SANS – SEC401 Security Essentials Day – 5

Security 401.5 – Windows Security

Can’t help but notice the ice cream bar on my post? Well, day 5 is ice cream day! Instead of your usual sugary snacks, you get to line up for ice cream during one of the breaks. And yes, you get a choice of a Magnum and a few other not so memorable flavours.

Day 5 also happens to be one of the sweeter days, in which we go through Windows Security, a topic that most of us should have some exposure to. The class starts off with a bit of background and an introduction to the different Windows OSes and their evolution up to Windows Server 2012.


SIDs are unique IDs assigned to users, computers and groups. SATs are security access tokens that contain a set of SIDs and are attached to the processes that you launch. And AD is just a big database full of SIDs. This is basically the framework for enforcing permissions in Windows.

Another important topic discussed is NTLM and Kerberos, the Windows authentication protocols, and how NTLM is susceptible to sniff and crack attacks using Cain. Trusts and forests were also briefly discussed in this module.

Patch Tuesday and Exploit Wednesday

Patching is once again the key to success in any organization’s security policy. Especially for Windows: Windows Update, WSUS and SCCM, hotfixes and service packs should be no stranger to any IT pro. Windows backups are also a no-brainer for any organization that’s serious about disaster recovery and security. So what’s up with Patch Tuesday? Well, Microsoft used to schedule Tuesdays as the day on which they released the accumulated fixes for their OSes. These fixes get reverse engineered, and in some cases new exploits appear as soon as the following Wednesday, coining the term Exploit Wednesday. With zero days and the way security has evolved over the years, Microsoft now releases critical updates as soon as they appear, making it patch “anyday”.

Shares vs NTFS permissions

Next, we talk about shares and NTFS permissions. This has long been one of the areas I have not really figured out until today. Permissions on shares are separate from the NTFS permissions. Because of their limited control, people often open up the shares entirely and rely on NTFS permissions to secure the contents.
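
One way to check for the pattern described above, as an added example (not from this post or the course material): over the network a user gets the more restrictive of the share and NTFS permissions, so a share opened to Everyone is only as tight as the NTFS ACL on its folder. The script uses the built-in SmbShare cmdlets and `Get-Acl`; the English group names in `$broad` are an assumption.

```powershell
# Added example: find local SMB shares opened up at the share level and show
# the NTFS entries that are left to protect them.
# Needs the SmbShare module (Windows 8 / Server 2012 or later), run elevated.
# Assumption: English group names; adjust $broad on localized systems.
$broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData

$report = foreach ($share in Get-SmbShare -Special $false | Where-Object { $_.Path }) {
    # Share-level ACL: Allow entries giving Full or Change to a broad group
    $open = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in 'Full', 'Change' -and
        $_.AccountName -in $broad
    }
    if (-not $open) { continue }

    # NTFS ACL on the share root: Allow entries that let the same groups write
    $ntfsWrite = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $broad -and
        ([int]$_.FileSystemRights -band $writeBit) -ne 0
    }

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        ShareGrants  = ($open | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsWritable = ($ntfsWrite | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        # Share wide open plus a broad NTFS write entry: no layer restricts writes
        Exposed      = [bool]$ntfsWrite
    }
}

$report | Sort-Object Exposed -Descending | Format-Table -AutoSize -Wrap
```

Rows with `Exposed` set to `True` are the shares where neither layer limits writes for a broad group; the rest are open at the share level but still restricted by NTFS.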


One of the key areas this module covers is Windows’ infamous User Access Control (UAC), that annoying popup asking for elevated privileges, and why you should NOT disable it. Little do you know that MIC labeling is also implemented in IE’s protected mode.

Windows network security, GPOs, IPSec, IIS and RDP are also touched on in this section as well as SCA and MSAT – Microsoft Security Assessment Tool, used in assessing your Windows Security posture.

The last section of this class covers forensics and automation tools, which gives us some idea of how to perform forensics on a Windows system after a security incident and how to prepare yourself for an eventual security event.


Lab 5 covers two of Microsoft’s own security tools: the SCA – Security Configuration Assessment tool and the BSA – Baseline Security Analyzer. A third tool, the CIS scoring tool created by CIS – Center of Internet Security, is also introduced as a third-party tool that’s popular for assessing how secure your Windows installation is.


About the Author

Alfred Tong
Author and owner of this blog. A Networking enthusiast, full time networking and systems Engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV