What is Single Packet Authorization (SPA)?

SPA sends a single cryptographically signed UDP packet to a firewall to dynamically open a specific port for a specific source IP for a limited time. The firewall runs in default-deny mode — no ports are visible to scanners. fwknop is the primary open-source implementation. SPA prevents network scanners from discovering services and eliminates the reconnaissance phase of attacks against management interfaces.

What is domain isolation in Zero Trust?

Domain isolation uses IPsec policies to ensure that domain-joined Windows computers only accept network connections from other authenticated domain members. Computers must present a valid machine certificate or Kerberos ticket to communicate. This isolates domain hosts from unmanaged/guest/compromised devices even if they're on the same network segment.

What is credential rotation and why is it critical?

Credential rotation regularly replaces passwords and access keys to limit the window of exploitation if credentials are compromised. Static credentials that never rotate can be used indefinitely after theft. Modern approaches use password vaults (HashiCorp Vault, CyberArk) that automatically rotate credentials and provide just-in-time access — applications retrieve credentials at runtime, never store them statically.

How does deception technology (honeypot) differ from traditional IDS?

Traditional IDS generates many false positives from legitimate traffic. Deception technology (honeypots, honey credentials, canary tokens) generates near-zero false positives — any interaction with a decoy is inherently suspicious because legitimate users never access fake resources. This provides high-fidelity alerts for lateral movement and credential theft that behavioral detection might miss.

What is the most impactful single change to reduce endpoint attack surface?

Removing local administrator rights from standard users is the single highest-impact endpoint security improvement. The majority of malware, ransomware, and exploits require administrative privileges to install, persist, or spread. Without local admin, attackers must first perform privilege escalation before achieving persistence — adding a required step that EDR and monitoring can detect.

GIAC GDSA Certification: Zero Trust Architecture Study Guide (Domain 4 of 6)

Domain 4 Overview — Zero Trust Architecture

Zero Trust replaces the traditional "trust but verify" perimeter model with "never trust, always verify." Every access request is authenticated, authorized, and continuously validated regardless of network location. Domain 4 covers the ZT model, credential security, SPA, deception, and endpoint hardening.

NIST SP 800-207 ZTA Core Components

Policy Engine (PE)

Makes trust decisions based on all available signals: identity, device health, location, behavior, threat intelligence. The brain of ZTA — evaluates every access request.

Policy Administrator (PA)

Translates PE decisions into access control configurations. Signals PEP to allow/deny access. Creates per-session access tokens.

Policy Enforcement Point (PEP)

The gatekeeper that actually allows or denies network communication. All traffic passes through PEP. Examples: ZTNA gateway, micro-segmentation agent, identity-aware proxy.

ZTA vs Traditional VPN

VPN: Grants broad network access. Authenticated user can reach any resource on the network. Trust is implicit once connected. Hard perimeter.

ZTA: Grants access to specific applications/resources based on continuous verification. No implicit trust. Network location irrelevant. Micro-perimeters per resource.

ZTA Key Principles

Assume breach — act as if attackers are already inside
Verify explicitly — authenticate every user, device, request
Use least privilege access — minimum permissions
Inspect and log all traffic — no trusted zones
Continuous validation — re-verify per session or request

Domain 4 Topic Map

Credential Security

PtH, PtT, Golden Ticket, Kerberoasting, Credential Guard

SPA & Domain Isolation

fwknop, HMAC-signed UDP, IPsec policy, server isolation

Deception Technology

Honeypots, honey credentials, canary tokens, near-zero FP

Endpoint Hardening

Remove local admin, AppLocker, WDAC, CIS Benchmarks, patching SLAs

Host IDS/IPS & Logs

Wazuh, EDR, Sysmon, Event IDs, WEF, auditd

Key Concepts — Zero Trust Architecture

Expand each topic for comprehensive coverage of all Domain 4 exam objectives.

1. Zero Trust Architecture — NIST SP 800-207 and Credential Rotation +

NIST SP 800-207 Component Details:

Policy Engine: Trust algorithm that evaluates all signals — identity attributes (MFA status, role), device health (patch level, compliance), network context (location, IP reputation), behavioral signals (time of day, resource access patterns). Outputs: trust/deny/no-access.
Policy Administrator: Acts as control plane. Creates per-session tokens or credentials. Signals PEP whether to open/close communication path. No data plane role.
Policy Enforcement Point: Data plane enforcer. Splits into PE-facing (non-enterprise) and internal (enterprise resource-facing) sides. All resource requests flow through PEP.

