Windows Incident Handling
RCCE students will learn Windows endpoint security including OS hardening, Group Policy configuration, Windows Defender features, registry security, PowerShell security, and Windows logging architecture. RCCE students will learn to harden Windows operating systems following CIS Benchmarks and STIG guidelines, configure Group Policy for security enforcement, manage Windows Defender Antivirus, Firewall, and Exploit Guard, secure PowerShell execution environments, implement Windows event log collection for security monitoring, detect and investigate Windows-based attacks including credential theft, lateral movement, and persistence techniques, and manage Windows security updates and patch deployment. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Building on core knowledge, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Endpoint Security Engineers and EDR Analysts
- Windows and macOS Administrators managing privileges
- Identity and Access Management Engineers
- IT Security Operations Leads reducing attack surface
- Professionals implementing Windows Incident Handling
- Execute hands-on tasks for windows incident handling
- Explain Course Overview fundamentals
- Execute hands-on tasks for group policy & defender — covering Containment & evidence, Harden endpoints to.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for kernel layer
- Execute hands-on tasks for user-mode layer
- Execute hands-on tasks for network layer — covering Secure Boot & UEFI integrity, LSA protection & Credential.
- Execute hands-on tasks for security subsystem components — covering Local.
- Execute hands-on tasks for level 1 — baseline
- Execute hands-on tasks for stig viewer & scap — covering DoD mandatory.
- Execute hands-on tasks for .net framework stig — covering STIG Viewer for checklist.
- Execute hands-on tasks for windows hardening workflow
| Module 01 | Windows Incident Handling |
| Module 02 | Course Overview |
| Module 03 | Group Policy & Defender |
| Module 04 | Windows Security Architecture |
| Module 05 | Kernel Layer |
| Module 06 | User-Mode Layer |
| Module 07 | Network Layer |
| Module 08 | Security Subsystem Components |
| Module 09 | Level 1 — Baseline |
| Module 10 | STIG Viewer & SCAP |
| Module 11 | .NET Framework STIG |
| Module 12 | Windows Hardening Workflow |
| Module 13 | 1 Baseline Scan |
| Module 14 | 2 Gap Analysis |
All hands-on labs run on Rocheston Rose X OS. Students practice windows incident handling by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for windows incident handling
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for group policy & defender
- Lab 4: Design a scalable privilege management architecture with policy and enforcement
- Lab 5: Execute hands-on tasks for kernel layer
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Windows Incident Handling, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI