- Find out how to use Active Directory to configure your systems
- Know what security issues to worry about, and what ones not
to worry about
- See how to disable unnecessary legacy features that leave gaping
holes in your systems
- Develop an effective patch strategy
- Control XP and 2003's built-in firewall through both command lines
and group policies, or build custom firewalls with IPsec
- Prepare for the worst with a disaster recovery strategy
- Understand Windows login tools and methods — the options, their
vulnerabilities, and how to secure them
- See when to use Internet Connection Firewall and when not to, and
how to use IPsec to create firewalls when ICF isn't the right answer
- Get advice on what to audit and how to use that audit information
- Meet the anonymous user and the "null session" and learn what to do
- Protect yourself from possible Encrypting File System disasters
- Get the most out of XP SP2 and 2003 SP1's security tools
Most security courses seem to feel it necessary to make you sit through
the "this is an Active Directory domain, this is a forest, this is an
organizational unit" talk. But we're skipping all that to save time
and keep this course as short and information-dense as possible. If
you need to understand AD, we recommend our "Running a 2003/2000-Based
Active Directory" course — you can find its outline at www.minasi.com/2003outln.htm.
We typically offer these courses together — first the AD course, then
- Introduction: Security in the 21st Century
Computer security's always been important, but e-mail viruses and
bug-exploiting worms have upped the ante, creating the possibility of a
single worst-case piece of cyber-terrorism that could in just a few
hours bring down thousands of networks and perhaps the Internet
itself. But our increasing dependence on data stored in computers
means that we don't need an apocalyptic Net-killing scenario to produce
effects that could destroy the work of individual people, departments,
or firms. Security's a necessary evil, but it doesn't have to be a
- Getting Ready: Knowing When To Worry, And Not To Worry
As security hazards have grown, so have the legion of people
consulting on computer security. While their mantra seems to be
"you can never be secure enough," the fact is that there's no sense in
spending a million dollars protecting an asset that can be replaced for
a few thousand dollars. Sure, security's important, but so is the
bottom line. This section quickly lays out a commonsense method
for deciding how much to spend, when to spend it, and... sometimes ...
when not to spend it.
- Who are the bad guys?
- What could they damage
- Where are the vulnerabilities?
- What would it cost you if the
bad guys succeeded?
- How can you keep that from happening with the least expense in
time and money?
- If it does happen, how can you most quickly recover?
- What policies must you have in place beforehand to minimize the
risk and recover at top speed?
- Authentication and Authorization
Perhaps the most fundamental part of any secure system is this pair
of questions: "who are you?" and "what are you allowed to do?"
This section quickly takes up these questions from a Windows
point of view so that we can always remember to ask when examining a
security technology "why are we doing this, anyway?"
- Why authenticate?
- Standard authentication approaches, and which ones Windows uses
- Authentication's output: tokens
- Why you (strangely enough) never "log onto a domain"
- Why authorize?
- How Windows authorizes: objects, actors, and permissions
- Talkin' authentication: ACLs, DACLs, SACLs, ACEs, and more
- The types of things Windows gives ACLs
- Windows' awful user interface to permissions
- Dueling authentication
- Owners and ownership
- Inheritance: When Good Permissions Get Propagated
As with any system with layers and layers, the Windows world wants to
save you trouble by letting you just touch one thing and have that touch
affect everything under it. But such a notion — "inheritance" —
costs valuable time no matter how you implement it. Here's how
Windows' inheritance compromise does it, both the good and the bad —
and, of course, how to do it most simply.
- Why inherit?