Credential Rotation Tools (Exam Priority):

HashiCorp Vault: Open-source secrets management. Dynamic secrets — generates unique credentials per request with automatic expiration. Lease management, revocation. Supports AWS, database, PKI, SSH secrets engines.
CyberArk: Enterprise PAM. Password vault for service accounts and privileged credentials. CPM (Central Policy Manager) rotates passwords automatically. Session Manager for jump box functionality.
AWS Secrets Manager / Azure Key Vault: Cloud-native secrets rotation. Automatic rotation for RDS passwords, API keys. Application retrieves credentials at runtime via API — never stored statically.
Just-in-Time (JIT) access: Privileged access granted only for specific work window, then revoked. Eliminates standing privileges that attackers can abuse.

Service Account Management: Service accounts should have unique passwords per system, rotated regularly. Never shared passwords. Constrained to specific source IPs/times. Monitored for out-of-baseline behavior.

Responding to Credential Compromise: When credentials are compromised: immediately revoke all sessions (invalidate tokens), rotate affected credentials, review all access logs for unauthorized use in review window, check for persistence (scheduled tasks, new accounts, SSH keys added).

2. Credential Attack Techniques — PtH, PtT, Golden Ticket, Kerberoasting +

Pass-the-Hash (PtH):

Mechanism: Attacker captures NTLM hash from LSASS memory (Mimikatz sekurlsa::logonpasswords). Uses hash directly in NTLM authentication — doesn't need plaintext password.
Detection: Unusual lateral movement patterns (workstation → workstation auth at unusual times), NTLM auth to many systems from single source.
Defense: Protected Users security group (prevents NTLM auth for group members), disable NTLM network authentication entirely, Credential Guard isolates LSASS in VBS hypervisor.

Pass-the-Ticket (PtT):

Mechanism: Steal Kerberos TGT or service tickets from memory (Mimikatz sekurlsa::tickets or kerberos::list). Import stolen ticket into current session (kerberos::ptt). Allows impersonation of legitimate users.
Defense: Short Kerberos ticket lifetime (4-10 hour TGT), monitoring for unusual Kerberos ticket requests, Credential Guard.

Golden Ticket Attack:

Mechanism: Attacker obtains krbtgt account's NTLM hash (full domain admin required). Forges TGTs offline (mimikatz kerberos::golden). Forged TGTs are valid for default 10 years and bypass normal authentication checks.
Impact: Unlimited domain access as any user. Persists even after password resets of other accounts.
Defense: Double-reset the krbtgt password (must reset twice — each ticket validation uses previous and current hash). Requires domain reconnection for all devices.

Silver Ticket: Forge service ticket (TGS) for specific service using service account hash. Doesn't require KDC interaction — harder to detect. Defense: service account password rotation, Privileged Account Management.

Kerberoasting:

Mechanism: Any domain user can request service tickets (TGS) for any SPN. Ticket encrypted with service account password hash. Attacker extracts ticket and cracks offline with Hashcat/John.
High-value targets: service accounts with weak passwords and SPNs (SQL Server, IIS, etc.).
Defense: Service accounts with strong (25+ char) random passwords, use Group Managed Service Accounts (gMSA) with auto-rotating 240-char passwords, monitor for unusual TGS requests.

Tiered Administration Model: Tier 0 (DC/PKI), Tier 1 (servers), Tier 2 (workstations). Admin accounts for each tier used only from dedicated PAWs (Privileged Access Workstations). Prevents credential theft across tiers.

3. Single Packet Authorization (SPA) and Domain/Server Isolation +

Single Packet Authorization Mechanism:

Client sends a single encrypted UDP packet containing: timestamp (prevents replay), HMAC using pre-shared key, source IP address, requested port/protocol.
Server-side: fwknop daemon processes UDP packet in userspace — never creates kernel state, invisible to port scanners.
If HMAC validates and timestamp is fresh (within ±120 seconds): iptables rule is dynamically added opening the requested port for the specific source IP for 30-60 seconds.
Client then connects within the window. After timeout, rule is removed. Default deny all other traffic.

SPA vs Port Knocking:

Port knocking: sequence of connection attempts to specific ports — easily observed and replayed by network sniffers. Weak security.
SPA: single encrypted packet with HMAC — cannot be replayed (timestamp), cannot be forged (HMAC without key), server-side processing is userspace (no state table exposure).

