SANS SEC505 GCWN Securing Windows PowerShell Automation
 
The GIAC Certified Windows System Administrator (GCWN) certification validates professionals' proficiency in securing Microsoft Windows clients and servers. GCWN-certified individuals possess the knowledge and expertise to configure and manage the security of Microsoft operating systems and applications. This includes skills in PKI, IPSec, Group Policy, AppLocker, PowerShell, and fortifying Windows against malware and persistent adversaries.

Key Areas Covered in GCWN Certification:

- Securing PowerShell
- Implementing Zero Trust multifactor authentication
- Enhancing Windows endpoint protection
- Hardening operating systems and applications
- Managing PKI
- Mitigating administrative compromise risks

In SEC505, participants will acquire skills to:

- Develop PowerShell scripts for Windows and Active Directory security automation
- Execute PowerShell scripts safely across numerous network hosts
- Defend against PowerShell-based malware like ransomware
- Fortify Windows Server and Windows 10/11 against sophisticated attacks

The course focuses on leveraging PowerShell to secure Windows against threats outlined in the MITRE ATT&CK matrix. It notably addresses issues like compromised administrative credentials, ransomware, lateral movement within LAN, and vulnerabilities in Windows protocols like RDP and SMB.

Upon completion, participants will be equipped to create PowerShell scripts to enhance the security posture of their Windows environments. The course emphasizes the practical automation of security measures across large-scale deployments and remote systems.

Learning PowerShell adds value to one's skill set and enhances job security as organizations increasingly seek IT professionals with PowerShell proficiency. The course provides a comprehensive understanding of PowerShell's role in managing security and its significance as a career booster in the Windows IT domain.

Key Highlights of the Course Topics:

- PowerShell scripting for Windows Management Instrumentation (WMI)
- Remote command execution using PowerShell
- Integration of PowerShell Core with OpenSSH
- Implementing PowerShell Just Enough Admin (JEA)
- Active Directory management through PowerShell scripts
- Configuring certificate authentication with PowerShell (e.g., YubiKeys)
- Strengthening TLS, RDP, and SMB protocols with PowerShell
- Addressing PowerShell malware and LAN lateral movement

After completing the course, participants will be able to:

- Develop PowerShell scripts for security automation tasks
- Execute PowerShell scripts remotely
- Enhance PowerShell security and enable transcription logging
- Utilize PowerShell for WMI-based remote command execution and event log surveillance
- Implement administrative privilege management strategies using Group Policy and PowerShell
- Employ Windows Firewall, IPsec, and other measures to thwart lateral movement by attackers and ransomware
- Implement AppLocker and other Windows OS hardening techniques at scale using PowerShell
- Configure PowerShell remoting with JEA policies to establish privilege control akin to Linux sudo and setuid root
- Mitigate pass-the-hash attacks, Kerberos Golden Tickets, RDP man-in-the-middle attacks, and other threats using PowerShell-driven countermeasures
- Establish and manage a comprehensive Windows PKI, including smart cards, certificate auto-enrollment, OCSP web responders, and detection of spoofed root CAs
- Strengthen critical protocols against exploitation, such as SSL, RDP, DNS, PowerShell Remoting, and SMB

Course Components:

- SEC505 Securing Windows and PowerShell Automation, GCWN Course
- Courseware

PDF Guides:

- Windows PowerShell Action
- Learn Windows PowerShell In A Month Of Lunches