the_information_nexus/docs/tech_docs/cyber_lab.md
This is the refined version of the reference guide for setting up the homelab.local Active Directory domain, incorporating the updates and best practices discussed earlier.

Reference Guide: Setting Up homelab.local AD Domain

Introduction

This guide provides a step-by-step process for creating the homelab.local Active Directory domain, designed for a home network with personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT equipment. The guide focuses on security, management, and operational efficiency.

Domain Configuration

Step 1: Domain and Controller Setup

  1. Primary Domain Controller (PDC):

    • Server Name: DC01
    • OS: Windows Server 2022 Standard
    • IP Address: 192.168.1.10
    • Hardware: Dell PowerEdge R750, 64GB RAM, 2x2TB NVMe SSD (RAID 1)
  2. Secondary Domain Controller (SDC):

    • Server Name: DC02
    • OS: Windows Server 2022 Standard
    • IP Address: 192.168.1.11
    • Hardware: Dell PowerEdge R750, 32GB RAM, 2x2TB NVMe SSD (RAID 1)
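The two domain controllers above can be built with the AD DS deployment cmdlets that ship with the AD-Domain-Services role. The script below is an added example, not part of the original guide: it addresses DC01 and promotes it as the first domain controller of a new forest, then addresses DC02 and promotes it as an additional domain controller. The NIC alias "Ethernet", the gateway 192.168.1.1, the NetBIOS name HOMELAB and the functional level are assumptions the guide does not state; the server names, IP addresses and domain name come from the guide.

```powershell
# Added example (not from the original guide). Run each section interactively,
# as a local Administrator, on the server named in the comment.
# Assumptions: NIC alias 'Ethernet', gateway 192.168.1.1, NetBIOS name HOMELAB.

# --- DC01 (192.168.1.10): static addressing, then create the forest ----------
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.10' `
    -PrefixLength 24 -DefaultGateway '192.168.1.1'
# The first DC will host DNS, so it resolves through itself from the start.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is needed for offline directory recovery; prompt, never hard-code.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# WinThreshold = Windows Server 2016 functional level, the highest Server 2022 offers.
Install-ADDSForest `
    -DomainName 'homelab.local' `
    -DomainNetbiosName 'HOMELAB' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots automatically when promotion completes.

# --- DC02 (192.168.1.11): join the domain as an additional DC ----------------
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.11' `
    -PrefixLength 24 -DefaultGateway '192.168.1.1'
# Resolve the domain through DC01 during promotion; point at itself afterwards.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.1.10'

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

Install-ADDSDomainController `
    -DomainName 'homelab.local' `
    -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin credential, e.g. HOMELAB\admin-john') `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- Verification (run on either DC after the reboot) ------------------------
# Both DCs should be listed, both global catalogs, and DC01 should hold the FSMO roles.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles
# Replication summary; any non-zero "Fails" column needs attention before going further.
repadmin /replsummary
```

Install-ADDSForest and Install-ADDSDomainController come from the ADDSDeployment module that the AD-Domain-Services feature installs, so the Install-WindowsFeature step must finish before they are available. Keeping two DCs, as the guide specifies, is what makes the domain survive the loss of one server; the repadmin check is the quickest way to confirm DC02 actually replicates rather than merely being joined.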

Step 2: Organizational Units (OUs) and Structure

  1. Create OUs for Major Areas:

    • CyberLab: For cybersecurity research, testing, and tools
    • HomeDevices: For personal computers, laptops, and smart devices
    • NAS: For network-attached storage management and data organization
    • Users: For managing user accounts, permissions, and group memberships
  2. Define Sub-OUs:

    • Under CyberLab: VulnerableEnvironments, SecureEnvironments, ToolsRepository
    • Under HomeDevices: PersonalComputers, Laptops, SmartDevices, IoTDevices
    • Under NAS: MediaLibrary, PersonalStorage, LabDataStore, Backups

Step 3: Security Groups and User Accounts

  1. Establish Security Groups:

    • LabAdmins: Full access to CyberLab resources and management
    • LabUsers: Limited access to specific CyberLab environments and tools
    • FamilyMembers: Access to HomeDevices and personal storage on NAS
    • MediaUsers: Read-only access to the media library on NAS
    • GuestUsers: Restricted access to guest network and resources
  2. Create User Accounts:

    • Admin Accounts:
      • admin-john@homelab.local: Primary administrator account
      • admin-jane@homelab.local: Secondary administrator account
    • Family User Accounts:
      • john.doe@homelab.local: John Doe's personal account
      • jane.doe@homelab.local: Jane Doe's personal account
      • alice.doe@homelab.local: Alice Doe's personal account
    • Guest Account:
      • guest@homelab.local: Generic guest account with limited permissions
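The OU tree from Step 2 and the groups and accounts from Step 3 can be created in one pass with the ActiveDirectory module. The script below is an added example, not code from the original guide: it is idempotent (it skips objects that already exist), places the security groups under the Users OU, and keeps the admin accounts separate from the personal accounts of the same people. OU, group and account names come from the guide; display names, group descriptions, the interactive initial-password prompt and the group memberships chosen for the family accounts are assumptions.

```powershell
# Added example (not from the original guide). Run on DC01 as a Domain Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain -Identity 'homelab.local').DistinguishedName   # DC=homelab,DC=local

# Top-level OUs and their sub-OUs, as listed in Step 2.
$ouTree = [ordered]@{
    'CyberLab'    = @('VulnerableEnvironments', 'SecureEnvironments', 'ToolsRepository')
    'HomeDevices' = @('PersonalComputers', 'Laptops', 'SmartDevices', 'IoTDevices')
    'NAS'         = @('MediaLibrary', 'PersonalStorage', 'LabDataStore', 'Backups')
    'Users'       = @()
}
foreach ($ou in $ouTree.Keys) {
    $ouDN = "OU=$ou,$domainDN"
    # ProtectedFromAccidentalDeletion stops a stray delete from removing a whole branch.
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($sub in $ouTree[$ou]) {
        $subDN = "OU=$sub,$ouDN"
        if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$subDN'")) {
            New-ADOrganizationalUnit -Name $sub -Path $ouDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Security groups from Step 3, placed under the Users OU (assumption).
# Global scope is the usual choice for groups that collect accounts from this domain.
$usersOU = "OU=Users,$domainDN"
$groups = [ordered]@{
    'LabAdmins'     = 'Full access to CyberLab resources and management'
    'LabUsers'      = 'Limited access to specific CyberLab environments and tools'
    'FamilyMembers' = 'Access to HomeDevices and personal storage on NAS'
    'MediaUsers'    = 'Read-only access to the media library on NAS'
    'GuestUsers'    = 'Restricted access to guest network and resources'
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security `
            -Path $usersOU -Description $groups[$g]
    }
}

# Accounts from Step 3: logon name, display name (assumed), and group memberships (assumed).
# Admin accounts are distinct from the personal accounts, so everyday use never carries admin rights.
$accounts = @(
    @{ Sam = 'admin-john'; Name = 'John Doe (admin)'; Groups = @('LabAdmins') }
    @{ Sam = 'admin-jane'; Name = 'Jane Doe (admin)'; Groups = @('LabAdmins') }
    @{ Sam = 'john.doe';   Name = 'John Doe';         Groups = @('FamilyMembers', 'MediaUsers') }
    @{ Sam = 'jane.doe';   Name = 'Jane Doe';         Groups = @('FamilyMembers', 'MediaUsers') }
    @{ Sam = 'alice.doe';  Name = 'Alice Doe';        Groups = @('FamilyMembers', 'MediaUsers') }
    # Every domain already has a built-in account with sAMAccountName 'Guest' (disabled by
    # default), so no new object is created for guest@homelab.local; it is only added to GuestUsers.
    @{ Sam = 'guest';      Name = 'Guest';            Groups = @('GuestUsers') }
)
foreach ($a in $accounts) {
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$($a.Sam)'")) {
        # Prompt per account; the user must change the password at first logon.
        $initial = Read-Host -Prompt "Initial password for $($a.Sam)" -AsSecureString
        New-ADUser -Name $a.Name -SamAccountName $a.Sam `
            -UserPrincipalName "$($a.Sam)@homelab.local" -Path $usersOU `
            -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    }
    foreach ($g in $a.Groups) {
        Add-ADGroupMember -Identity $g -Members $a.Sam
    }
}

# Verification: list each group with its members.
foreach ($g in $groups.Keys) {
    $members = (Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName) -join ', '
    "{0,-14} {1}" -f $g, $members
}
```

The existence checks use -Filter rather than -Identity because Get-AD* with -Identity throws when the object is missing, whereas a filter simply returns nothing. Leaving the built-in Guest account disabled until a guest actually needs it is the safer default; enabling it is a deliberate step rather than a side effect of the script.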

Step 4: Network Configuration and Security

  1. VLANs and Subnets:

    • VLAN 10: CyberLab - 192.168.10.0/24
    • VLAN 20: HomeDevices - 192.168.20.0/24
    • VLAN 30: NAS - 192.168.30.0/24
    • VLAN 40: Management - 192.168.40.0/24
    • VLAN 50: Guest - 192.168.50.0/24
  2. Firewall Rules:

    • Allow inbound traffic on VLAN 10 for RDP (TCP/3389), SSH (TCP/22), and HTTP(S) (TCP/80, TCP/443)
    • Allow outbound traffic on VLAN 10 to VLAN 30 for NAS access (SMB, NFS)
    • Allow inbound traffic on VLAN 20 for RDP (TCP/3389) and HTTP(S) (TCP/80, TCP/443)
    • Allow outbound traffic on VLAN 20 to VLAN 30 for NAS access (SMB, NFS)
    • Restrict traffic between VLAN 50 (Guest) and other VLANs
    • Apply stricter firewall rules to the systems in each CyberLab sub-OU according to their specific requirements

Step 5: NAS Configuration and Access

  1. NAS Device:

    • Model: Synology DS3622xs+
    • IP Address: 192.168.30.10
    • Shares:
      • MediaLibrary: Read-only access for MediaUsers group
      • PersonalStorage: Individual user folders with read-write access for respective users
      • LabDataStore: Read-write access for LabAdmins and specific LabUsers
      • Backups: Read-write access for backup tasks and administrators
  2. NAS Backup Strategy:

    • Daily incremental backups to an external NAS or high-capacity storage device
    • Weekly full backups to a cloud storage provider (e.g., Amazon S3, Azure Blob Storage)
    • Monthly offline backups to a remote location for disaster recovery

Step 6: Group Policy Objects (GPOs)

  1. Password Policy:

    • Minimum password length: 14 characters
    • Password complexity: Enabled (require uppercase, lowercase, digits, and symbols)
    • Maximum password age: 60 days
    • Enforce password history: 24 passwords remembered
    • Account lockout threshold: 5 invalid attempts
    • Account lockout duration: 30 minutes
    • LabAdmins Group:
      • Minimum password length: 20 characters
      • Maximum password age: 45 days
      • Enforce multi-factor authentication (MFA)
  2. Windows Update Policy:

    • Automatic updates: Enabled
    • Schedule: Every Sunday at 3:00 AM
    • Configure deadlines for installing updates
    • Define maintenance windows for update installations
  3. Software Restriction Policy:

    • Whitelist: C:\Program Files, C:\Program Files (x86), C:\Windows
    • Blacklist: C:\Users\*\Downloads, C:\Users\*\AppData\Local\Temp, C:\Windows\Temp
    • Allow specific software installations based on business requirements
    • Block execution of unauthorized software and scripts
  4. NAS Access GPO:

    • Applied to NAS OU
    • Drive mappings:
      • M: for MediaLibrary share
      • P: for PersonalStorage share
      • L: for LabDataStore share
    • Restrict access to NAS shares based on security group membership
    • Implement access auditing and monitoring for sensitive data
  5. Security Baseline GPOs:

    • Implement security baselines for Windows 10 and Windows Server 2022
    • Configure advanced audit policies for critical events
    • Enable Windows Defender Exploit Guard and Application Control
    • Restrict administrative privileges and limit user access to system settings
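The password and lockout settings in item 1 of Step 6 map onto two mechanisms: the domain-wide values belong to the domain's default password policy, and the stricter LabAdmins values are best expressed as a fine-grained password policy (PSO), which overrides the domain policy for the accounts it is applied to. The script below is an added example, not code from the original guide. The numeric values come from the guide; the one-day minimum password age (which stops a user cycling through 24 passwords in a minute to get back to the old one), the lockout observation window, the PSO name and its precedence are assumptions. MFA is not a password-policy attribute in AD and is assumed to be handled by whatever MFA product the lab uses.

```powershell
# Added example (not from the original guide). Run on a DC as a Domain Admin.
Import-Module ActiveDirectory

$domain = 'homelab.local'

# Domain-wide policy: values from Step 6 item 1. MinPasswordAge and the
# observation window are assumptions (the guide does not state them).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Stricter PSO for LabAdmins: 20-character minimum and 45-day maximum age.
# When several PSOs apply to one account, the lowest Precedence wins.
$psoName = 'PSO-LabAdmins'   # assumed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 `
        -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 45) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'LabAdmins'

# Verification: the domain-wide policy ...
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold, LockoutDuration
# ... and the policy that actually applies to an admin account. Because the PSO is
# bound to the group, this should report PSO-LabAdmins with a 20-character minimum.
Get-ADUserResultantPasswordPolicy -Identity 'admin-john' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

One caveat worth knowing: Set-ADDefaultDomainPasswordPolicy writes the domain head attributes that the Default Domain Policy GPO also manages, so the same values should be entered in that GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies) or a later policy refresh can revert them. The PSO has no such dependency; it is a directory object and is applied wherever the LabAdmins group membership is evaluated, which is why Get-ADUserResultantPasswordPolicy is the right check rather than inspecting the group policy.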

Conclusion

This fine-tuned reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and implementing the recommended best practices, you can create a well-structured, scalable, and manageable environment that supports your diverse needs while prioritizing security and data protection.

Remember to regularly review and update your Active Directory configuration, group policies, and security measures to align with evolving requirements and emerging threats. Continuous monitoring, auditing, and improvement are essential to maintaining a resilient and secure Active Directory environment.

Mermaid Diagram

graph TD;
A[PDC: DC01] -->|Manages| B[CyberLab]
A -->|Manages| C[HomeDevices]
A -->|Manages| D[NAS]
A -->|Manages| E[Users]

B --> F[VulnerableEnvironments]
B --> G[SecureEnvironments]
B --> H[ToolsRepository]

C --> I[PersonalComputers]
C --> J[Laptops]
C --> K[SmartDevices]
C --> L[IoTDevices]

D --> M[MediaLibrary]
D --> N[PersonalStorage]
D --> O[LabDataStore]
D --> P[Backups]

E --> Q[LabAdmins]
E --> R[LabUsers]
E --> S[FamilyMembers]
E --> T[MediaUsers]
E --> U[GuestUsers]

Q --> V[admin-john]
Q --> W[admin-jane]

S --> X[john.doe]
S --> Y[jane.doe]
S --> Z[alice.doe]

U --> AA[guest]

This diagram provides a visual representation of the refined Active Directory structure, highlighting the key organizational units, security groups, and user accounts. It serves as a reference for understanding the relationships and hierarchy within the homelab.local domain.

By following this fine-tuned guide and leveraging the provided diagram, you can establish a robust and secure Active Directory foundation for your home network and cybersecurity lab, enabling effective management, collaboration, and learning opportunities.