medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update docs/tech_docs/cyber_lab.md

Browse Source
This commit is contained in:
medusa
2024-04-10 07:32:07 +00:00
parent 5e6724e284
commit 2fcdf196bc
1 changed files with 100 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
docs/tech_docs/cyber_lab.md
View File

@@ -1,229 +1,170 @@
Certainly! Here's a detailed reference guide with specific information and synthetic data for setting up your `homelab.local` Active Directory domain:
Certainly! Let's fine-tune the reference guide for setting up the `homelab.local` Active Directory domain by incorporating the updates and best practices we discussed earlier. Here's the refined version:
# Reference Guide: Setting Up `homelab.local` AD Domain
## Introduction
This guide provides a step-by-step process for creating the `homelab.local` Active Directory domain, designed for a home network with personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT equipment. The guide focuses on security, management, and operational efficiency.
## Domain Configuration
### Step 1: Domain and Controller Setup
1. **Primary Domain Controller (PDC):**
- Server Name: `DC01`
- OS: Windows Server 2019 Standard
- OS: Windows Server 2022 Standard
- IP Address: `192.168.1.10`
- Hardware: Dell PowerEdge R440, 32GB RAM, 2x1TB SSD (RAID 1)
- Hardware: Dell PowerEdge R750, 64GB RAM, 2x2TB NVMe SSD (RAID 1)
2. **Secondary Domain Controller (SDC):**
- Server Name: `DC02`
- OS: Windows Server 2019 Standard
- OS: Windows Server 2022 Standard
- IP Address: `192.168.1.11`
- Hardware: Dell PowerEdge R440, 16GB RAM, 2x1TB SSD (RAID 1)
- Hardware: Dell PowerEdge R750, 32GB RAM, 2x2TB NVMe SSD (RAID 1)
### Step 2: Organizational Units (OUs) and Structure
1. **Create OUs for Major Areas:**
- `CyberLab`
- `HomeDevices`
- `NAS`
- `Users`
- `CyberLab`: For cybersecurity research, testing, and tools
- `HomeDevices`: For personal computers, laptops, and smart devices
- `NAS`: For network-attached storage management and data organization
- `Users`: For managing user accounts, permissions, and group memberships
2. **Define Sub-OUs:**
- Under `CyberLab`: `Testing Environments`, `Research`, `Tools`
- Under `NAS`: `Media`, `Personal Storage`, `Lab Data`
- Under `CyberLab`: `VulnerableEnvironments`, `SecureEnvironments`, `ToolsRepository`
- Under `HomeDevices`: `PersonalComputers`, `Laptops`, `SmartDevices`, `IoTDevices`
- Under `NAS`: `MediaLibrary`, `PersonalStorage`, `LabDataStore`, `Backups`
### Step 3: Security Groups and User Accounts
1. **Establish Security Groups:**
- `LabAdmins`: Full access to CyberLab resources
- `FamilyMembers`: Access to HomeDevices and Media shares
- `MediaAccess`: Read-only access to Media shares
- `Guests`: Limited access to guest network and resources
- `LabAdmins`: Full access to CyberLab resources and management
- `LabUsers`: Limited access to specific CyberLab environments and tools
- `FamilyMembers`: Access to HomeDevices and personal storage on NAS
- `MediaUsers`: Read-only access to the media library on NAS
- `GuestUsers`: Restricted access to guest network and resources
2. **Create User Accounts:**
- Admin Account: `admin@homelab.local`
- Admin Accounts:
- `admin-john@homelab.local`: Primary administrator account
- `admin-jane@homelab.local`: Secondary administrator account
- Family User Accounts:
- `john.doe@homelab.local`
- `jane.doe@homelab.local`
- `alice.doe@homelab.local`
- Guest Account: `guest@homelab.local`
- `john.doe@homelab.local`: John Doe's personal account
- `jane.doe@homelab.local`: Jane Doe's personal account
- `alice.doe@homelab.local`: Alice Doe's personal account
- Guest Account:
- `guest@homelab.local`: Generic guest account with limited permissions
### Step 4: Network Configuration and Security
1. **VLANs and Subnets:**
- `VLAN 10`: CyberLab - `192.168.10.0/24`
- `VLAN 20`: HomeDevices - `192.168.20.0/24`
- `VLAN 30`: NAS - `192.168.30.0/24`
- `VLAN 40`: Management - `192.168.40.0/24`
- `VLAN 50`: Guest - `192.168.50.0/24`
2. **Firewall Rules:**
- Allow inbound traffic on `VLAN 10` for RDP (TCP/3389), SSH (TCP/22), and HTTP(S) (TCP/80, TCP/443)
- Allow outbound traffic on `VLAN 10` to `VLAN 30` for NAS access (SMB, NFS)
- Allow inbound traffic on `VLAN 20` for RDP (TCP/3389) and HTTP(S) (TCP/80, TCP/443)
- Allow outbound traffic on `VLAN 20` to `VLAN 30` for NAS access (SMB, NFS)
- Deny all other traffic between VLANs
- Restrict traffic between `VLAN 50` (Guest) and other VLANs
- Implement strict firewall rules for each sub-OU within the `CyberLab` based on specific requirements
### Step 5: NAS Configuration and Access
1. **NAS Device:**
- Model: Synology DS1819+
- Model: Synology DS3622xs+
- IP Address: `192.168.30.10`
- Shares:
- `Media`: Read-only access for `MediaAccess` group, read-write for `FamilyMembers` group
- `Personal Storage`: Individual user folders with read-write access for respective users
- `Lab Data`: Read-write access for `LabAdmins` group
- `MediaLibrary`: Read-only access for `MediaUsers` group
- `PersonalStorage`: Individual user folders with read-write access for respective users
- `LabDataStore`: Read-write access for `LabAdmins` and specific `LabUsers`
- `Backups`: Read-write access for backup tasks and administrators
2. **NAS Backup:**
- Daily incremental backup to external USB drive
- Weekly full backup to cloud storage (e.g., Backblaze B2)
2. **NAS Backup Strategy:**
- Daily incremental backups to an external NAS or high-capacity storage device
- Weekly full backups to a cloud storage provider (e.g., Amazon S3, Azure Blob Storage)
- Monthly offline backups to a remote location for disaster recovery
### Step 6: Group Policy Objects (GPOs)
1. **Password Policy:**
- Minimum password length: 12 characters
- Password complexity: Enabled
- Maximum password age: 90 days
- Minimum password length: 14 characters
- Password complexity: Enabled (require uppercase, lowercase, digits, and symbols)
- Maximum password age: 60 days
- Enforce password history: 24 passwords remembered
- Account lockout threshold: 5 invalid attempts
- Account lockout duration: 30 minutes
- LabAdmins Group:
- Minimum password length: 16 characters
- Maximum password age: 60 days
- Minimum password length: 20 characters
- Maximum password age: 45 days
- Enforce multi-factor authentication (MFA)
2. **Windows Update Policy:**
- Automatic updates: Enabled
- Schedule: Every Sunday at 2:00 AM
- Schedule: Every Sunday at 3:00 AM
- Configure deadlines for installing updates
- Define maintenance windows for update installations
3. **Software Restriction Policy:**
- Whitelist: `C:\Program Files`, `C:\Program Files (x86)`
- Blacklist: `C:\Users\*\AppData\Local\Temp`, `C:\Windows\Temp`
- Whitelist: `C:\Program Files`, `C:\Program Files (x86)`, `C:\Windows`
- Blacklist: `C:\Users\*\Downloads`, `C:\Users\*\AppData\Local\Temp`, `C:\Windows\Temp`
- Allow specific software installations based on business requirements
- Block execution of unauthorized software and scripts
4. **NAS Access GPO:**
- Applied to `NAS` OU
- Drive mappings:
- `M:` for `Media` share
- `P:` for `Personal Storage` share
- `L:` for `Lab Data` share
- `M:` for `MediaLibrary` share
- `P:` for `PersonalStorage` share
- `L:` for `LabDataStore` share
- Restrict access to NAS shares based on security group membership
- Implement access auditing and monitoring for sensitive data
5. **Security Baseline GPOs:**
- Implement security baselines for Windows 10 and Windows Server 2022
- Configure advanced audit policies for critical events
- Enable Windows Defender Exploit Guard and Application Control
- Restrict administrative privileges and limit user access to system settings
## Conclusion
This fine-tuned reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and implementing the recommended best practices, you can create a well-structured, scalable, and manageable environment that supports your diverse needs while prioritizing security and data protection.
Remember to regularly review and update your Active Directory configuration, group policies, and security measures to align with evolving requirements and emerging threats. Continuous monitoring, auditing, and improvement are essential to maintaining a resilient and secure Active Directory environment.
## Mermaid Diagram
```mermaid
graph TD;
A[PDC: DC01] -->|Manages| B[CyberLab]
A -->|Manages| C[HomeDevices]
A -->|Manages| D[NAS]
A -->|Manages| E[Users]
B --> F[Testing Environments]
B --> G[Research]
B --> H[Tools]
C --> I[john.doe Laptop]
C --> J[jane.doe Laptop]
C --> K[alice.doe Laptop]
C --> L[Smart TV]
D --> M[Media]
D --> N[Personal Storage]
D --> O[Lab Data]
E --> P[admin]
E --> Q[john.doe]
E --> R[jane.doe]
E --> S[alice.doe]
E --> T[guest]
B --> F[VulnerableEnvironments]
B --> G[SecureEnvironments]
B --> H[ToolsRepository]
C --> I[PersonalComputers]
C --> J[Laptops]
C --> K[SmartDevices]
C --> L[IoTDevices]
D --> M[MediaLibrary]
D --> N[PersonalStorage]
D --> O[LabDataStore]
D --> P[Backups]
E --> Q[LabAdmins]
E --> R[LabUsers]
E --> S[FamilyMembers]
E --> T[MediaUsers]
E --> U[GuestUsers]
Q --> V[admin-john]
Q --> W[admin-jane]
S --> X[john.doe]
S --> Y[jane.doe]
S --> Z[alice.doe]
U --> AA[guest]
```
## Conclusion
This diagram provides a visual representation of the refined Active Directory structure, highlighting the key organizational units, security groups, and user accounts. It serves as a reference for understanding the relationships and hierarchy within the `homelab.local` domain.
