Masterclass AD Security Base SADDD-L1

Masterclass Active Directory Security (AD3) - SADDD-L1 - Review of best practices for installing domain controllers from 20 years of experience as an ADDS senior consultant - Homegrown security issues in Active Directory (Understanding Kerberos, NTLM vs. Kerberos, SMB: SMB versions/attack scenarios/secure use of SMB, PAC_Validation and the problems with Microsoft's implementation of Kerberos - in detail, PTH - Pass the Hash - including live attack with all participants, Silver Ticket, Golden Ticket, Skeleton Key - Kerberos Ticket Service (Understanding Kerberos, Changing Kerberos passwords: Why and how..., changing Kerberos passwords: The silver bullet) - Preventing credential theft - A deep dive: Attack Scenario (Pass-the-Hash, Silver-Ticket, GoldenTicket, Skeleton-Key) and Prevent Credential Thefting (Configure Windows Defender Credential Guard, Deploy Windows Defender Remote Credential Guard Bitlocker, Deploy Windows Defender Device Guard, Deploy AppLocker, Deploy Windows Defender Application Guard). - Understand concepts: Run tier models, Red Forest/Golden Forest/Bastion Forests, highly secure single-domain model - Clean installation source (Hash values that verify *.iso files, Fciv.exe, Powershell, 7zip and IgorHasher) - Setting up the first domain controller: understanding ms-ds-machineaccountquota, using redircmp for new computer systems, using redirusr for new users, Bitlocker and TPM 1.2 vs 2. 0, Bitlocker and PreBoot authentication, AppLocker, monitoring (AD-Audit-Plus, CyberArk), secure backup and recovery of Bitlocker-protected backup volumes, firewalling on domain controllers, configuring IPSEC with RDP, hardening domain controllers according to Center of Internet Security, gpPack& PaT, SIM, LDA, Microsoft tools - Setting up other domain controllers - Secure deployment of domain controllers, member servers and clients via MDT (installation and configuration of highly secure MDT, hardening of MDT servers, rollout of highly secure member servers and clients) - Operating domain controllers securely via IPSEC (configuring and using IPSEC, IPSEC monitoring via MMC) - Set up a PKI server as an internal trusted ROOT CA, configure PKI, activate automatic certificate deployment via group policies, enrolment of non-standard certificates, harden the PKI according to Center of Internet Security, gpPack & PaT, SIM, LDA, Microsoft tools - Jump server and Privileged Access Workstation (PAW) - understanding and implementing concepts, set up and configure jump servers (RSAT installation, install ADMIN Center with a valid Trusted-Root-PKI certificate, Bitlocker and TPM 1.2 vs 2.0, Bitlocker and preboot authentication, AppLocker, configure IPSEC with RDP, backup jump server on Bitlocker-protected volumes, firewalling on jump servers, jump server hardening according to Center of Internet Security, gpPack& PaT, SIM, LDA, Microsoft tools, set up and configure PAW (Bitlocker, Bitlocker and TPM 1.2 vs 2.0, Bitlocker and preboot authentication, AppLocker, configure IPSEC and RDP, backup PAW on Bitlocker-protected volumes, firewalling on PAWs); Domain controller hardening according to Center of Internet Security/gpPack& PaT/SIM/LDA/Microsoft tools - Security in domain networks (802.1X with (MAC addresses, certificates), MAC flooding on switches (disable hubbing mode, IPSEC with Kerberos and certificates), Windows Defender Advanced Threat Protection (WDATP): Understanding the concept of WDATP, rolling out and monitoring WDATP, WDATP on domain controllers..., WDATP on jump servers and PAWs, WDATP on Windows 10 clients.