Domain Isolation (Windows):

Uses Windows Group Policy to deploy IPsec policies: "Require inbound authentication for all connections."
Domain members authenticate using Kerberos (domain credentials) or machine certificate.
Unmanaged devices (non-domain, compromised, guest devices) that cannot present valid credentials are silently rejected — TCP connection refused at network layer, not application layer.
Isolation persists even if attacker gains access to same physical network segment (VLAN traversal, connected to same switch).

Server Isolation: Additional IPsec policy layer above domain isolation. Specific high-value servers only accept connections from specific client groups. Example: HR server only accepts connections from computers in the "HR-Workstations" group. Both groups need IPsec policy deployed. Uses IPsec authentication header (AH) for authentication without encryption overhead — or ESP for full encryption.

Implementation Notes: Domain isolation uses Connection Security Rules in Windows Firewall with Advanced Security (WFAS). No third-party software required. Integrates with existing AD infrastructure.

4. Deception Technology — Honeypots, Honey Credentials, and Canary Tokens +

Why Deception is High Value: Any interaction with a decoy is inherently malicious — legitimate users/systems never access fake resources. This produces near-zero false positives, unlike behavioral analytics or anomaly detection that struggles with legitimate traffic patterns. Single interaction = high-confidence alert.

Honeypot Types:

Low-interaction honeypot: Emulates services (SSH, HTTP, Telnet) via software. Low risk — attacker can't escalate on a real OS. Lower intel — only captures initial exploitation attempts. Easy to deploy at scale (one per VLAN).
High-interaction honeypot: Full real systems (VM or dedicated hardware). Attacker interacts with real OS. Rich intelligence on attacker TTPs. Higher risk — attacker may pivot to other systems if honeypot isn't isolated. Requires careful network segmentation.
Honeynets: Full network of interconnected honeypots simulating production environment. Maximum intel. Requires significant operational investment.

Honey Credentials (Exam Favorite):

Fake username/password combinations seeded in: password files (/etc/passwd look-alikes), memory (set in LSASS via logon), network shares, document files, backup configs.
Credentials are monitored — any authentication attempt using them triggers high-confidence alert.
Detects credential dumping and lateral movement: attacker runs Mimikatz, finds "admin123" credential, uses it — immediately triggers alert.

Canary Tokens (canarytokens.org):

Fake files, URLs, API keys, DNS names, Word documents that "call home" when accessed.
Examples: fake Word document with embedded tracking URL, fake AWS access key that triggers CloudTrail alert when used, fake SSH private key, honey email addresses.
Place in: network shares (\\server\finance\Q4-Budget.docx), email archives, source code repos, desktops.
Any access triggers alert: "Who opened the fake budget file at 2 AM?"

Deception Products: Attivo Networks (now SentinelOne Identity), Illusive Networks, TrapX, Cymmetria. Integrate with SIEM for centralized alerting.

Strategic Effect: Even if attacker evades deception initially, knowing decoys exist causes attacker uncertainty — slows them down, increases likelihood of error. Every system might be a honeypot. This psychological pressure is a defensive value beyond the technical alerts.

5. Zero Trust Endpoint Hardening — Privilege Reduction and Configuration +

Remove Local Administrator Rights (Highest Impact):

Majority of malware requires local admin to install, persist, or spread to other systems. Without local admin: attacker must perform privilege escalation (additional detectable step) before persistence.
Implementation: Group Policy → Restricted Groups (remove all from local Administrators except BUILTIN\Administrators). Deploy just-in-time elevation for legitimate admin needs (CyberArk EPM, BeyondTrust Endpoint Privilege Management).
User Account Control (UAC) is NOT a substitute for removing local admin — UAC can be bypassed by numerous published techniques.

Application Control:

AppLocker: Windows application whitelisting by hash, publisher certificate, or path. Policy types: executable rules, script rules, packaged app rules. Default deny — only approved executables can run. Limitation: only available on Enterprise/Education editions.
Windows Defender Application Control (WDAC): Kernel-level enforcement. Stronger than AppLocker — cannot be bypassed by local admins. Recommended for new deployments. Policy in XML, deployed via MDM/GPO/SCCM.
Both support audit mode (log violations without blocking) for policy tuning before enforcement.