- How Windows implements inheritance
- Replace and Allow: the check boxes that aren't check boxes
- When denies don't beat allows
- Crypto Concepts: Encryption, Hashing, Signing, Shared
Secrets, Public Key and Certificates
Authenticating and authorizing are great, but we do them over leaky,
easy-to-eavesdrop-upon networks. So all good networks need a way
of protecting their secrets. That's where cryptographic tools come
in. This quick overview of the crypto technologies in Windows is
the key — no pun intended! — to understanding how Windows logons work
and to evaluating their strengths and weaknesses. We can't stress
this strongly enough: there's a lot of baloney to be found in the
security world about whether X or Y technology is "cracked" or "broken"
and without a basic knowledge of crypto, then all you can do is just
shrug your shoulders and go with the most paranoid-sounding expert
around, who often strangely has the most expensive solutions. This
section will make you a better security consumer!
- Why networks need cryptography, and why you're using it now,
whether you realize it or not
- Parts: algorithm, cleartext, key, ciphertext
- Symmetric and asymmetric keys
- Big keys are long; why not always use them?
- Common encryption algorithms used in Windows
- Fake encryption algorithms
- Asymmetric encryption basics
- What hashes do
- Hashing versus encryption
- Hashing algorithms used in Windows
- Message signing with hashes and encryption
- How hashes are attacked: the "birthday attack"
- Public Key Infrastructure (PKI)
- Public and private keys
- Signing certificates: the web of trust
- PKI examples: SSL and e-mail certificates
- Certificate revocation
- The bad news about Windows and certificate revocation
- Practical Talk About Passwords
Passwords ... those things we'd love to forget about — but can't.
Like it or not, the fact is that the best-crafted security in the world
can always be beaten by lousy passwords. But
everyone wants to pick passwords that are easy to remember and,
well, "easy to remember" is usually equivalent to "easy to guess."
In this section, we introduce the topic of passwords and get ready in
the following sections to see how they're stored and ultimately how to
make them as secure in a practical sense as is possible.
- Complex or simple?
- Passwords as a carbon-based rather than a silicon-based problem
- Common sense about how often passwords should be changed
- Using — or not using — account lockouts
- Passwords II: How They Get Attacked
We're going to work on picking the best passwords soon. But no
matter how good your passwords are, the
bad guys can still get to your passwords in other ways — but only if you let
them. A bit of backward compatibility built into every version of
Windows, even 2003, makes it easy for the insider criminals to figure
out passwords. Learn in this section to separate the reality from
the hysteria about password crackers and what to do about them.
- The four ways to steal a password — and technology can only
help with two of them
- How Windows has stored passwords over the years
- Windows' greatest "security hole:" backward compatibility
- Storage internals: LM hashes and NTLM hashes
- Getting to the hash
- System keys, machine keys and syskey
- Un-hashing the hash to get your passwords
- LM's special weakness
- Attacking NTLM hashes
- Brute force on modern PCs
- Pre-computing: the "rainbow attack"
- Why are these lame technologies in Windows today?
- Passwords III: Protecting Them
Armed with what we've learned in the past two sections and with a bit of
common sense, we can see how to keep the weasels from getting our passwords.
- Kill LM hashes
- Making NTLM hashes harder to un-hash
- Passphrases instead of passwords
- Passphrases versus the bad guys: are they really less secure?
- Getting Windows to allow a 15+ character minimum
- Advice on choosing passwords
- Logins Revealed... and Secured
Every day we log onto our Windows machines. But what really happens
when we do? How do our workstations and domain controllers exchange logon
information without revealing our passwords? And why are they so gosh-darn
many kinds of logins in the Windows world — LM, NTLM, NTLMv2, Kerberos?
Building on what we've learned so far, you'll see what happens under the ol'
logon hood... and why you need to bolt down some of those options.
- The basic problem: passing passwords without actually passing
- Challenge mechanisms
- Session keys
- LM and NTLM authentication methods
- LM and NTLM problems and NTLMv2 answers
- How NTLMv2 logons work
- Configuring your systems for NTLMv2... even if you have Active Directory
- How your system chooses between the methods (you'll be surprised)
- Kerberos in Active Directory
- Goal: hook up users and services in a "session"
- Kerberos terminology: UPNs, SPNs, KDCs, TGS, TGT, AS and more
- Using the AS (Authentication Service) for initial logon
- How Kerberos tickets work
- Using the TGS (Ticket Granting Service) to connect to resources
- Kerberos theory and Microsoft practice
- When Kerberos is and isn't used in AD
- Configuring Kerberos with group policy settings
- Troubleshooting Kerberos failures
- Kerberos tools
- Securing the "secure channel" — signing and optionally encrypting DC/client
- Limiting Strangers: Understanding Anonymous Logins or the "Null Session"
Anonymous? Isn't that just an FTP thing? No, believe it
or not, the "secure" NT family has a back door — the null
session. Just about anyone can walk up to your system and,
provided port 139's available, that person can discover a fair amount of
things about that system. But you don't have to welcome the
anonymous. This section explains what null sessions are, why they
exist, and when you can disable or limit them.
- How anonymous or null sessions happen
- What the anonymous can see
- Disabling anonymous (it's not just a Registry entry!)
- Demonstrating a null session
- Securing File Sharing: De-hacking SMB/CIFS
Modern Windows supports dozens of network services, but the very first one
was file and print sharing. It's so old that it's woven into the operating
system unlike any other service. (Try disabling the Server service; you'll
lose most of your remote administration tools.) Its ubiquitous nature has
made SMB/CIFS, the techie name for the file server service, a favorite point of
attack for hackers. Learn how to defend your systems from these attacks in
- Introducing SMB and CIFS
- Hacking SMB with a "reflection attack"
- Other man-in-the-middle vulnerabilities
- The answer: SMB signing
- SMB signing as an "alcoholic's anonymous" protocol: how negotiation
- Enabling SMB signing on Win 9x, NT, 2000, XP Pro, 2003
- Protecting Laptop Files: the Encrypting File System (EFS) Without Tears
One way to keep the bad guys from getting to your data is by
encrypting it, as Windows' Encrypting File System can do. But
without a bit of preparation, EFS can ensure that not only do the bad
guys not get to your data — you can't get to it either! In
this section, you'll learn how EFS works and what to do to ensure that
you'll be able to snatch back your data in the event of memory failure
on either your part or the computer's.
- How EFS works: its keys, how they're encrypted, and where
- How EFS might not work: possible failure modes
- EFS problems and solutions
- Protecting yourself from EFS: four methods
- Installing data recovery agents or using domain-based recovery
- Backing up an EFS certificate and restoring it
- Disabling EFS with group policies or Registry settings
- Re-installing an old password
- E-Spackle: Sealing The Cracks
Is your system secure today? Great — but what about
tomorrow? Many times the way that the bad guys get you is through
a loose end, some bit of maintenance that doesn't get done. This
section shows you how to take the "scissors" to those loose ends.
And we start with one of Windows' biggest loose ends — the
- Getting rid of "Administrator"
- What to do with local Administrator accounts on
workstations: maybe setting the local Administrator account's
password to the same value on 300 workstations isn't such a good idea!
- Reducing Administrator's power
- XP and 2003: eliminating Administrator
- Spending most of your day as a user: Runas review and
tricks... and limitations
- Cleaning up dead accounts
- Policing share permissions
- Auditing logon scripts
- Watching The Store: Using Auditing
The Bad Thing happens and someone's attacked your system. How'd
it happen? Whodunnit? What can we do to ensure that it
doesn't happen again? Ever since NT 3.1, NT's had the ability to
record audit trails that let you watch who's trying to get at your
protected stuff. Imagine a thief was rattling your doorknobs
looking for an open door; it's a frightening scenario, but consider
how much more frightening it'd be if you couldn't hear! Audit
tools are your "hearing aids," this section shows you how to make them a
good fit. And if you've been wise enough to install 2003 SP1 or XP Pro
SP2 then you'll be able to employ a nice tool to keep the Security log
slim called "per-user auditing."
