GCWN
The GCWN certification validates expertise in Windows security architecture, AD hardening, Group Policy, credential protection, and PowerShell security, enabling administrators to safeguard enterprise Windows environments.
Who Should Take This
GCWN is intended for system administrators and security engineers with at least two years of Windows administration experience who are familiar with networking and basic security concepts, manage Active Directory, and want to deepen their ability to implement robust hardening and credential defenses.
What's Covered
1. Windows Security Architecture
2. Active Directory Security
3. Group Policy Security Hardening
4. Windows Credential Protection
5. PowerShell Security
6. Windows Patch Management
7. Windows Logging and Monitoring
Course Outline
63 learning goals
1. Windows Security Architecture (2 topics)
Windows Security Subsystems
- Identify the core Windows security subsystem components including the Security Reference Monitor, Local Security Authority, Security Accounts Manager, and Security Support Providers, and describe their roles in authentication and authorization.
- Describe the Windows access token architecture including security identifiers, privileges, integrity levels, and mandatory integrity control, and explain how they enforce access decisions across processes and objects.
- Implement Windows service account hardening by configuring managed service accounts, group managed service accounts, and service account permissions following the principle of least privilege for enterprise services.
- Analyze Windows security descriptor configurations on files, registry keys, and services to identify overly permissive access control entries and assess the risk of privilege escalation through insecure object permissions.
Windows Network Security
- Describe the Windows Filtering Platform and Windows Firewall with Advanced Security architecture, and identify how inbound rules, outbound rules, connection security rules, and firewall profiles control network traffic.
- Configure Windows Firewall rules using Group Policy to enforce network segmentation, restrict lateral movement between workstation subnets, and allow only required service communications on domain-joined endpoints.
- Implement IPsec connection security rules to authenticate and encrypt server-to-server communications, enforce domain isolation policies, and protect sensitive administrative traffic within the enterprise network.
- Evaluate the effectiveness of Windows host-based firewall policies by analyzing blocked connection logs, identifying unnecessary open ports, and assessing the security impact of firewall exceptions on endpoint attack surface.
2. Active Directory Security (3 topics)
Active Directory Architecture and Trusts
- Describe Active Directory logical and physical architecture including forests, domains, organizational units, sites, and trust relationships, and explain how each component affects security boundary enforcement.
- Identify the security implications of different Active Directory trust types including forest trusts, external trusts, and shortcut trusts, and describe how SID filtering and selective authentication control cross-trust access.
- Implement organizational unit design and delegation of administration that separates privileged account containers, enforces administrative boundaries, and supports tiered access model deployment across the Active Directory forest.
- Analyze Active Directory trust configurations to identify excessive trust relationships, evaluate SID history abuse risks, and assess whether trust architectures align with the organization's security boundary requirements.
Active Directory Hardening
- Describe the tiered administration model with Tier 0 for domain controllers, Tier 1 for servers, and Tier 2 for workstations, and explain how administrative credential isolation between tiers prevents lateral movement.
- Implement privileged access workstation deployment with hardware security requirements, restricted network access, and dedicated administrative jump servers for Tier 0 management tasks.
- Configure Protected Users security group membership, authentication policy silos, and authentication policies to restrict where and how privileged accounts can authenticate within the domain.
- Implement AdminSDHolder and Security Descriptor Propagation monitoring to detect unauthorized modifications to protected group permissions and establish alerting for changes to critical Active Directory objects.
- Evaluate an Active Directory environment's adherence to the tiered administration model by auditing administrative group memberships, logon restrictions, and credential exposure to identify tier violation risks.
Domain Controller Security
- List the critical domain controller security configurations including LDAP signing, LDAP channel binding, SMB signing, and secure LDAP, and describe their role in preventing man-in-the-middle and relay attacks.
- Configure domain controller hardening settings including NTDS.dit protection, DSRM password management, DC firewall rules, and Read-Only Domain Controller deployment for branch office scenarios.
- Assess domain controller security posture by evaluating replication topology security, DNS server hardening, and physical security controls, and identify configuration weaknesses that could enable domain compromise.
3. Group Policy Security Hardening (3 topics)
Group Policy Architecture and Management
- Describe Group Policy processing order including local, site, domain, and organizational unit policies, and explain how inheritance, enforcement, blocking, and security filtering determine effective policy application.
- Implement Group Policy Object design that separates security baseline settings, application-specific configurations, and user environment policies into distinct GPOs with appropriate OU targeting and WMI filtering.
- Evaluate Group Policy effective settings on target computers using resultant set of policy tools to identify conflicting policies, unintended overrides, and gaps between intended and applied security configurations.