Disable LLMNR and NetBIOS (Critical):

LLMNR (Link-Local Multicast Name Resolution) and NetBIOS are legacy Windows name resolution protocols. When DNS fails, Windows broadcasts LLMNR queries.
Attack (Responder): attacker responds to LLMNR/NetBIOS broadcasts with malicious responses, capturing NTLMv2 hashes for offline cracking.
Disable via GPO: Computer Configuration → Administrative Templates → Network → DNS Client → "Turn off multicast name resolution" = Enabled. Disable NetBIOS via DHCP option 001 or NIC properties.

Patch SLAs: Critical (CVSS 9.0+): 72 hours. High (CVSS 7.0-8.9): 7 days. Medium (CVSS 4.0-6.9): 30 days. These are exam-tested values. Automation via WSUS, SCCM, Intune, Ansible is required for large environments.

CIS Benchmarks: Industry-standard hardening baselines for Windows, Linux, macOS, browsers, cloud. Level 1 = practical security improvements. Level 2 = highly secure but potentially impacts usability. Use as baseline before additional custom hardening. Available free from cisecurity.org.

Secure Boot and TPM: Secure Boot prevents boot-level malware (bootkits) by verifying bootloader signatures. TPM stores encryption keys (BitLocker), provides platform attestation for device health checks in ZTA conditional access.

6. Host IDS/IPS, EDR, and Endpoint Log Collection +

HIDS vs HIPS vs EDR:

HIDS (Host Intrusion Detection): Monitors host state — file integrity monitoring (detects unauthorized changes to system files, rootkit installation), log monitoring, rootkit detection. Tools: OSSEC, Wazuh, Tripwire. Generates alerts, does not block.
HIPS (Host Intrusion Prevention): Behavioral blocking before execution. Blocks suspicious actions (process injection, API calls indicative of shellcode). Can stop malware before it executes. Higher FP risk than HIDS.
EDR (Endpoint Detection and Response): Next-generation endpoint security. Continuous telemetry collection (process creation, network connections, registry changes, file operations), cloud-based threat hunting, behavioral detection engines, automated response (process kill, isolation). Products: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint (MDE), Carbon Black.

Critical Windows Event IDs (Memorize for Exam):

4624: Successful logon — logon type matters (2=interactive, 3=network, 10=remote interactive)
4625: Failed logon — multiple failures = brute force indicator
4688: Process creation — with command line logging enabled, reveals attacker commands
4698: Scheduled task created — common persistence mechanism
4720: User account created — new account = possible persistence
7045: New service installed — service installation = common persistence/escalation
4776: NTLM authentication attempt — lateral movement via PtH
4771: Kerberos pre-authentication failed — brute force or AS-REP roasting

Sysmon (System Monitor): Free Microsoft Sysinternals tool. Adds detailed process creation logging (parent PID, full command line, image hashes), DNS query logging, file creation time changes, network connections with PID attribution, driver loading, process injection detection. Config file controls what is logged (SwiftOnSecurity sysmon config is recommended baseline).

Windows Event Forwarding (WEF): Push Windows event logs from endpoints to a centralized Windows Event Collector (WEC) server. Uses WinRM (HTTP/S). No agent required — native Windows feature. Subscriptions define which events to forward. Centralized logs prevent local modification. Forward to SIEM from WEC.

Linux Logging: auditd monitors system calls, file access, user commands. /var/log/auth.log for SSH logins and sudo usage. /var/log/syslog for system events. Rsyslog or syslog-ng for centralized log forwarding.

Exam Readiness Checklist

Track your Domain 4 preparation progress.

Progress 0 / 17

✓

ConceptKnow NIST SP 800-207 ZTA components: Policy Engine, Policy Administrator, Policy Enforcement Point

✓

ExamDistinguish ZTA from VPN: ZTA=application-level access with continuous verification, VPN=network-level access

✓

ExamKnow credential rotation tools: HashiCorp Vault (dynamic secrets), CyberArk, JIT access

✓

ConceptUnderstand Pass-the-Hash vs Pass-the-Ticket — mechanism, what is captured, detection approach

✓

ExamUnderstand Golden Ticket attack — requires krbtgt hash, forges TGTs, persists after password resets

✓

ConceptKnow SPA mechanism: HMAC-signed UDP packet, default-deny firewall, fwknop, anti-replay via timestamp

✓

ExamDistinguish domain isolation vs server isolation — domain-wide IPsec vs server-specific group policy

✓

ConceptUnderstand honeypot types: low vs high interaction — intel richness vs operational risk

✓

ExamKnow honey credentials and canary tokens — why they produce near-zero false positives

✓

ExamUnderstand privilege reduction — remove local admin as highest-impact single change

✓

ConceptKnow patch SLAs: Critical ≤72h, High ≤7d, Medium ≤30d — and why automation is required at scale

✓

ExamKnow application whitelisting tools: AppLocker (Enterprise only) vs WDAC (kernel-level, stronger)

✓

ConceptUnderstand why LLMNR/NetBIOS should be disabled — Responder tool attack surface

✓

ExamKnow critical Windows Event IDs: 4624, 4625, 4688, 4698, 4720, 7045 — and what each indicates

✓

ConceptUnderstand Sysmon — what extra telemetry it provides vs native Windows logging (parent PID, hashes, DNS)

✓

PracticeLab: Deploy Wazuh HIDS on a test system and trigger file integrity monitoring alerts

✓

ExamKnow EDR capabilities vs HIDS vs HIPS — telemetry collection, threat hunting, automated response

Quick Reference

Tables and comparisons for rapid Domain 4 review.

ZTA Components: PE / PA / PEP

Component	Role	Data/Control Plane	Example Implementation
Policy Engine (PE)	Makes trust decisions — allow/deny/no-access	Control plane	Azure AD Conditional Access, Okta, Google BeyondCorp
Policy Administrator (PA)	Translates PE decisions to PEP configurations; creates session tokens	Control plane	Identity provider signaling gateway
Policy Enforcement Point (PEP)	Enforces allow/deny on actual network communications	Data plane	ZTNA gateway, micro-seg agent, identity-aware proxy

Credential Attack Reference Table

Attack	What is Captured	How Exploited	Primary Defense
Pass-the-Hash	NTLM hash from LSASS	Used directly in NTLM auth — no plaintext needed	Credential Guard, disable NTLM, Protected Users group
Pass-the-Ticket	Kerberos TGT or TGS from memory	Ticket imported and used for service access	Short ticket lifetimes, Credential Guard, monitoring
Golden Ticket	krbtgt account hash (requires DA)	Forges unlimited TGTs offline	Double-rotate krbtgt password, detect anomalous TGT lifetimes
Silver Ticket	Service account NTLM hash	Forges TGS for specific service	Service account password rotation, gMSA
Kerberoasting	TGS encrypted with service acct hash	Offline crack weak service account passwords	Strong service account passwords (25+ chars), gMSA
AS-REP Roasting	Kerberos AS-REP for accounts without preauth	Offline crack — no credentials needed to request	Enable Kerberos pre-authentication for all accounts

SPA vs Port Knocking Comparison

Attribute	SPA (fwknop)	Port Knocking
Packet count	Single UDP packet	Multiple TCP connection attempts
Authentication	HMAC cryptographic signature	Sequence only — no crypto
Replay resistance	Yes — timestamp in payload	No — sequence can be replayed
Sniffing resistance	High — encrypted payload	None — sequence visible on network
Server state exposure	Zero — userspace processing	Creates connection attempts visible to scanners
Recommended for GDSA	Yes	No — insufficient for production

Critical Windows Event IDs for Security Monitoring

Event ID	Event	Security Relevance	Logon Types (if applicable)
4624	Successful logon	Baseline all logons; anomalous times/sources indicate compromise	2=console, 3=network, 10=RDP
4625	Failed logon	Multiple failures = brute force; failures then success = credential spray	Same as 4624
4688	Process created	Enable command line logging — reveals attacker tools	—
4698	Scheduled task created	Common malware persistence mechanism	—
4720	User account created	New local accounts = backdoor; new domain accounts = persistence	—
7045	Service installed	Malware/persistence via service registration	—
4776	NTLM auth attempt	PtH detection — unexpected source computer	—

Endpoint Security Tool Comparison

Tool Type	Detection Method	Blocking	Telemetry	Examples
HIDS	File integrity, log monitoring, rootkit detection	No — alerts only	File changes, system events	Wazuh, OSSEC, Tripwire
HIPS	Behavioral, API call monitoring	Yes — blocks suspicious behavior	Process behavior, API calls	Cylance (legacy), McAfee HIPS
EDR	Behavioral, ML, cloud intelligence	Yes — kill process, isolate host	Full endpoint telemetry (process, network, registry, file)	CrowdStrike, SentinelOne, MDE
AV/EPP	Signature + heuristic	Yes — quarantine files	File scan events	Windows Defender, Sophos, ESET