This detailed reference guide provides specific information and examples for setting up the `homelab.local` Active Directory domain. By following these steps and configurations, you can create a secure, organized, and efficient environment for your home network and cybersecurity lab.
---
Certainly! Here's the updated reference guide for setting up your `homelab.local` Active Directory domain:
# Reference Guide: Setting Up `homelab.local` AD Domain
## Introduction
This guide outlines the process for creating an Active Directory (AD) domain, `homelab.local`, tailored for a comprehensive home network that includes personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT and server equipment. It focuses on security, management, and operational efficiency.
## Domain Configuration
### Step 1: Domain and Controller Setup
1. **Primary Domain Controller (PDC):** Choose a dedicated or virtual server with sufficient resources to run Windows Server. This server will manage the `homelab.local` domain.
2. **Secondary Domain Controller (SDC):** Optional but recommended for redundancy. Can be less resource-intensive and also runs Windows Server.
### Step 2: Organizational Units (OUs) and Structure
1. **Create OUs for Major Areas:**
- `CyberLab`: For cybersecurity research and testing.
- `HomeDevices`: For personal and home devices.
- `NAS`: For network-attached storage access and management.
- `Users`: For managing user accounts and permissions.
2. **Define Sub-OUs:**
- Under `CyberLab`: Create `Testing Environments`, `Research`, `Tools`.
- Under `NAS`: Create `Media`, `Personal Storage`, `Lab Data`.
### Step 3: Security Groups and User Accounts
1. **Establish Security Groups:**
- `LabAdmins`, `FamilyMembers`, `MediaAccess`, `Guests`, with permissions tailored to their needs.
2. **Create User Accounts:**
- Setup `Admin Account(s)` for AD and resource management.
- Create individual `Family User Accounts` and `Guest Accounts` as needed.
- Use a clear naming convention for user accounts, e.g., `john.doe_001`.
### Step 4: Network Configuration and Security
1. **Segment LAN/WLAN:**
- Differentiate between `CyberLab` and `HomeDevices` networks for security and traffic isolation.
2. **Implement Firewall Rules:**
- Control traffic between network segments, especially protecting `CyberLab` resources.
- Create specific firewall rules for each sub-OU within the `CyberLab`.
### Step 5: NAS Configuration and Access
1. **Set Up Storage Areas:**
- Allocate `Media`, `Personal Storage`, and `Lab Data` areas within the NAS, setting appropriate access permissions for each user or group.
2. **NAS Backup Strategy:**
- Implement a separate backup strategy for the NAS, including regular incremental backups to an external drive or cloud storage service.
### Step 6: Group Policy Objects (GPOs)
1. **Define Key Policies:**
- Enforce a strong `Password Policy`, with a stricter policy for the `LabAdmins` group.
- Set an `Update Policy` for automatic Windows updates.
- Apply `Software Restrictions` to limit installations on personal and home devices, using a whitelist of approved software.
2. **GPO for NAS Access:**
- Create a dedicated GPO for NAS access, defining user and group permissions for specific shares.
## Mermaid Diagram
```mermaid
graph TD;
A[PDC: homelab.local] -->|Manages| B[CyberLab]
A -->|Manages| C[HomeDevices]
A -->|Manages| D[NAS]
A -->|Manages| E[Users]
B --> F[Testing Environments]
B --> G[Research]
B --> H[Tools]
C --> I[Personal Laptops]
C --> J[Smart Home Devices]
D --> K[Media]
D --> L[Personal Storage]
D --> M[Lab Data]
E --> N[Admins]
E --> O[Family]
E --> P[Guests]
N --> Q[Admin Account]
O --> R[Family User Accounts]
P --> S[Guest Accounts]
```
## Conclusion
This updated reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and considering the additional recommendations, you can create a well-organized, manageable environment that supports both your professional and personal digital activities.
By following this fine-tuned guide and leveraging the provided diagram, you can establish a robust and secure Active Directory foundation for your home network and cybersecurity lab, enabling effective management, collaboration, and learning opportunities.