- How auditing works
- What to audit and what not to audit
- Now that you've got 'em, what to do with 'em? Time-efficient
methods for managing and using audit logs
- Microsoft's Audit Control Service (ACS), a security log
- The foxes and the henhouse: auditing audit logs
- Figuring out logs — event IDs
- Keeping the security log smaller: per-user auditing
- Largely undocumented SP2/SP1 feature
- Command-line syntax
- Sample output
- Hardening Ports In XP and 2003: Understanding Windows Firewall
When XP and 2003 first appeared, they included a firewall that seemed kind of
lame but innocuous, as it was disabled by default. But when you
install XP's service pack 2 then you'll
discover that the Windows Firewall (WF) is enabled, whether you
like it or not. While it takes a little getting used to, it can be
a real security enhancement; it may even make sense to run it on some
Windows 2003 servers (after installing SP1). This section shows
you how to get the most out of WF, with the least effort.
- How Windows Firewall works
- Inbound traffic only
- Stateful packet inspection
- Enabled before the stack starts
- Two personalities: the domain profile and the mobile profile
- Enabling WF: pro and con
- Firewalls and mobile computers
- Firewalls inside an intranet?
- Considerations for those leaving WF on inside a firewall
- Configuring WF nuts and bolts: the command line
- Configuring WF nuts and bolts: group policies
- Opening ports the minimalist way
- Using WF's IPsec bypass
- Getting WF to behave differently inside and outside the company buildings
Hardening Ports Under 2000: IPsec
If you've got 2000 systems in your network, then you might wish that
you had a software firewall like WF... but unfortunately WF doesn't
come with 2000 and there's no way to add it. You could, of
course, spend money on a third-party personal firewall, but you might
alternatively want to exploit a less-understood gem built into 2000,
IPsec. This section acquaints you with IPsec's port blocking
features and suggests how you might create your own software firewall
with nothing more expensive than a batch file!
- What is IPsec?
- Policies = one or more rules
- Rules = Filters + Actions + Authentication
- Authentication = shared password, Kerberos, PKI
- Filters explained
- Actions = block, pass, sign, encrypt
- How to configure IPsec
- With group policies
- From the command line
- Suggestions for using IPsec
- Examples: see how to do it, step by step
Go Forth and SYN No More: Hardening TCP/IP
The Internet's lingua franca, TCP/IP, is a pretty good way of
getting data from here to there reliably. But TCP/IP's protocols
assume a certain amount of rational cooperation on both sides.
Unfortunately criminals can exploit that assumption to attack
workstations and servers and render them incapable of networking or even
functioning. See how to avert this in this section.
- The three-way handshake
- Exploiting good will with a SYN attack
- SYN floods, Smurf attacks and the like
- Spoofing IPs: what to worry about and what not to worry
- Fixes to ward off SYN/Smurf attacks
Hardening Programs I: Blocking Bad Programs With Software Restrictions
Next, we move to a series of sections about hardening particular programs,
and we'll start by seeing how to "harden" some programs by keeping them from
running on our systems altogether! The first technology to help with that
is XP and 2003's built-in Software Restrictions Policy feature.
- How Software Restrictions works
- Specifying particular applications
- Making the new SR policy take effect
- What to do when you've locked yourself out
- Suggestions for using SR to help secure your system
Hardening Programs II: Blocking Those Evil ActiveX Controls
While it may not be an actual operating system, Internet Explorer
sure acts like one, as it hosts its own special kinds of programs
(ActiveX controls, in-browser client-side scripts, and Browser Helper Objects —
BHOs, those irritating spyware things) and even has a way to automatically start
them up at run-time. (Surely when we say "Gator," you don't always think
of large reptiles.) Want to learn how to use a neat SP1/SP2 feature to
block these guys through group policies? You will in this section.
- How the SP1/SP2 "add-on control" feature works
- Creating a "whitelist" of approved ActiveX/BHO apps
- Creating a "blacklist" of forbidden ActiveX/BHO apps
Hardening Programs III: Securing Services
One of Windows' most wondered-about and least understood aspects
are its services, those programs that run either with or without you and
that seem to provide so much angst for a network's defenders. This
section outlines a three-step process to shore up your services,
offering clear advice on how to reduce the chance that a bad guy will
crawl into your system through one of your services.
- Eliminating unnecessary services: what can you turn off to make your system faster, less RAM-intensive, and a smaller target?
- Restricting the power of existing services: if you have to have them, limit the damage they could do
- Using permissions to further restrict a service's power
- Tips on securing IIS
Windows Server 2003's Security Expert: Security Configuration Wizard
2003 SP1 shipped with a powerful security advisor called the Security Configuration Wizard. While simple to run, it's an expert program hardening tool. It's got a lot of power and deserves a place in your toolbelt. This section explains what it does and how to get the most out of it.
Hardening Programs IV: Securing Programs Against SQL
Many of our organizations build and run Web-based
applications built atop SQL database engines, as it's become so easy to
do it. But many SQL-based Web apps are ticking time bombs because
of a class of attacks called "SQL injection" attacks, which can quite
easily give an attacker complete control of a Web server. There is
not, nor will there ever be, a patch for this — this is something
you've got to check into on your own systems. Preferably before an
- What is SQL injection?
- Example SQL injection attack
- Hardening systems against SQL injection
Hardening Programs V: Patch Management With SUS
The SUS client — Windows Update
- The role of patching in securing your network, and the role of testing patches in securing your network
- Software Update Services
- What SUS does and what it requires
- Getting the SUS code
- Installing SUS
- Setting up the server
- Maintaining the server
- Watching client updates
- Do you need an updated SUS client?
- Configuring the SUS client via the Registry and group policies
- Understanding detection, download, installation and reboot phases
- Tracking the SUS client's behavior
- SUS limitations and workarounds
- SUS troubleshooting
- WSUS changes to SUS
The Ultimate User Protection: Training
Finally, we move into our final sections, on hardening people, with some simple training and processes. Yes, everyone talks as if users were untrainable, but that's not a
useful strategy, and here's why: apathetic or antagonistic users can always, always, always beat really, really, really good security. Here are a few simple, logical, and proven ways to make
users your first line of defense, instead of your fifth column.
Okay, you've done a good job keeping the moats full (of both water and alligators), the portcullis shiny and deployed, and the boiling oil vats full and ... well ... boiling. But then
something happens anyway. Perhaps a particularly clever enemy sneaks by your defenses in the guise of a friend, or random fate deals you an earthquake. Once we're past the "omigod, this is a mess!"
phase — and we have to get past it quickly, as people depend on us and what we do — then it's time to rebuild. And that's easier with a blueprint. Disaster recovery (DR) plans are those
blueprints. No one likes to talk about the scenario wherein the mail servers have gone quiet and provide nothing more than smoke, but
those scenarios can happen. This section discusses the genesis,care and feeding of DR plans.
- What a DR plan can do
- What DR plans look like
- Testing your DR plan
- The DR plan that works under stress: scripts
We techies tend to think of problems and solutions as virtual in
nature. Someone might attack us on port X at address Y via a bug
in program Z — all virtual notions — and we defend ourselves with
better passwords, good patching practices, or perhaps a firewall:
more virtual notions. But if I can get into the room where you
keep your domain controllers — that is, get physically close to
those systems — then I don't need a password to attack your systems,
just a screwdriver or a pry bar. This section offers some very
simple common sense on protecting your systems from physical
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture format.
Arranging a Course At Your
We offer this class as a public seminar about a half-dozen times a
year; you can view the current schedule www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs.
Please contact our office at (757) 426-1431 between 12 Noon-5 Eastern
time or email Assistant@Minasi.com to discuss
scheduling and fees.