Sysmon Configuration and Key Log Fields

# Sysmon Event IDs
# Event 1:  Process Create — Image, CommandLine, ParentImage, Hashes, User
# Event 3:  Network Connection — Image, DestinationIp, DestinationPort, Protocol
# Event 7:  Image Loaded — Image, ImageLoaded, Signed, Signature
# Event 8:  CreateRemoteThread — detect process injection
# Event 10: ProcessAccess — detect LSASS memory access (Mimikatz)
# Event 11: FileCreate — CommandLine, TargetFilename
# Event 13: Registry Value Set — common persistence detection
# Event 22: DNS Query — QueryName, QueryResults (requires Sysmon v7+)

# Example Sysmon config snippet (detect LSASS access):
<RuleGroup name="MimikatzDetection">
  <ProcessAccess onmatch="include">
    <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

# Windows Event Forwarding (WEF) Subscription Query
# Select * from Security where EventID=4624 or EventID=4625 or EventID=4688
# Subscribe: Computer → Subscriptions → Create Subscription
# Collector-Initiated: WEC pushes to endpoints (domain-joined)
# Source-Initiated: Endpoints push to WEC (configure via GPO)

Practice Quiz — Zero Trust Architecture

Scenario-based questions covering all Domain 4 concepts.

Q1. An attacker uses Mimikatz to extract NTLM hashes from LSASS memory and uses them to authenticate to other servers. Which control most directly prevents hash extraction from LSASS?

Credential Guard uses Windows Virtualization-Based Security (VBS) to run LSASS in a Hyper-V protected container (VSM - Virtual Secure Mode). Mimikatz cannot extract credentials because it cannot access the isolated LSASS process from the normal OS context. AppLocker can block Mimikatz execution but not all variants and bypasses. Micro-segmentation limits movement but doesn't prevent the hash extraction itself.

Q2. A company wants SSH management access to jump boxes to be completely invisible to port scanners while remaining accessible to authorized administrators. Which control achieves this?

SPA with fwknop keeps the firewall in default-deny mode — no ports are open or visible to scanners. The firewall dynamically opens SSH only for the specific source IP that sent a cryptographically valid SPA packet. Port obfuscation (option A) is security through obscurity — scanners discover non-standard ports quickly. VPN (option C) still exposes the VPN port and adds a traversal requirement. SSH keys improve authentication but don't hide the port.

Q3. Security team places fake local admin credentials in a text file on workstations. The credentials are monitored — any authentication attempt triggers an alert. What technique is this?

Honey credentials are fake username/password combinations intentionally seeded in locations attackers look (password files, memory, shared drives). Since legitimate users never use these credentials, any authentication attempt using them is guaranteed malicious — near-zero false positive rate. This is distinct from a honeypot (which is a fake system/service) and from HIDS (which monitors file changes, not credential use).

Q4. A domain-joined workstation receives an inbound SMB connection from an unmanaged guest laptop on the same network segment. Domain isolation prevents this connection. What technology enforces the rejection?

Domain isolation uses IPsec Connection Security Rules deployed via Group Policy. Domain-joined computers require inbound connections to present valid Kerberos authentication or machine certificates. The guest laptop has neither — it's not domain-joined and lacks a machine certificate — so the IPsec negotiation fails and the connection is rejected. Critically, this works even when both devices are on the SAME network segment or VLAN, which VLANs alone cannot achieve.

Q5. Which combination of Windows security features most effectively prevents standard users from installing malware even after clicking a phishing attachment?

Three independent layers: (1) No local admin prevents persistent installation and spreading to other systems. (2) AppLocker/WDAC application control blocks execution of unauthorized programs — even if file is written, it can't run. (3) EDR detects behavioral anomalies even if the malware somehow bypasses the first two layers. BitLocker/Secure Boot protect against physical attacks, not malware execution. Password complexity doesn't prevent malware execution.

Q6. An organization has 10,000 endpoints with a patch SLA requiring critical vulnerabilities be remediated within 72 hours. Which approach ensures compliance at scale?

10,000 endpoints and a 72-hour SLA is mathematically impossible without automation. SCCM/Intune/Ansible push patches automatically with forced installation windows. Manual processes (email, user-initiated) cannot achieve consistent compliance at scale. Quarterly cycles violate the 72-hour SLA. Workstations are high-value lateral movement targets — they require the same patch urgency as servers.

15-Day Study Plan — Domain 4

Structured daily plan with hands-on labs for Zero Trust Architecture.

