From 45f81309824e0067f648129e387fcb95e0bd7379 Mon Sep 17 00:00:00 2001 From: medusa Date: Wed, 10 Apr 2024 07:50:40 +0000 Subject: [PATCH] Update docs/tech_docs/cyber_lab.md --- docs/tech_docs/cyber_lab.md | 362 +++++++++++------------------------- 1 file changed, 113 insertions(+), 249 deletions(-) diff --git a/docs/tech_docs/cyber_lab.md b/docs/tech_docs/cyber_lab.md index 0f6ce41..810858a 100644 --- a/docs/tech_docs/cyber_lab.md +++ b/docs/tech_docs/cyber_lab.md 
@@ -1,259 +1,123 @@ -Certainly! Let's fine-tune the reference guide for setting up the `homelab.local` Active Directory domain by incorporating the updates and best practices we discussed earlier. Here's the refined version: +# Comprehensive Cybersecurity Lab Guide with Docker and Active Directory Integration -# Reference Guide: Setting Up `homelab.local` AD Domain +## I. Introduction + A. Purpose and objectives of the cybersecurity lab + B. Benefits of using Docker and Active Directory integration + C. Overview of the lab architecture and components -## Introduction -This guide provides a step-by-step process for creating the `homelab.local` Active Directory domain, designed for a home network with personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT equipment. The guide focuses on security, management, and operational efficiency. +## II. Lab Architecture + A. Learning Paths + 1. Focused skill development and experimentation + 2. Specific cybersecurity domains (e.g., network security, web application security, incident response, malware analysis) + B. Docker Containers + 1. Isolated and reproducible environments + 2. Efficient resource utilization and management + C. Docker Compose + 1. Orchestration and management of containers + 2. Simplified deployment and configuration of complex security environments + D. Active Directory Integration + 1. Centralized user and resource management + 2. Realistic enterprise network simulation + 3. Controlled security scenarios within an Active Directory environment -## Domain Configuration +## III. Lab Setup + A. Prerequisites + 1. Host machine or dedicated server requirements + 2. Docker and Docker Compose installation + 3. Access to the `homelab.local` Active Directory domain + B. Active Directory Integration + 1. Ensuring proper setup and accessibility + 2. Creating necessary user accounts, security groups, and organizational units (OUs) + C. Docker and Docker Compose Setup + 1. 
Installation and verification + D. Learning Paths Structure + 1. Creating dedicated directories for each learning path + 2. Defining container environments with Dockerfiles + 3. Configuring services, networks, and volumes with docker-compose.yml files + E. Configuration and Deployment + 1. Customizing Dockerfiles for each learning path + 2. Modifying docker-compose.yml files for specific security scenarios or tools + 3. Building and deploying containers using Docker Compose + F. Central Management + 1. Creating a central docker-compose.yml file for collective management + 2. Utilizing web-based GUI tools (e.g., Portainer, Rancher) for container management and monitoring -1. **PDC and SDC Configuration:** - - Primary Domain Controller (PDC): - - Server Name: `DC01` - - Operating System: Windows Server 2022 Standard - - IP Address: `192.168.1.10` - - Hardware Specifications: - - Dell PowerEdge R750 Rack Server - - CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each) - - RAM: 64GB DDR4 ECC - - Storage: 2 x 2TB NVMe SSDs (RAID 1) - - Active Directory Forest Functional Level: Windows Server 2016 - - Active Directory Domain Functional Level: Windows Server 2016 - - DNS Server: Integrated with Active Directory - - DHCP Server: Enabled for automatic IP assignment +## IV. Cybersecurity Learning Paths + A. Network Security + 1. Packet Analysis + 2. Firewall Configuration + 3. Intrusion Detection and Prevention + 4. VPN and Secure Communication + B. Web Application Security + 1. Vulnerability Assessment + 2. Penetration Testing + 3. Web Application Firewall (WAF) + 4. API Security + C. Incident Response and Forensics + 1. Incident Response Planning + 2. Log Analysis + 3. Memory Forensics + 4. Network Forensics + D. Malware Analysis + 1. Static Analysis + 2. Dynamic Analysis + 3. Reverse Engineering + 4. 
Malware Dissection - - Secondary Domain Controller (SDC): - - Server Name: `DC02` - - Operating System: Windows Server 2022 Standard - - IP Address: `192.168.1.11` - - Hardware Specifications: - - Dell PowerEdge R750 Rack Server - - CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each) - - RAM: 32GB DDR4 ECC - - Storage: 2 x 2TB NVMe SSDs (RAID 1) - - Active Directory Replication: Enabled with PDC - - DNS Server: Integrated with Active Directory (Secondary) - - DHCP Server: Disabled (Provided by PDC) +## V. Example Scenarios + A. Ransomware Attack Simulation + 1. Objective and steps + 2. Mermaid diagram illustrating the scenario flow + B. Web Application Penetration Testing + 1. Objective and steps + 2. Mermaid diagram illustrating the scenario flow + C. Malware Analysis and Reverse Engineering + 1. Objective and steps + 2. Mermaid diagram illustrating the scenario flow - Additional Considerations: - - Implement Active Directory Certificate Services (AD CS) for issuing and managing certificates. - - Configure Active Directory Federation Services (AD FS) for secure identity federation and single sign-on (SSO). - - Set up Active Directory Rights Management Services (AD RMS) for data protection and access control. - - Implement Active Directory Recycle Bin for easy recovery of accidentally deleted AD objects. - - Configure Active Directory Time Synchronization to ensure consistent time across the domain. +## VI. Best Practices and Recommendations + A. Security Configurations + 1. Implementing security best practices for Docker and Active Directory + 2. Managing container access and permissions + B. Regular Updates and Maintenance + 1. Keeping Docker images and containers up to date + 2. Applying security patches and updates regularly + C. Data Persistence and Backup + 1. Utilizing Docker volumes for data persistence + 2. Implementing backup strategies for critical data and configurations + D. Resource Optimization and Monitoring + 1. 
Monitoring and optimizing resource utilization + 2. Implementing logging and monitoring solutions for containers and Active Directory + E. Collaboration and Knowledge Sharing + 1. Encouraging a culture of sharing and collaboration among team members + 2. Utilizing version control and documentation for effective knowledge management -2. **Organizational Units (OUs) and Structure:** - - Design the OU structure based on functional roles and business requirements: - - Create top-level OUs for major areas, such as `CyberLab`, `HomeDevices`, `NAS`, and `Users`. - - Organize sub-OUs within each top-level OU to reflect specific functions or device types, such as `VulnerableEnvironments`, `SecureEnvironments`, and `ToolsRepository` under `CyberLab`. - - Use descriptive and meaningful names for OUs and sub-OUs to ensure clarity and understanding. +## VII. Advanced Concepts and Considerations + A. Integration with Cloud Platforms + 1. Exploring options for integrating the lab with cloud platforms (e.g., AWS, Azure, Google Cloud) + 2. Leveraging cloud-based services for scalability, high availability, and cost-efficiency + B. Automated Provisioning and Deployment + 1. Implementing Infrastructure as Code (IaC) practices + 2. Utilizing configuration management tools (e.g., Ansible, Puppet) for automated lab provisioning + C. Continuous Integration and Continuous Deployment (CI/CD) + 1. Integrating the lab with CI/CD pipelines + 2. Automating the build, testing, and deployment processes for lab environments + D. Security Orchestration, Automation, and Response (SOAR) + 1. Implementing SOAR capabilities within the lab + 2. Automating incident response and security workflows + E. Compliance and Regulatory Considerations + 1. Aligning the lab with relevant security standards and regulations + 2. 
Implementing compliance monitoring and reporting mechanisms - - Implement a hierarchical OU structure for efficient management: - - Place objects with similar management and security requirements in the same OU or sub-OU. - - Use a hierarchical structure to inherit policies and permissions from parent OUs to child OUs. - - Avoid creating a flat OU structure, as it can lead to management and security challenges. +## VIII. Conclusion + A. Recap of the key points and benefits of the cybersecurity lab + B. Importance of continuous learning and staying updated with the latest security trends and techniques + C. Encouragement to explore, experiment, and collaborate within the lab environment - - Use OUs for Group Policy Object (GPO) application: - - Link GPOs at the appropriate OU level to apply specific configurations and security settings to objects within that OU. - - Create separate GPOs for each major area or function, such as CyberLab, HomeDevices, NAS, and Users. - - Use security filtering and item-level targeting to refine GPO application based on specific criteria, such as security group membership or device type. +## IX. References and Resources + A. Official documentation for Docker, Docker Compose, and Active Directory + B. Recommended security tools and frameworks + C. Relevant online communities and forums for cybersecurity professionals + D. Additional reading materials and tutorials for advanced topics and concepts - - Implement access control and delegation: - - Use Access Control Lists (ACLs) to control permissions and access to OUs and their objects. - - Delegate administrative control over specific OUs or sub-OUs to trusted individuals or teams based on their roles and responsibilities. - - Use the principle of least privilege when delegating control, granting only the necessary permissions to perform required tasks. 
- - - Regularly review and maintain the OU structure: - - Conduct periodic reviews of the OU structure to ensure it remains aligned with organizational requirements and security best practices. - - Remove unnecessary or obsolete OUs and sub-OUs to maintain a clean and efficient structure. - - Monitor and audit changes to the OU structure to detect and prevent unauthorized modifications. - - - Implement OU-level security policies: - - Configure OU-level security policies to enforce specific security settings and restrictions for objects within each OU. - - Use OU-level policies to implement security baselines, such as password complexity requirements, account lockout settings, and user rights assignments. - - Regularly review and update OU-level security policies to align with evolving security best practices and organizational requirements. - - - Use OUs for reporting and auditing: - - Leverage OUs to generate targeted reports and audits based on specific areas or functions. - - Use OU-based reporting to monitor and track object modifications, group membership changes, and other relevant events. - - Implement auditing at the OU level to capture and log critical activities and changes for security and compliance purposes. - - - Implement OU-based backup and recovery: - - Configure backup and recovery processes at the OU level to ensure granular and efficient restoration of objects and settings. - - Use OU-based backup and recovery to minimize the impact of accidental deletions or modifications. - - Regularly test and validate the effectiveness of OU-based backup and recovery processes to ensure data integrity and availability. - -Thank you for your feedback. Let's refactor items 3 and 4 to provide more specific recommendations based on best practices while leveraging the existing information in the document. - -3. 
**Security Groups and User Accounts:** - - Implement Role-Based Access Control (RBAC) using security groups: - - Create separate security groups for each role or function, such as `LabAdmins`, `LabUsers`, `FamilyMembers`, `MediaUsers`, and `GuestUsers`. - - Assign users to the appropriate security groups based on their job roles and access requirements. - - Use group nesting to simplify permission management, where applicable. For example, nest `LabUsers` within `LabAdmins` to inherit permissions. - - - Follow the Principle of Least Privilege (PoLP): - - Grant users and security groups only the permissions necessary to perform their tasks. - - Regularly review and audit user permissions to ensure they align with their current roles and responsibilities. - - Remove unnecessary permissions and group memberships promptly when no longer needed. - - - Implement strong password policies: - - Enforce a minimum password length of 14 characters. - - Require the use of complex passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. - - Enable password history to prevent the reuse of recent passwords. - - Set a maximum password age of 60 days to ensure regular password changes. - - Configure account lockout policies to protect against brute-force attacks, such as locking an account after 5 failed attempts for 30 minutes. - - - Secure privileged accounts: - - Use separate admin accounts (`admin-john@homelab.local` and `admin-jane@homelab.local`) for administrative tasks. - - Enable multi-factor authentication (MFA) for all privileged accounts. - - Implement privileged access management (PAM) solutions to securely manage and monitor privileged account activities. - - Regularly rotate and update passwords for privileged accounts. - - - Implement user account lifecycle management: - - Establish a formal process for user account creation, modification, and deletion. 
- - Automate user account provisioning and deprovisioning processes to ensure consistency and reduce errors. - - Regularly review and audit user accounts to identify and remove inactive, stale, or unnecessary accounts. - - - Conduct security awareness training: - - Educate users about password best practices, such as not sharing passwords, using strong and unique passwords, and avoiding phishing attempts. - - Provide training on identifying and reporting suspicious activities or security incidents. - - Regularly update and reinforce security awareness training to keep users informed about the latest threats and best practices. - -4. **Network Configuration and Security:** - - Implement network segmentation using VLANs: - - Create separate VLANs for different purposes, such as `VLAN 10` for CyberLab, `VLAN 20` for HomeDevices, `VLAN 30` for NAS, `VLAN 40` for Management, and `VLAN 50` for Guest. - - Use Layer 3 switching or routing to enable inter-VLAN communication where necessary. - - Implement access control lists (ACLs) or firewall rules to restrict traffic between VLANs based on the principle of least privilege. - - - Secure the management VLAN: - - Restrict access to the management VLAN (`VLAN 40`) to authorized administrators only. - - Use strong authentication methods, such as multi-factor authentication (MFA), for accessing management interfaces. - - Implement logging and monitoring for all management activities. - - - Configure granular firewall rules: - - Implement firewall rules to allow specific inbound traffic on each VLAN as necessary, such as RDP (TCP/3389), SSH (TCP/22), and HTTP(S) (TCP/80, TCP/443) on `VLAN 10` and `VLAN 20`. - - Restrict outbound traffic from each VLAN to only the necessary destinations and ports, such as allowing `VLAN 10` and `VLAN 20` to access `VLAN 30` for NAS access (SMB, NFS). 
- - Implement strict firewall rules for the CyberLab sub-OUs (`VulnerableEnvironments`, `SecureEnvironments`, and `ToolsRepository`) based on their specific access requirements. - - - Secure wireless networks: - - Implement strong wireless security protocols, such as WPA3-Enterprise, to protect wireless communication. - - Use separate SSIDs and VLANs for different purposes, such as guest access and corporate access. - - Implement MAC address filtering to allow only authorized devices to connect to the wireless network. - - Regularly update wireless access points and client devices to the latest firmware and security patches. - - - Monitor and log network activities: - - Implement a centralized logging solution, such as a SIEM (Security Information and Event Management) system, to collect and analyze network logs. - - Configure logging for critical events, such as failed login attempts, unauthorized access attempts, and configuration changes. - - Regularly review and monitor network logs to identify potential security incidents or anomalies. - - - Conduct regular network security assessments: - - Perform periodic vulnerability scans and penetration tests to identify and address potential security weaknesses. - - Use automated tools and manual testing techniques to assess the security posture of the network infrastructure. - - Remediate identified vulnerabilities promptly and validate the effectiveness of the remediation measures. - - - Implement network access control (NAC): - - Deploy a NAC solution to enforce security policies and ensure that only authorized and compliant devices can access the network. - - Configure NAC policies to check for device health, patch levels, and security configurations before granting network access. - - Regularly update and refine NAC policies to align with changing security requirements and best practices. - -### Step 5: NAS Configuration and Access -1. 
**NAS Device:** - - Model: Synology DS3622xs+ - - IP Address: `192.168.30.10` - - Shares: - - `MediaLibrary`: Read-only access for `MediaUsers` group - - `PersonalStorage`: Individual user folders with read-write access for respective users - - `LabDataStore`: Read-write access for `LabAdmins` and specific `LabUsers` - - `Backups`: Read-write access for backup tasks and administrators - -2. **NAS Backup Strategy:** - - Daily incremental backups to an external NAS or high-capacity storage device - - Weekly full backups to a cloud storage provider (e.g., Amazon S3, Azure Blob Storage) - - Monthly offline backups to a remote location for disaster recovery - -### Step 6: Group Policy Objects (GPOs) -1. **Password Policy:** - - Minimum password length: 14 characters - - Password complexity: Enabled (require uppercase, lowercase, digits, and symbols) - - Maximum password age: 60 days - - Enforce password history: 24 passwords remembered - - Account lockout threshold: 5 invalid attempts - - Account lockout duration: 30 minutes - - LabAdmins Group: - - Minimum password length: 20 characters - - Maximum password age: 45 days - - Enforce multi-factor authentication (MFA) - -2. **Windows Update Policy:** - - Automatic updates: Enabled - - Schedule: Every Sunday at 3:00 AM - - Configure deadlines for installing updates - - Define maintenance windows for update installations - -3. **Software Restriction Policy:** - - Whitelist: `C:\Program Files`, `C:\Program Files (x86)`, `C:\Windows` - - Blacklist: `C:\Users\*\Downloads`, `C:\Users\*\AppData\Local\Temp`, `C:\Windows\Temp` - - Allow specific software installations based on business requirements - - Block execution of unauthorized software and scripts - -4. 
**NAS Access GPO:** - - Applied to `NAS` OU - - Drive mappings: - - `M:` for `MediaLibrary` share - - `P:` for `PersonalStorage` share - - `L:` for `LabDataStore` share - - Restrict access to NAS shares based on security group membership - - Implement access auditing and monitoring for sensitive data - -5. **Security Baseline GPOs:** - - Implement security baselines for Windows 10 and Windows Server 2022 - - Configure advanced audit policies for critical events - - Enable Windows Defender Exploit Guard and Application Control - - Restrict administrative privileges and limit user access to system settings - -## Conclusion -This fine-tuned reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and implementing the recommended best practices, you can create a well-structured, scalable, and manageable environment that supports your diverse needs while prioritizing security and data protection. - -Remember to regularly review and update your Active Directory configuration, group policies, and security measures to align with evolving requirements and emerging threats. Continuous monitoring, auditing, and improvement are essential to maintaining a resilient and secure Active Directory environment. 
- -## Mermaid Diagram -```mermaid -graph TD; -A[PDC: DC01] -->|Manages| B[CyberLab] -A -->|Manages| C[HomeDevices] -A -->|Manages| D[NAS] -A -->|Manages| E[Users] - -B --> F[VulnerableEnvironments] -B --> G[SecureEnvironments] -B --> H[ToolsRepository] - -C --> I[PersonalComputers] -C --> J[Laptops] -C --> K[SmartDevices] -C --> L[IoTDevices] - -D --> M[MediaLibrary] -D --> N[PersonalStorage] -D --> O[LabDataStore] -D --> P[Backups] - -E --> Q[LabAdmins] -E --> R[LabUsers] -E --> S[FamilyMembers] -E --> T[MediaUsers] -E --> U[GuestUsers] - -Q --> V[admin-john] -Q --> W[admin-jane] - -S --> X[john.doe] -S --> Y[jane.doe] -S --> Z[alice.doe] - -U --> AA[guest] -``` - -This diagram provides a visual representation of the refined Active Directory structure, highlighting the key organizational units, security groups, and user accounts. It serves as a reference for understanding the relationships and hierarchy within the `homelab.local` domain. - -By following this fine-tuned guide and leveraging the provided diagram, you can establish a robust and secure Active Directory foundation for your home network and cybersecurity lab, enabling effective management, collaboration, and learning opportunities. \ No newline at end of file +This outline provides a comprehensive structure for the cybersecurity lab guide, covering all the essential aspects from lab architecture and setup to learning paths, example scenarios, best practices, and advanced considerations. The guide aims to empower readers with the knowledge and tools necessary to build a robust and flexible cybersecurity lab environment using Docker and Active Directory integration. By following the outlined steps and recommendations, readers can develop practical skills, explore various security domains, and stay ahead of the ever-evolving cybersecurity landscape. \ No newline at end of file
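Review bot: The new file is an outline only, and it drops every concrete, security-relevant setting the old document carried: the `DC01`/`DC02` domain controller configuration, the OU delegation and least-privilege guidance, the password and lockout policy values (14-character minimum, 60-day maximum age, 24-password history, 5 attempts / 30-minute lockout, stricter values for `LabAdmins`), the VLAN segmentation (`VLAN 10` to `VLAN 50`) with the per-VLAN firewall rules, the NAS share permissions, and the Software Restriction and Security Baseline GPOs. Section "III. Lab Setup, A.3. Access to the `homelab.local` Active Directory domain" now points at a domain whose setup no longer exists anywhere in the docs, and section V promises "Mermaid diagram illustrating the scenario flow" for each scenario while the only Mermaid diagram in the repository is the one this patch removes. Suggest either carrying the deleted configuration into the new structure (the domain and GPO material under III.B "Active Directory Integration", the VLAN and firewall rules under VI.A "Security Configurations") or leaving `cyber_lab.md` as is and adding the outline as a separate file, so the working reference is not lost. Two smaller points: the closing paragraph ("This outline provides a comprehensive structure for the cybersecurity lab guide...") reads as assistant-style commentary about the outline rather than documentation and should be dropped, the same way the patch correctly drops the old "Certainly! Let's fine-tune..." and "Thank you for your feedback..." lines; and the file still ends without a trailing newline ("\ No newline at end of file" on both sides), which is worth fixing while the file is being rewritten.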