Update docs/tech_docs/cyber_lab.md
@@ -7,49 +7,102 @@ This guide provides a step-by-step process for creating the `homelab.local` Acti

## Domain Configuration

### Step 1: Domain and Controller Setup
1. **Primary Domain Controller (PDC):**
- Server Name: `DC01`
- OS: Windows Server 2022 Standard
- IP Address: `192.168.1.10`
- Hardware: Dell PowerEdge R750, 64GB RAM, 2x2TB NVMe SSD (RAID 1)
1. **PDC and SDC Configuration:**
- Primary Domain Controller (PDC):
- Server Name: `DC01`
- Operating System: Windows Server 2022 Standard
- IP Address: `192.168.1.10`
- Hardware Specifications:
- Dell PowerEdge R750 Rack Server
- CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each)
- RAM: 64GB DDR4 ECC
- Storage: 2 x 2TB NVMe SSDs (RAID 1)
- Active Directory Forest Functional Level: Windows Server 2016
- Active Directory Domain Functional Level: Windows Server 2016
- DNS Server: Integrated with Active Directory
- DHCP Server: Enabled for automatic IP assignment

2. **Secondary Domain Controller (SDC):**
- Server Name: `DC02`
- OS: Windows Server 2022 Standard
- IP Address: `192.168.1.11`
- Hardware: Dell PowerEdge R750, 32GB RAM, 2x2TB NVMe SSD (RAID 1)
- Secondary Domain Controller (SDC):
- Server Name: `DC02`
- Operating System: Windows Server 2022 Standard
- IP Address: `192.168.1.11`
- Hardware Specifications:
- Dell PowerEdge R750 Rack Server
- CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each)
- RAM: 32GB DDR4 ECC
- Storage: 2 x 2TB NVMe SSDs (RAID 1)
- Active Directory Replication: Enabled with PDC
- DNS Server: Integrated with Active Directory (Secondary)
- DHCP Server: Disabled (Provided by PDC)

### Step 2: Organizational Units (OUs) and Structure
1. **Create OUs for Major Areas:**
- `CyberLab`: For cybersecurity research, testing, and tools
- `HomeDevices`: For personal computers, laptops, and smart devices
- `NAS`: For network-attached storage management and data organization
- `Users`: For managing user accounts, permissions, and group memberships
Additional Considerations:
- Implement Active Directory Certificate Services (AD CS) for issuing and managing certificates.
- Configure Active Directory Federation Services (AD FS) for secure identity federation and single sign-on (SSO).
- Set up Active Directory Rights Management Services (AD RMS) for data protection and access control.
- Implement Active Directory Recycle Bin for easy recovery of accidentally deleted AD objects.
- Configure Active Directory Time Synchronization to ensure consistent time across the domain.

2. **Define Sub-OUs:**
- Under `CyberLab`: `VulnerableEnvironments`, `SecureEnvironments`, `ToolsRepository`
- Under `HomeDevices`: `PersonalComputers`, `Laptops`, `SmartDevices`, `IoTDevices`
- Under `NAS`: `MediaLibrary`, `PersonalStorage`, `LabDataStore`, `Backups`
2. **Organizational Units (OUs) and Structure:**
- Top-level OUs:
- `CyberLab`: Contains resources and sub-OUs related to cybersecurity research, testing, and tools.
- `HomeDevices`: Includes sub-OUs for managing personal computers, laptops, smart devices, and IoT devices.
- `NAS`: Organizes network-attached storage (NAS) resources and data storage sub-OUs.
- `Users`: Manages user accounts, permissions, and group memberships.

### Step 3: Security Groups and User Accounts
1. **Establish Security Groups:**
- `LabAdmins`: Full access to CyberLab resources and management
- `LabUsers`: Limited access to specific CyberLab environments and tools
- `FamilyMembers`: Access to HomeDevices and personal storage on NAS
- `MediaUsers`: Read-only access to the media library on NAS
- `GuestUsers`: Restricted access to guest network and resources
- Sub-OUs under `CyberLab`:
- `VulnerableEnvironments`: Contains intentionally vulnerable systems and applications for testing and research.
- `SecureEnvironments`: Includes hardened systems and secure configurations for reference and comparison.
- `ToolsRepository`: Stores and manages cybersecurity tools, scripts, and utilities.

- Sub-OUs under `HomeDevices`:
- `PersonalComputers`: Contains objects representing personal desktop computers.
- `Laptops`: Includes objects representing personal laptop devices.
- `SmartDevices`: Contains objects representing smart home devices and appliances.
- `IoTDevices`: Includes objects representing Internet of Things (IoT) devices.

- Sub-OUs under `NAS`:
- `MediaLibrary`: Organizes and manages media files, such as movies, music, and photos.
- `PersonalStorage`: Contains individual user folders for personal data storage.
- `LabDataStore`: Stores and manages data related to cybersecurity lab experiments and projects.
- `Backups`: Contains backup data and configuration for the NAS and other critical systems.

Additional Considerations:
- Create additional sub-OUs based on specific requirements and granular management needs.
- Implement Group Policy Objects (GPOs) at the OU level for targeted configuration and security settings.
- Use Access Control Lists (ACLs) to control permissions and access to OUs and their objects.
- Regularly review and update the OU structure to ensure it aligns with evolving organizational requirements.

3. **Security Groups and User Accounts:**
- Security Groups:
- `LabAdmins`: Grants full administrative access to CyberLab resources and management.
- `LabUsers`: Provides limited access to specific CyberLab environments and tools based on job roles and responsibilities.
- `FamilyMembers`: Allows access to HomeDevices and personal storage on the NAS.
- `MediaUsers`: Grants read-only access to the media library on the NAS.
- `GuestUsers`: Offers restricted access to the guest network and resources.

2. **Create User Accounts:**
- Admin Accounts:
- `admin-john@homelab.local`: Primary administrator account
- `admin-jane@homelab.local`: Secondary administrator account
- `admin-john@homelab.local`: Primary domain administrator account for managing the Active Directory environment and critical resources.
- `admin-jane@homelab.local`: Secondary domain administrator account for backup and redundancy purposes.

- Family User Accounts:
- `john.doe@homelab.local`: John Doe's personal account
- `jane.doe@homelab.local`: Jane Doe's personal account
- `alice.doe@homelab.local`: Alice Doe's personal account
- `john.doe@homelab.local`: Personal user account for John Doe.
- `jane.doe@homelab.local`: Personal user account for Jane Doe.
- `alice.doe@homelab.local`: Personal user account for Alice Doe.

- Guest Account:
- `guest@homelab.local`: Generic guest account with limited permissions
- `guest@homelab.local`: Generic guest account with limited permissions for temporary or visitor access.

Additional Considerations:
- Implement principle of least privilege (PoLP) by granting users only the permissions necessary for their roles.
- Use security group nesting to simplify permission management and reduce administrative overhead.
- Implement fine-grained password policies for different security groups based on their sensitivity and criticality.
- Enable account lockout policies to protect against brute-force attacks and unauthorized access attempts.
- Regularly review and audit user accounts and group memberships to ensure they remain accurate and relevant.
- Implement multi-factor authentication (MFA) for privileged accounts and sensitive resources.
- Use privileged access management (PAM) solutions to securely manage and monitor privileged accounts.
- Conduct regular security awareness training for users to promote best practices and reduce security risks.

These expanded sections provide more context, details, and relevant data for the PDC and SDC configuration, organizational units and structure, and security groups and user accounts. The additional considerations offer further guidance and best practices to enhance the overall security and management of the Active Directory environment.

### Step 4: Network Configuration and Security
1. **VLANs and Subnets:**

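Review bot: The list numbering in this hunk does not line up with the `### Step` headings it sits under: Step 1 carries both `1. **Primary Domain Controller (PDC):**` and `1. **PDC and SDC Configuration:**`, Step 2 has `2. **Define Sub-OUs:**` followed by `2. **Organizational Units (OUs) and Structure:**`, and Step 3 places `3. **Security Groups and User Accounts:**` ahead of `2. **Create User Accounts:**`; confirm that the short-form items are on the removed side of the hunk and renumber so each step has one consecutive list, otherwise the rendered page duplicates every account and group entry (for example `guest@homelab.local` appears twice with two different descriptions). Two placement points: the "Additional Considerations" block covering AD CS, AD FS, AD RMS, the AD Recycle Bin and time synchronization sits under Step 2 (OUs) but describes domain services that belong with the controller setup in Step 1, and the `Sub-OUs under` descriptions for `CyberLab`, `HomeDevices` and `NAS` land under Step 3 (Security Groups) rather than with the Step 2 OU definitions they expand on. The closing paragraph "These expanded sections provide more context, details, and relevant data ..." is commentary about the edit itself rather than documentation and should be dropped from the file; that text belongs in the commit message, which currently reads only "Update docs/tech_docs/cyber_lab.md". Finally, `DHCP Server: Disabled (Provided by PDC)` on `DC02` leaves address assignment as a single point of failure while DNS is replicated to both controllers; if that is intentional for the home lab, a one-line rationale next to it would save the next reader the question.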