Week 1 — ZT Fundamentals and Credential Security

Days 1–3

ZTA fundamentals — read NIST SP 800-207 (free download), map PE/PA/PEP to real products (Azure AD Conditional Access, ZTNA gateways), research HashiCorp Vault and CyberArk architecture, understand JIT access workflows

Days 4–5

Credential attacks lab — set up isolated Windows domain VM, demonstrate PtH with Mimikatz (controlled lab only), configure Credential Guard, observe Protected Users group effect on NTLM auth, understand krbtgt double-reset procedure

Week 2 — SPA, Deception, and Endpoint Hardening

Days 6–8

SPA lab — install fwknop on Linux, configure default-deny iptables rules, test SPA from client, verify port is invisible to nmap before and visible after SPA; configure domain isolation via WFAS Connection Security Rules on Windows test domain

Days 9–11

Deception deployment — deploy canary tokens (canarytokens.org) on test file shares, configure honey credentials in AD, set up Cowrie SSH honeypot on isolated VM, review alert generation quality vs NIDS alerts

Days 12–14

Endpoint hardening — remove local admin via GPO, configure AppLocker in audit mode then enforcement, deploy Sysmon with SwiftOnSecurity config, deploy Wazuh HIDS, configure WEF subscriptions to central collector

Final Review

Day 15+

Review all critical Windows Event IDs with practical examples, complete 40+ practice questions from GDSA question banks, build personal reference sheet for ZTA components and credential attack defenses

Common Exam Mistakes

Misconceptions that frequently cost points on Domain 4 questions.

1

Thinking VPN = Zero Trust. VPN grants broad network-level access — once authenticated, the user can reach any network resource. ZTA grants access to specific applications with continuous per-session verification. These are architecturally different. A VPN is the opposite of Zero Trust — it creates implicit trust based on network location.

2

Confusing Pass-the-Hash with credential stuffing. PtH uses the captured NTLM hash directly in authentication — the attacker never needs the plaintext password. Credential stuffing uses known plaintext username/password pairs. Different attack, different defense. PtH requires Credential Guard and NTLM restrictions; credential stuffing requires MFA and breach password monitoring.

3

Underestimating deception technology as a "nice to have." Near-zero false positives make deception alerts extremely high confidence — every alert is actionable. A single canary token alert on a file share provides more reliable signal than thousands of behavioral analytics alerts. Deception is cost-effective and should be deployed broadly (one honeypot per VLAN, canary tokens on every critical share).

4

Forgetting LLMNR/NetBIOS as a credential theft attack surface. The Responder tool exploits LLMNR/NetBIOS fallback name resolution to capture NTLMv2 hashes automatically when any DNS lookup fails. This is a trivial attack requiring no special access. Disabling LLMNR and NetBIOS via GPO is a quick, high-value hardening step that many organizations skip.

5

Confusing domain isolation with VLANs. Domain isolation uses IPsec to authenticate connections cryptographically — it works within a single VLAN (devices on the same switch). VLANs separate network segments but provide no authentication. An attacker who gains access to the same VLAN can still communicate with endpoints unless domain isolation's IPsec requirement is in place.

Frequently Asked Questions — Domain 4

Common questions about Zero Trust Architecture concepts.

What is the krbtgt account and why is it critical to Kerberos security?+

The krbtgt (Key Distribution Center service account) is used by the KDC to encrypt and sign all Kerberos Ticket-Granting Tickets. If an attacker obtains the krbtgt NTLM hash (requires domain admin compromise), they can forge TGTs offline — this is the Golden Ticket attack. Forged TGTs: are valid for the default 10-year lifetime, grant access as any domain user, and persist even after other password resets. Remediation: double-reset the krbtgt password (required twice because each validation checks both current and previous hash). First reset invalidates Golden Tickets after ticket expiration; second reset ensures previous hash is also rotated. This forces all existing Kerberos sessions to re-authenticate — brief disruption but necessary after domain admin compromise.

How does HashiCorp Vault differ from a traditional password manager?+

Traditional password managers (1Password, LastPass) store static credentials that humans retrieve manually. HashiCorp Vault provides: (1) Dynamic secrets — generates unique credentials (database passwords, AWS access keys) per request with automatic expiration. No static credential exists. (2) Leases — all credentials have time-bounded leases, auto-revoked when lease expires. (3) Audit logging — every credential access is logged with identity, time, and purpose. (4) API-first — applications retrieve credentials programmatically at runtime, never storing them in config files or environment variables. (5) Secret engines — native support for AWS, GCP, databases, PKI certificates, SSH certificates. Use Vault when applications need credentials; use password managers for human-to-system credentials.