Security Baseline Configuration
- Identify the Microsoft Security Compliance Toolkit components and CIS Benchmark categories, and describe how security baselines provide prescriptive hardening guidance for Windows endpoints and servers.
- Configure account policies through Group Policy including password complexity requirements, account lockout thresholds, Kerberos ticket lifetime settings, and fine-grained password policies for privileged account groups.
- Implement user rights assignment and security options hardening via Group Policy to restrict interactive logon, remote desktop access, debug privileges, and anonymous enumeration on servers and workstations.
- Compare Microsoft Security Baseline and CIS Benchmark recommendations for the same Windows settings, assess the security-usability tradeoffs of each approach, and determine which baseline is most appropriate for specific organizational roles.
Application Control Policies
- Describe the differences between AppLocker and Windows Defender Application Control policy engines, including rule types, enforcement modes, and the scenarios where each technology provides the strongest application whitelisting protection.
- Implement AppLocker policies using publisher, path, and hash rules to restrict executable, script, installer, and DLL execution on workstations, with audit mode testing before enforcement deployment.
- Configure Windows Defender Application Control code integrity policies with managed installer rules, intelligent security graph authorization, and supplemental policies for line-of-business application exceptions.
- Evaluate application control policy effectiveness by analyzing blocked execution events, identifying bypass attempts through DLL side-loading or script interpreters, and recommending rule refinements to close policy gaps.
4. Windows Credential Protection (2 topics)
Authentication Protocols
- Describe Kerberos authentication protocol flow including AS-REQ, AS-REP, TGS-REQ, TGS-REP, and AP-REQ exchanges, and identify the security properties that distinguish Kerberos from NTLM authentication.
- Identify common Kerberos attack techniques including Kerberoasting, AS-REP roasting, Golden Ticket, Silver Ticket, and delegation abuse, and describe the conditions that make each attack possible.
- Configure Kerberos hardening settings including AES encryption enforcement, disabling RC4 cipher suites, constraining delegation types, and implementing Kerberos armoring (FAST) to mitigate protocol-level attacks.
- Analyze authentication traffic patterns and event logs to detect Kerberoasting attempts, pass-the-ticket activity, and anomalous ticket granting service requests that indicate active credential theft campaigns.
Credential Theft Mitigation
- Describe how credential theft tools extract passwords and hashes from LSASS process memory, SAM database, NTDS.dit, and cached credentials, and identify the Windows security features that mitigate each extraction vector.
- Implement Credential Guard using virtualization-based security to isolate LSASS secrets in a protected container, preventing credential harvesting even when the operating system kernel is compromised.
- Deploy Local Administrator Password Solution to automatically rotate and centrally manage unique local administrator passwords across domain-joined endpoints, eliminating pass-the-hash lateral movement using shared local credentials.
- Configure Remote Credential Guard for Remote Desktop sessions to prevent credential delegation to remote hosts, and implement Restricted Admin mode as an alternative for scenarios where Remote Credential Guard is unsupported.
- Assess an organization's credential theft exposure by mapping credential caching locations, evaluating Credential Guard deployment coverage, reviewing LAPS compliance rates, and identifying residual pass-the-hash attack paths.
5. PowerShell Security (2 topics)
PowerShell Logging and Auditing
- Describe the PowerShell security logging capabilities including Module Logging, Script Block Logging, and PowerShell Transcription, and explain the event IDs and log channels where each logging type records activity.
- Configure PowerShell Script Block Logging and Module Logging via Group Policy to capture all executed code blocks including de-obfuscated content, and route PowerShell operational logs to central collection infrastructure.
- Implement PowerShell Transcription to a protected network share with appropriate access controls, creating a tamper-resistant audit trail of all PowerShell console sessions for forensic investigation and compliance.
- Analyze PowerShell Script Block Logs to detect obfuscated commands, encoded payloads, AMSI bypass attempts, and suspicious module imports that indicate adversary use of PowerShell for post-exploitation activities.
PowerShell Execution Controls
- Describe PowerShell Constrained Language Mode, execution policies, and the Antimalware Scan Interface, and explain how each mechanism restricts malicious PowerShell usage while permitting legitimate administrative scripting.
- Implement PowerShell Constrained Language Mode enforcement using WDAC policies to restrict access to .NET types, COM objects, and Add-Type functionality on standard user workstations while maintaining Full Language Mode for administrators.
- Configure Just Enough Administration endpoints with role capability files and session configuration files to provide delegated administration with minimal PowerShell surface area for specific administrative tasks.
- Evaluate the effectiveness of PowerShell security controls by testing bypass techniques, assessing AMSI provider coverage, and determining whether Constrained Language Mode enforcement prevents common attack framework execution.
