Windows Internals - Security and Infrastructure Management

Kursmaterialet är på engelska, med detta innehåll:

Windows Internals & System Architecture

• Introduction to the Windows Client and Server security concepts
• Architecture overview and terms
• Key System Components
• Advanced Local Procedure Call
• Information gathering techniques

Process and Thread Management

• Process and thread internals
• Protected processes
• Process priority management
• Examining Thread Activity
• Process and thread monitoring and troubleshooting techniques (advanced usage of Process Explorer, Process Monitor, and other tools)

System Security Mechanisms

• Integrity Levels
• Session Zero
• Privileges, permissions and rights
• Passwords security (techniques for getting and cracking passwords)
• Registry Internals
• Monitoring Registry Activity
• Driver signing (Windows Driver Foundation)
• User Account Control Virtualization
• System Accounts and their functions
• Boot configuration
• Services architecture
• Access tokens
• Biometric framework for user authentication

Debugging & Auditing

• Available debuggers
• Working with symbols
• Windows Global Flags
• Process debugging
• Kernel-mode debugging
• User-mode debugging
• Setting up kernel debugging with a virtual machine as the target
• Debugging the boot process
• Crash dump analysis
• Direct Kernel Object Manipulation
• Finding hidden processes
• Rootkit Detection

Memory Analysis

• Memory acquisition techniques
• Finding data and activities in memory
• Step-by-step memory analysis techniques
• Tools and techniques to perform memory forensic

Storage Management

• Securing and monitoring Files and Folders
• Protecting Shared Files and Folders by Using Shadow Copies
• Implementing Storage Spaces
• Implementing iSCSI
• Implementing FSRM, managing Quotas, File Screens, and Storage Reports
• Implementing Classification and File Management Tasks, Dynamic Access Control
• Configuring and troubleshooting Distributed File System

Startup and Shutdown

• Boot Process overview
• BIOS Boot Sector and Bootmgr vs. the UEFI Boot Process
• Booting from iSCSI
• Smss, Csrss, and Wininit
• Last Known Good configuration
• Safe Mode capabilities
• Windows Recovery Environment (WinRE)
• Troubleshooting Boot and Startup Problems

Infrastructure Security Solutions

• Windows Server Core Improvements in later Windows Server versions
• AppLocker implementation scenarios
• Advanced BitLocker implementation techniques (provisioning, Standard User Rights and Network Unlock﴿
• Advanced Security Configuration Wizard
• IPSec
• Advanced GPO Management
• Practicing Diagnostic and Recovery Toolkit
• Tools

Layered Network Services

• Network sniffing techniques
• Fingerprinting techniques
• Enumeration techniques
• Networking Services Security (DNS, DHCP, SNMP, SMTP and other)
• Direct Access
• High Availability features: cluster improvements and SMB ﴾Scale – Out
• File Server)
• Network Load Balancing

Monitoring and Event Tracing

• Windows Diagnostic Infrastructure
• Building auditing
• Expression‐based audit policies
• Logging Activity for Accounts and processes
• Auditing tools, techniques and improvements
• Auditing removable storage devices

Points of Entry Analysis

• Offline access
• Kali Linux /other tools vs. Windows Security
• Unpatched Windows and assigned attacks
• Domain Controller attacks
• Man‐in‐the Middle attacks
• Services security