What is Virtualization-Based Security (VBS) and how does Credential Guard use it?+

VBS uses the Windows hypervisor (Hyper-V) to create an isolated execution environment (Virtual Secure Mode / VSM) separate from the main Windows OS. Even if the OS kernel is compromised, code running in VSM is protected. Credential Guard runs the LSASS process inside VSM. From the normal Windows kernel's perspective, LSASS credentials are protected by hardware virtualization — even a kernel-level exploit cannot access the credential material. Mimikatz targets LSASS process memory — with Credential Guard, LSASS secrets are in VSM and cannot be read from the normal OS context. Requirements: UEFI 2.3.1+, Secure Boot, 64-bit Windows 10/11 Enterprise or Windows Server 2016+, compatible hardware. Enabled via GPO or Intune Device Configuration policy.

Why should LLMNR and NetBIOS be disabled on Windows networks?+

When a Windows computer fails to resolve a name via DNS, it falls back to broadcast-based resolution: LLMNR (UDP 5355) and NetBIOS (UDP 137). The Responder tool (commonly used by attackers) listens for these broadcasts and responds with a malicious host — the Windows machine automatically authenticates to the fake host using NTLMv2. The attacker captures the NTLMv2 hash for offline cracking (Hashcat can crack common passwords in seconds on GPU). This attack requires no credentials and no special access — just network presence. Disable via GPO: LLMNR = Computer Configuration → Administrative Templates → Network → DNS Client → "Turn off multicast name resolution." NetBIOS = DHCP scope option 001 = 2, or via NIC advanced properties. This is a quick, high-value hardening step with minimal operational impact (ensure DNS is reliable first).

What is the difference between a canary token and a traditional honeypot?+

A honeypot is a fake system or service that attracts attackers through network interaction (fake SSH server, fake web app). When an attacker connects, the honeypot logs their actions. Requires network exposure and ongoing maintenance. A canary token is a file, URL, or credential that generates an alert when accessed/used — no network service required. Examples: a Word document with a tracking URL that fires when opened, a fake AWS access key that triggers CloudTrail when used, a fake database connection string in a config file. Canary tokens are simpler to deploy at scale (one per share folder, one in every Git repo), require no infrastructure, and generate extremely high-confidence alerts (nobody accidentally opens "Confidential-Passwords.txt"). Traditional honeypots provide richer attacker intelligence (full session capture) but require more resources. Both are complementary.

What is the tiered administrative model and why does it matter?+

The tiered admin model (Microsoft PAW model) prevents credential theft from cascading across trust tiers. Tier 0: Domain controllers, PKI, ADFS — highest value targets. Tier 1: Servers. Tier 2: Workstations and devices. Rules: Tier 0 admin accounts only used from Tier 0 PAWs (Privileged Access Workstations). Tier 1 admin accounts only used from Tier 1+ PAWs. Regular user accounts never used on admin workstations. PAWs are hardened — no internet browsing, no email, minimal software, dedicated hardware or strict Hyper-V isolation. Why it matters: if an attacker compromises a Tier 2 workstation and captures credentials, those credentials only have Tier 2 access — they cannot be used to access Tier 1 servers or Tier 0 domain controllers. Without tiering, a compromised workstation that a domain admin has logged into holds Tier 0 credentials accessible via PtH/PtT.

How does Windows Event Forwarding (WEF) work and why is it preferred over syslog for Windows?+

WEF is native Windows technology using WinRM (Windows Remote Management) over HTTP/S (port 5985/5986). No third-party agent required. Two modes: (1) Collector-Initiated: WEC (Windows Event Collector) server pulls events from source computers (requires credentials/GPO). (2) Source-Initiated: Source computers push events to WEC (configured via GPO — recommended for scale). Subscription queries define which events to forward (XPath queries). Why prefer over syslog for Windows: (1) Native — no agent deployment or maintenance. (2) Kerberos/HTTPS authenticated — log integrity and transport security. (3) Handles Unicode and structured Windows event data natively — syslog agents often mangle Windows event field names. (4) Buffering and retry — WEF caches events locally if WEC is unavailable. Typically deploy WEC → forward to SIEM. Scale: one WEC can handle ~4000 endpoints.

GIAC GDSA — Zero Trust Architecture