6. Windows Patch Management (1 topic)
Patch Infrastructure and Deployment
- Describe the Windows Update architecture including Windows Server Update Services, Windows Update for Business, delivery optimization, and update rings, and explain how each component supports enterprise patch management.
- Configure WSUS infrastructure with computer targeting groups, automatic approval rules, and update classifications to manage security patch deployment across workstations and servers with staged rollout scheduling.
- Implement Windows Update for Business policies using Group Policy or Intune to configure feature update deferrals, quality update deadlines, and driver update management for modern patch management scenarios.
- Assess patch management program effectiveness by analyzing patch compliance rates, time-to-patch metrics, deployment failure patterns, and vulnerability exposure windows to identify process improvements for critical security updates.
7. Windows Logging and Monitoring (3 topics)
Windows Event Log Architecture
- Identify the critical Windows Security event IDs for monitoring, including logon events (4624, 4625, 4648), privilege use (4672, 4673), account management (4720, 4732), and policy changes (4719, 4739), and describe their forensic significance.
- Configure advanced audit policy settings via Group Policy to enable granular auditing of logon/logoff, object access, privilege use, account management, DS access, and policy change subcategories on domain controllers and member servers.
- Implement Windows Event Forwarding with source-initiated subscriptions using HTTPS transport and certificate authentication to centrally collect security events from thousands of endpoints for SIEM ingestion.
- Analyze Windows Security event log patterns to reconstruct attack timelines including initial access, credential harvesting, lateral movement, and data staging by correlating events across multiple endpoints and domain controllers.
Sysmon and Enhanced Endpoint Telemetry
- Describe Sysmon event types including process creation, network connections, file creation time changes, registry modifications, WMI events, DNS queries, and file stream creation, and explain their detection value for each ATT&CK tactic.
- Deploy Sysmon with a modular XML configuration that balances detection coverage against log volume by filtering high-noise events while preserving visibility into process creation chains, network connections, and file system modifications.
- Evaluate Sysmon configuration effectiveness by testing detection coverage against common attack tools, measuring event volume impact on collection infrastructure, and tuning exclusion filters to reduce noise without creating blind spots.
Windows Defender and Endpoint Protection
- Describe Microsoft Defender Antivirus capabilities including real-time protection, cloud-delivered protection, automatic sample submission, controlled folder access, and attack surface reduction rules.
- Configure attack surface reduction rules via Group Policy or Intune to block Office macro code execution, executable content from email, credential stealing from LSASS, and process creation from PSExec and WMI commands.
- Implement BitLocker drive encryption with TPM-based key protectors, network unlock for servers, and recovery key escrow to Active Directory to protect data at rest on Windows endpoints and servers.
- Assess Windows endpoint protection posture by reviewing Defender Antivirus detection rates, ASR rule audit events, BitLocker compliance status, and endpoint health attestation data to identify gaps in endpoint hardening coverage.
Scope
Included Topics
- All domains covered by the GIAC Certified Windows Security Administrator (GCWN) certification: Windows Security Architecture, Active Directory Security, Group Policy Hardening, Windows Credential Protection, PowerShell Security, Windows Logging and Monitoring, and Windows Patch Management.
- Intermediate-level Windows enterprise security administration including Active Directory design and hardening, Group Policy Object configuration, credential theft mitigation, PowerShell constrained language mode enforcement, Windows Defender features, and centralized event log collection.
- Key technologies and tools: Active Directory Domain Services, Group Policy Management Console, LAPS (Local Administrator Password Solution), Credential Guard, Windows Defender Application Control (WDAC), AppLocker, BitLocker, Windows Event Forwarding, Sysmon, PowerShell logging and transcription, WSUS, Microsoft Defender for Endpoint, Kerberos protocol, NTLM authentication, and tiered administration models.
- Scenario-driven Windows security decisions that require balancing security hardening, user productivity, operational complexity, and backward compatibility across enterprise Active Directory environments.
Not Covered
- Linux, macOS, and non-Windows operating system administration and security except where cross-platform interoperability affects Windows security posture.
- Cloud-only Azure Active Directory and Microsoft Entra ID administration unless directly relevant to hybrid on-premises Active Directory security.
- Advanced malware analysis and reverse engineering beyond what is needed for understanding Windows endpoint defense mechanisms.
- Network infrastructure device configuration including routers, switches, and firewalls unless directly related to Windows network security features.
- Software development practices and secure coding principles outside the scope of PowerShell scripting and Windows automation security.
Official Exam Page
Learn more at GIAC Certifications