Windows Security Course SEC505: Orlando, Florida March 8-13, 2010 (Conference)

Filed under Course SEC505

The SANS Institute’s six-day Securing Windows course (SEC505) will be held again in Orlando, Florida from March 8-13, 2010.  This course also prepares you for the GIAC Certified Windows Administrator (GCWN) certification exam.  See you there!

How To Use BitLocker With Attached VHD Drive Image Files And RAM Disks

Filed under Misc, Windows 7

You can mount a VHD image file as a drive letter and then encrypt the contents of that VHD with BitLocker.  This allows multiple users to share a computer and use BitLocker to keep their files secret from each other.  When a VHD file using BitLocker is backed up or copied to a plaintext USB drive, the VHD file stays encrypted, which is not true of the files on a volume using whole drive encryption.  If you copy the VHD file to a portable drive, the portable drive can stay in plaintext while the contents of the VHD file will be BitLocker-encrypted, which is nice when you need some regular plaintext portable storage too.  You can conveniently mount/unmount VHD drives from within Windows Explorer or from the command line.  The following will show you how to do it.
Requirements
To create a BitLocker VHD drive, you must have Windows 7 [...] Continue Reading…
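The command-line version of the procedure, as an added example (this is not code from the post above, which is truncated here). Windows 7 has no Mount-VHD cmdlet, so the VHD work is done through diskpart scripts, and the encryption through manage-bde.exe. It assumes an elevated PowerShell prompt on an edition that ships BitLocker (Windows 7 Ultimate or Enterprise), that the folder C:\Vaults exists, and that the drive letter V: is free; the file name, size and letter are arbitrary choices for the illustration.

```powershell
# Added example: create a VHD with diskpart, attach it as V:, turn on BitLocker
# with a password protector, verify, then detach it so the .vhd file can be
# copied to plaintext media. Path, size and letter are illustrative choices.
$VhdPath = 'C:\Vaults\secret.vhd'
$Letter  = 'V'
$SizeMB  = 2048

function Invoke-DiskPart([string[]]$Lines) {
    # diskpart does not read commands from a pipe; feed it a script file via /s.
    $script = [System.IO.Path]::GetTempFileName()
    $Lines | Set-Content -Path $script -Encoding ASCII
    try     { & diskpart.exe /s $script }
    finally { Remove-Item $script -Force }
}

# 1) Create a dynamically expanding VHD, attach it, partition, format, assign a letter.
Invoke-DiskPart @(
    "create vdisk file=`"$VhdPath`" maximum=$SizeMB type=expandable",
    "select vdisk file=`"$VhdPath`"",
    "attach vdisk",
    "create partition primary",
    "format fs=ntfs quick label=`"BitLockerVHD`"",
    "assign letter=$Letter"
)

# 2) Turn on BitLocker for the attached volume. -Password makes manage-bde prompt
#    for a passphrase; -RecoveryPassword also generates a 48-digit recovery
#    password and prints it. Record that somewhere other than the VHD itself.
& manage-bde.exe -on "${Letter}:" -Password -RecoveryPassword

# 3) Check before trusting the file as a portable container: the status output
#    must show "Protection On" and 100% encrypted. A VHD copied while encryption
#    is still in progress would carry plaintext sectors with it.
& manage-bde.exe -status "${Letter}:"

# 4) Detach. The data stays encrypted inside the .vhd, so the file itself can now
#    live on, or be copied to, an unencrypted USB drive or backup share.
Invoke-DiskPart @(
    "select vdisk file=`"$VhdPath`"",
    "detach vdisk"
)

# Later, to use it again: attach, then unlock with the password.
# Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "attach vdisk")
# & manage-bde.exe -unlock "${Letter}:" -Password
# ... and lock or detach it again when done, because while it is attached and
# unlocked anyone with administrative rights on the machine can read it:
# & manage-bde.exe -lock "${Letter}:" -ForceDismount
```

Run the status check again after the first unlock on another machine; if the protectors list is empty or "Protection Off", the volume was never actually encrypted and the VHD file offers no protection at all.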

WinDump Color Highlighting PowerShell Script

Filed under PowerShell, Windows 7

WinDump.exe is a free command-line packet sniffer and protocol analyzer for Windows (similar in command-line options to tcpdump for UNIX/Linux).  Staring at the output of WinDump for hours can cause eye strain, especially when sniffing in verbose mode or when showing the output on a projector to an audience.

Sniff.ps1 is a PowerShell script which will colorize the fields of WinDump output and insert zero or more blank lines in between each line of output for readability.  You can download the script free from here; it’s in the public domain.

To have the script simply guess which network adapter to listen on and start sniffing:
.\sniff.ps1
To have the script ask you which network adapter to use:
.\sniff.ps1 -ask
To add one or more blank lines in between each line of output (nice for teaching):
.\sniff.ps1 -spacing 1
To specify additional WinDump command-line options (-options parameter optional) just put the arguments inside double-quotes:
.\sniff.ps1 -options “-v -t -X [...] Continue Reading…
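To show what such a colorizer does underneath, here is an added, much smaller example; it is not the Sniff.ps1 script from this post. It is a pipeline function, so it can be fed either live WinDump output or a saved text capture, and it reproduces the two features described above: per-field colors and a -Spacing option for blank lines between packets. It assumes WinDump's default single-line format ("time proto src > dst: rest"), which the constructed sample lines at the bottom imitate; anything that does not match (verbose continuation lines, -X hex dumps) is printed unchanged in grey.

```powershell
# Added example, not the post's Sniff.ps1: colorize WinDump/tcpdump text output.
function Format-WinDumpLine {
    param(
        [Parameter(ValueFromPipeline = $true)] [string] $Line,
        [int] $Spacing = 0   # blank lines to emit after each packet line
    )
    begin {
        # Matches: time  proto  src  >  dst:  rest   (assumed default WinDump layout)
        $rx = '^(?<time>\S+)\s+(?<proto>IP6?|ARP)\s+(?<src>\S+)\s+>\s+(?<dst>\S+?):?\s(?<rest>.*)$'
    }
    process {
        if ($Line -match $rx) {
            Write-Host $Matches.time             -NoNewline -ForegroundColor DarkGray
            Write-Host " $($Matches.proto) "     -NoNewline -ForegroundColor Yellow
            Write-Host $Matches.src              -NoNewline -ForegroundColor Green
            Write-Host ' > '                     -NoNewline
            Write-Host $Matches.dst              -NoNewline -ForegroundColor Cyan
            $rest = $Matches.rest                # save before the next -match overwrites $Matches
            # TCP flags ([S], [S.], [R.], [F.] ...) stand out in red; the rest keeps the default color.
            if ($rest -match '^(?<pre>.*?)(?<flags>Flags \[[^\]]*\])(?<post>.*)$') {
                Write-Host ": $($Matches.pre)"   -NoNewline
                Write-Host $Matches.flags        -NoNewline -ForegroundColor Red
                Write-Host $Matches.post
            } else {
                Write-Host ": $rest"
            }
        } else {
            # Verbose (-v) detail lines, -X hex dumps, ARP lines etc.: unchanged, in grey.
            Write-Host $Line -ForegroundColor Gray
        }
        for ($i = 0; $i -lt $Spacing; $i++) { Write-Host '' }
    }
}

# Constructed sample lines so the function can be tried without a network adapter:
$sample = @(
    '12:00:01.000123 IP 10.0.0.5.49152 > 192.168.1.1.80: Flags [S], seq 100, win 8192, length 0',
    '12:00:01.000456 IP 192.168.1.1.80 > 10.0.0.5.49152: Flags [S.], seq 200, ack 101, win 65535, length 0',
    '12:00:02.100000 ARP, Request who-has 192.168.1.1 tell 10.0.0.5, length 28'
)
$sample | Format-WinDumpLine -Spacing 1

# Live use. -l makes WinDump line-buffer its output so lines stream into the
# pipeline instead of arriving in 4 KB chunks; -n skips name resolution.
# & WinDump.exe -i 1 -l -n | Format-WinDumpLine -Spacing 1
```

The -l flag matters more than it looks: without it a quiet interface produces nothing on screen for a long time and then a burst, which is exactly the behaviour that makes people think the sniffer is broken when showing it to an audience.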

SANS Report: Top Security Risk for Windows

Filed under Anti-Malware, Course SEC505

A September 2009 report, which consolidates the data gathered by TippingPoint and Qualys from thousands of networks around the world, shows that the number one cyber security risk today for Windows desktops is actually the client applications they run, not Windows itself.  Client applications, such as Microsoft Word, Internet Explorer, Mozilla Firefox, Apple QuickTime and Adobe Acrobat, are now generally more vulnerable to attack than the operating system itself, mainly because these applications are patched less quickly than Windows.  New zero-day exploits, and exploits for known but still unpatched application vulnerabilities, are the main pathways through which attackers gain a foothold inside your network.  But what can be done about it?

As we’ve talked about for years in the Securing Windows course at SANS (SEC505), most of the tools you need to reduce your client application risk can be downloaded for free or are built into Windows and Active Directory for free.  You don’t have to spend a fortune to [...] Continue Reading…

How To Choose The Best Encryption Software For Your Organization

Filed under Misc, Project Management

These are the top 10 questions you should ask yourself and your vendor(s) before choosing a file encryption or whole drive encryption product. 

Whole drive encryption is definitely not the security panacea the vendors make it out to be.  It’s not even a silver bullet for Data Loss Prevention (DLP), the latest buzzword in this field.  The vendors are often not very helpful in guiding you through these issues because they want to sell you something, and the free products might cost a lot more than you think when you include technical support and user training, so keep the following questions in mind as you search for a data encryption solution.
1.) Does The Solution Match Your Threats?
Perform a quick risk analysis and ask yourself exactly what you are trying to prevent.  Disk encryption by itself won’t stop most malware infections, network worms, password sniffing, attacks against listening TCP/UDP ports, malicious [...] Continue Reading…

Blue Team Defender Guide (Capture The Flag Cheat Sheet)

Filed under Blue Team, Course SEC505, Misc

In cyber war games or netwars the Red Team attackers try to hack into (or just kill) the computers of the Blue Team defenders while an automated scorebot keeps track of who is winning.  Sometimes the players also get to play a kind of capture the flag in (un)coordinated groups as they fight to keep or steal user accounts, secret files, listening ports, etc.  These network wargames are great fun and good practice for real life, especially when the adrenaline starts pumping and the yelling starts — or especially when the beer starts pumping and the drinking starts, whichever comes first…

As the instructors of the Blue Team courses at SANS for operating systems, Hal Pomeranz (UNIX/Linux) and I (Windows) put together a one-page cheat sheet guide back in Oct’07 for new Blue Team players at conferences to help them survive the first ten minutes of gameplay without freaking out or immediately getting [...] Continue Reading…

Notepad++ PowerShell Script To Enable Syntax Highlighting and Auto-Completion

Filed under PowerShell

This PowerShell script (download here) will query your system and generate a Notepad++ user language definition file for PowerShell syntax highlighting (userDefineLang.xml) and make an auto-completion file too (PowerShell.xml).  The XML files are built after the script queries your cmdlets, cmdlet parameters, aliases, WMI classes and other things, hence, the XML files are not static.  Re-run the script as necessary to refresh your Notepad++ settings. 

If you don’t have a user-defined language file, the script will create it for you.  If you do have that file already with definitions for other languages, the script will not overwrite the file, it will simply add a new language definition section for PowerShell.  And if you run the script again later, it will only update the PowerShell section of the file.

It’s possible to manually copy XML files to the correct locations on your system to get keyword highlighting and autocompletion, but this is a pain [...] Continue Reading…
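To make the "query your system, then merge into the file" behaviour concrete, here is an added example; it is not the script from this post, which you should download from the link above. It gathers the same kinds of keyword sets (cmdlet names, parameter names, aliases, WMI class names) from the live session and writes only a PowerShell <UserLang> section into userDefineLang.xml, leaving any other languages in that file alone. Two things are assumptions on my part rather than facts from the post: the file location (%APPDATA%\Notepad++) and the element layout (the NotepadPlus/UserLang/KeywordLists/Keywords structure and the styleID numbers of the older, Notepad++ 5.x user-defined-language format). Export a language from your own Notepad++ version and compare before relying on it; the autocompletion file is not covered here.

```powershell
# Added example (not the post's script): generate Notepad++ keyword lists for
# PowerShell from the running session and merge them into userDefineLang.xml.
# ASSUMED: file location and the 5.x-era UserLang XML layout; verify locally.
$UdlPath = Join-Path $env:APPDATA 'Notepad++\userDefineLang.xml'

# Gather keyword sets from this session; that is why the result is not static.
$cmdletInfo = Get-Command -CommandType Cmdlet
$cmdlets = $cmdletInfo | ForEach-Object { $_.Name }
$params  = $cmdletInfo | ForEach-Object { $_.Parameters.Keys } |
           Sort-Object -Unique | ForEach-Object { "-$_" }
$aliases = Get-Alias | ForEach-Object { $_.Name }
$wmi     = Get-WmiObject -List -Namespace root\cimv2 | ForEach-Object { $_.Name }

$keywords = @{
    Words1 = ($cmdlets -join ' ')
    Words2 = ($params  -join ' ')
    Words3 = ($aliases -join ' ')
    Words4 = ($wmi     -join ' ')
}

# Load the existing file, or start a skeleton if there is none.
if (Test-Path $UdlPath) { [xml]$doc = Get-Content $UdlPath }
else                    { [xml]$doc = '<NotepadPlus></NotepadPlus>' }
# Use DocumentElement: PowerShell presents a childless <NotepadPlus/> as a string,
# not an XmlElement, so $doc.NotepadPlus.AppendChild would fail on a fresh file.
$root = $doc.DocumentElement

# Replace only the PowerShell section; other <UserLang> nodes are untouched.
$old = $root.SelectSingleNode("UserLang[@name='PowerShell']")
if ($old) { [void]$root.RemoveChild($old) }

$lang = $doc.CreateElement('UserLang')
$lang.SetAttribute('name', 'PowerShell')
$lang.SetAttribute('ext',  'ps1 psm1 psd1')

$settings = $doc.CreateElement('Settings')
$global   = $doc.CreateElement('Global'); $global.SetAttribute('caseIgnored', 'yes')
[void]$settings.AppendChild($global)
[void]$lang.AppendChild($settings)

$lists = $doc.CreateElement('KeywordLists')
# UDL comment syntax (assumed): 0 = line-comment marker, 1/2 = block comment open/close.
foreach ($pair in @(@('Comment', '0# 1<# 2#>'), @('Folder+', '{'), @('Folder-', '}'))) {
    $k = $doc.CreateElement('Keywords'); $k.SetAttribute('name', $pair[0])
    $k.InnerText = $pair[1]; [void]$lists.AppendChild($k)
}
foreach ($name in 'Words1', 'Words2', 'Words3', 'Words4') {
    $k = $doc.CreateElement('Keywords'); $k.SetAttribute('name', $name)
    $k.InnerText = $keywords[$name]; [void]$lists.AppendChild($k)
}
[void]$lang.AppendChild($lists)

$styles = $doc.CreateElement('Styles')
# styleID 5..8 are KEYWORD1..KEYWORD4 in the assumed layout; colors are arbitrary.
$styleMap = @{ 5 = '0000FF'; 6 = '008080'; 7 = '800080'; 8 = '808000' }
foreach ($id in $styleMap.Keys) {
    $s = $doc.CreateElement('WordsStyle')
    $s.SetAttribute('name', "KEYWORD$($id - 4)"); $s.SetAttribute('styleID', "$id")
    $s.SetAttribute('fgColor', $styleMap[$id]);   $s.SetAttribute('bgColor', 'FFFFFF')
    $s.SetAttribute('fontStyle', '0')
    [void]$styles.AppendChild($s)
}
[void]$lang.AppendChild($styles)
[void]$root.AppendChild($lang)

$doc.Save($UdlPath)
"Wrote $($cmdlets.Count) cmdlets, $($params.Count) parameters, $($aliases.Count) aliases, $($wmi.Count) WMI classes to $UdlPath"
```

Back the file up before the first run: the remove-then-append logic only touches the node whose name attribute is exactly "PowerShell", but if Notepad++ is open while the file is rewritten it may save its own in-memory copy over yours on exit.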

Practical Risk Analysis and Threat Modeling Spreadsheet

Filed under Project Management

[Download the spreadsheet for this article here or from the Downloads page.]

Learning to see your network through the eyes of your adversaries is an important part of the risk analysis and hardening process. Risk analysis involves identifying what you care about and the threats to these assets; hardening is about how to protect those assets.

A risk analysis and hardening process can range in character from the highly formalized (acronym soup, pseudo-mathematical formulas) to the very casual and informal (just a group of techs talking about “cool hacks” over beers and how they should “do something” about it). Practical risk analysis and hardening lies somewhere in between these two extremes.

Something near the middle of these two extremes, but tending toward the formal side, might be Microsoft’s whitepaper “Improving Web Application Security: Threats and Countermeasures”, and something near the middle, but more on the informal apply-some-commonsense side, might be Bruce Schneier’s [...] Continue Reading…

Windows 7 and IE8 CIS Security Baselines

Filed under CIS, Windows 7

[From Blake Frantz at the Center for Internet Security (CIS)]

The Center for Internet Security (CIS) and Microsoft are collaborating on security baselines for Windows 7 and Internet Explorer 8.  On July 13, 2009, beta versions of these baselines will be available for review from the Microsoft Connect site. On August 5, 2009, Microsoft will host a Live Meeting session to discuss these security baselines and gather feedback from the CIS Community – and you’re invited! This is a great opportunity to get answers to your Internet Explorer 8 and Windows 7 security questions, get a head start on defining your organization’s configuration standards for these technologies, and contribute your expertise to the community.

Here’s what you need to do to get involved:

1) Join the Microsoft Connect Beta program for the Windows 7 and Internet Explorer 8 security baseline project by following this invitation link.  (Please note: You will need a [...] Continue Reading…

SANS Consensus Audit Guidelines (CAG) 20 Critical Security Controls for Windows

Filed under Course SEC505

The SANS Institute is a partner in the Consensus Audit Guidelines (CAG) project to define the 20 critical security controls most important for network security.  The project defines high-level recommendations, but these recommendations cannot describe in detail, of course, how to implement them in every environment, because every environment is different.  The fact of the matter, though, is that most environments run Windows, and most of these Windows machines are joined to Active Directory domains; that’s just the way it is.

This blog is also about the Securing Windows course (SEC505) at SANS, so the questions for this article are:  “How does the Securing Windows course map onto the 20 critical controls?  How well does it prepare one to implement the 20 controls in a Microsoft shop?”  You won’t be surprised to hear, of course, that the answer is “Very Nicely”, but there are gaps and I’ll point them out [...] Continue Reading…