the_information_nexus/docs/tech_docs/cyber_lab.md


Reference Guide: Setting Up homelab.local AD Domain

Introduction

This guide provides a step-by-step process for creating the homelab.local Active Directory domain, designed for a home network with personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT equipment. The guide focuses on security, management, and operational efficiency.

Domain Configuration

  1. PDC and SDC Configuration:

    • Primary Domain Controller (PDC):

      • Server Name: DC01
      • Operating System: Windows Server 2022 Standard
      • IP Address: 192.168.1.10
      • Hardware Specifications:
        • Dell PowerEdge R750 Rack Server
        • CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each)
        • RAM: 64GB DDR4 ECC
        • Storage: 2 x 2TB NVMe SSDs (RAID 1)
      • Active Directory Forest Functional Level: Windows Server 2016
      • Active Directory Domain Functional Level: Windows Server 2016
      • DNS Server: Integrated with Active Directory
      • DHCP Server: Enabled for automatic IP assignment
    • Secondary Domain Controller (SDC):

      • Server Name: DC02
      • Operating System: Windows Server 2022 Standard
      • IP Address: 192.168.1.11
      • Hardware Specifications:
        • Dell PowerEdge R750 Rack Server
        • CPU: 2 x Intel Xeon Silver 4314 2.4GHz (16 cores each)
        • RAM: 32GB DDR4 ECC
        • Storage: 2 x 2TB NVMe SSDs (RAID 1)
      • Active Directory Replication: Enabled with PDC
      • DNS Server: Integrated with Active Directory (Secondary)
      • DHCP Server: Disabled (Provided by PDC)

    Additional Considerations:

    • Implement Active Directory Certificate Services (AD CS) for issuing and managing certificates.
    • Configure Active Directory Federation Services (AD FS) for secure identity federation and single sign-on (SSO).
    • Set up Active Directory Rights Management Services (AD RMS) for data protection and access control.
    • Implement Active Directory Recycle Bin for easy recovery of accidentally deleted AD objects.
    • Configure Active Directory Time Synchronization to ensure consistent time across the domain.
  2. Organizational Units (OUs) and Structure:

    • Top-level OUs:

      • CyberLab: Contains resources and sub-OUs related to cybersecurity research, testing, and tools.
      • HomeDevices: Includes sub-OUs for managing personal computers, laptops, smart devices, and IoT devices.
      • NAS: Organizes network-attached storage (NAS) resources and data storage sub-OUs.
      • Users: Manages user accounts, permissions, and group memberships.
    • Sub-OUs under CyberLab:

      • VulnerableEnvironments: Contains intentionally vulnerable systems and applications for testing and research.
      • SecureEnvironments: Includes hardened systems and secure configurations for reference and comparison.
      • ToolsRepository: Stores and manages cybersecurity tools, scripts, and utilities.
    • Sub-OUs under HomeDevices:

      • PersonalComputers: Contains objects representing personal desktop computers.
      • Laptops: Includes objects representing personal laptop devices.
      • SmartDevices: Contains objects representing smart home devices and appliances.
      • IoTDevices: Includes objects representing Internet of Things (IoT) devices.
    • Sub-OUs under NAS:

      • MediaLibrary: Organizes and manages media files, such as movies, music, and photos.
      • PersonalStorage: Contains individual user folders for personal data storage.
      • LabDataStore: Stores and manages data related to cybersecurity lab experiments and projects.
      • Backups: Contains backup data and configuration for the NAS and other critical systems.

    Additional Considerations:

    • Create additional sub-OUs based on specific requirements and granular management needs.
    • Implement Group Policy Objects (GPOs) at the OU level for targeted configuration and security settings.
    • Use Access Control Lists (ACLs) to control permissions and access to OUs and their objects.
    • Regularly review and update the OU structure to ensure it aligns with evolving organizational requirements.
  3. Security Groups and User Accounts:

    • Security Groups:

      • LabAdmins: Grants full administrative access to CyberLab resources and management.
      • LabUsers: Provides limited access to specific CyberLab environments and tools based on job roles and responsibilities.
      • FamilyMembers: Allows access to HomeDevices and personal storage on the NAS.
      • MediaUsers: Grants read-only access to the media library on the NAS.
      • GuestUsers: Offers restricted access to the guest network and resources.
    • Admin Accounts:

      • admin-john@homelab.local: Primary domain administrator account for managing the Active Directory environment and critical resources.
      • admin-jane@homelab.local: Secondary domain administrator account for backup and redundancy purposes.
    • Family User Accounts:

      • john.doe@homelab.local: Personal user account for John Doe.
      • jane.doe@homelab.local: Personal user account for Jane Doe.
      • alice.doe@homelab.local: Personal user account for Alice Doe.
    • Guest Account:

      • guest@homelab.local: Generic guest account with limited permissions for temporary or visitor access.

    Additional Considerations:

    • Implement the principle of least privilege (PoLP) by granting users only the permissions necessary for their roles.
    • Use security group nesting to simplify permission management and reduce administrative overhead.
    • Implement fine-grained password policies for different security groups based on their sensitivity and criticality.
    • Enable account lockout policies to protect against brute-force attacks and unauthorized access attempts.
    • Regularly review and audit user accounts and group memberships to ensure they remain accurate and relevant.
    • Implement multi-factor authentication (MFA) for privileged accounts and sensitive resources.
    • Use privileged access management (PAM) solutions to securely manage and monitor privileged accounts.
    • Conduct regular security awareness training for users to promote best practices and reduce security risks.
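The OU tree, security groups, and accounts from items 2 and 3 as a PowerShell script, added here as an example that is not part of the original guide. It assumes it is run on DC01 as a domain admin with the domain DN DC=homelab,DC=local; placing the family accounts in MediaUsers and the groups under the Users OU are assumptions.

```powershell
# Added example (not from the original guide): builds the OU tree, security
# groups and accounts listed above with the ActiveDirectory module.
# Assumptions: run on DC01 as a domain admin; the domain DN is DC=homelab,DC=local.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

function New-InitialPassword {
    # 24 bytes from the OS CSPRNG plus characters covering every complexity class;
    # the account holder must replace it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + 'Aa1!') -AsPlainText -Force
}

$ouTree = [ordered]@{
    CyberLab    = 'VulnerableEnvironments', 'SecureEnvironments', 'ToolsRepository'
    HomeDevices = 'PersonalComputers', 'Laptops', 'SmartDevices', 'IoTDevices'
    NAS         = 'MediaLibrary', 'PersonalStorage', 'LabDataStore', 'Backups'
    Users       = @()
}
foreach ($top in $ouTree.Keys) {
    New-ADOrganizationalUnit -Name $top -Path $domainDN -ProtectedFromAccidentalDeletion $true
    foreach ($sub in $ouTree[$top]) {
        New-ADOrganizationalUnit -Name $sub -Path "OU=$top,$domainDN" -ProtectedFromAccidentalDeletion $true
    }
}

$usersOU = "OU=Users,$domainDN"
foreach ($g in 'LabAdmins', 'LabUsers', 'FamilyMembers', 'MediaUsers', 'GuestUsers') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $usersOU
}

# Admin identities are separate from personal ones (least privilege). Domain Admins
# membership is deliberately not granted here. The guide's guest@homelab.local is
# omitted because the built-in Guest account already owns the sAMAccountName "Guest";
# leave that built-in account disabled and put any visitor account in GuestUsers.
$accounts = @(
    @{ Name = 'admin-john'; Groups = 'LabAdmins' }
    @{ Name = 'admin-jane'; Groups = 'LabAdmins' }
    @{ Name = 'john.doe';   Groups = 'FamilyMembers', 'MediaUsers' }
    @{ Name = 'jane.doe';   Groups = 'FamilyMembers', 'MediaUsers' }
    @{ Name = 'alice.doe';  Groups = 'FamilyMembers', 'MediaUsers' }
)
foreach ($a in $accounts) {
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Path $usersOU `
        -UserPrincipalName "$($a.Name)@homelab.local" -AccountPassword (New-InitialPassword) `
        -Enabled $true -ChangePasswordAtLogon $true
    foreach ($g in $a.Groups) { Add-ADGroupMember -Identity $g -Members $a.Name }
}
```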

These expanded sections provide more context, details, and relevant data for the PDC and SDC configuration, organizational units and structure, and security groups and user accounts. The additional considerations offer further guidance and best practices to enhance the overall security and management of the Active Directory environment.

Step 4: Network Configuration and Security

  1. VLANs and Subnets:

    • VLAN 10: CyberLab - 192.168.10.0/24
    • VLAN 20: HomeDevices - 192.168.20.0/24
    • VLAN 30: NAS - 192.168.30.0/24
    • VLAN 40: Management - 192.168.40.0/24
    • VLAN 50: Guest - 192.168.50.0/24
  2. Firewall Rules:

    • Allow inbound traffic on VLAN 10 for RDP (TCP/3389), SSH (TCP/22), and HTTP(S) (TCP/80, TCP/443)
    • Allow outbound traffic on VLAN 10 to VLAN 30 for NAS access (SMB, NFS)
    • Allow inbound traffic on VLAN 20 for RDP (TCP/3389) and HTTP(S) (TCP/80, TCP/443)
    • Allow outbound traffic on VLAN 20 to VLAN 30 for NAS access (SMB, NFS)
    • Restrict traffic between VLAN 50 (Guest) and other VLANs
    • Implement strict firewall rules for each sub-OU within the CyberLab based on specific requirements

Step 5: NAS Configuration and Access

  1. NAS Device:

    • Model: Synology DS3622xs+
    • IP Address: 192.168.30.10
    • Shares:
      • MediaLibrary: Read-only access for MediaUsers group
      • PersonalStorage: Individual user folders with read-write access for respective users
      • LabDataStore: Read-write access for LabAdmins and specific LabUsers
      • Backups: Read-write access for backup tasks and administrators
  2. NAS Backup Strategy:

    • Daily incremental backups to an external NAS or high-capacity storage device
    • Weekly full backups to a cloud storage provider (e.g., Amazon S3, Azure Blob Storage)
    • Monthly offline backups to a remote location for disaster recovery

Step 6: Group Policy Objects (GPOs)

  1. Password Policy:

    • Minimum password length: 14 characters
    • Password complexity: Enabled (require uppercase, lowercase, digits, and symbols)
    • Maximum password age: 60 days
    • Enforce password history: 24 passwords remembered
    • Account lockout threshold: 5 invalid attempts
    • Account lockout duration: 30 minutes
    • LabAdmins Group:
      • Minimum password length: 20 characters
      • Maximum password age: 45 days
      • Enforce multi-factor authentication (MFA)
  2. Windows Update Policy:

    • Automatic updates: Enabled
    • Schedule: Every Sunday at 3:00 AM
    • Configure deadlines for installing updates
    • Define maintenance windows for update installations
  3. Software Restriction Policy:

    • Whitelist: C:\Program Files, C:\Program Files (x86), C:\Windows
    • Blacklist: C:\Users\*\Downloads, C:\Users\*\AppData\Local\Temp, C:\Windows\Temp
    • Allow specific software installations based on business requirements
    • Block execution of unauthorized software and scripts
  4. NAS Access GPO:

    • Applied to NAS OU
    • Drive mappings:
      • M: for MediaLibrary share
      • P: for PersonalStorage share
      • L: for LabDataStore share
    • Restrict access to NAS shares based on security group membership
    • Implement access auditing and monitoring for sensitive data
  5. Security Baseline GPOs:

    • Implement security baselines for Windows 10 and Windows Server 2022
    • Configure advanced audit policies for critical events
    • Enable Windows Defender Exploit Guard and Application Control
    • Restrict administrative privileges and limit user access to system settings
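The Step 6 password and lockout settings applied with the ActiveDirectory module, added here as an example that is not part of the original guide. It assumes it runs on DC01 as a domain admin, that the LabAdmins group already exists, and an invented PSO name; the LabAdmins MFA requirement is not a password-policy attribute and is handled elsewhere.

```powershell
# Added example (not from the original guide): applies the Step 6 password and
# lockout settings above. Assumptions: run on DC01 as a domain admin; the LabAdmins
# group already exists; the PSO name is made up here. MFA is enforced elsewhere
# (it is not a password-policy attribute).
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot   # homelab.local

# Default Domain Policy: the values every account gets unless a PSO overrides them.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Fine-grained password policy for LabAdmins. When several PSOs apply to one
# account the lowest Precedence wins, so keep admin PSOs at low numbers.
$psoName = 'PSO-LabAdmins'
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 45) -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'LabAdmins'

# Check the policy each admin actually resolves to; a null result means the
# Default Domain Policy applies, i.e. the PSO did not take effect.
foreach ($m in Get-ADGroupMember -Identity 'LabAdmins' -Recursive) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName
    [pscustomobject]@{
        User      = $m.SamAccountName
        Policy    = if ($r) { $r.Name } else { 'Default Domain Policy' }
        MinLength = if ($r) { $r.MinPasswordLength } else { 14 }
    }
}
```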

Conclusion

This fine-tuned reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and implementing the recommended best practices, you can create a well-structured, scalable, and manageable environment that supports your diverse needs while prioritizing security and data protection.

Remember to regularly review and update your Active Directory configuration, group policies, and security measures to align with evolving requirements and emerging threats. Continuous monitoring, auditing, and improvement are essential to maintaining a resilient and secure Active Directory environment.

Mermaid Diagram

```mermaid
graph TD;
A[PDC: DC01] -->|Manages| B[CyberLab]
A -->|Manages| C[HomeDevices]
A -->|Manages| D[NAS]
A -->|Manages| E[Users]

B --> F[VulnerableEnvironments]
B --> G[SecureEnvironments]
B --> H[ToolsRepository]

C --> I[PersonalComputers]
C --> J[Laptops]
C --> K[SmartDevices]
C --> L[IoTDevices]

D --> M[MediaLibrary]
D --> N[PersonalStorage]
D --> O[LabDataStore]
D --> P[Backups]

E --> Q[LabAdmins]
E --> R[LabUsers]
E --> S[FamilyMembers]
E --> T[MediaUsers]
E --> U[GuestUsers]

Q --> V[admin-john]
Q --> W[admin-jane]

S --> X[john.doe]
S --> Y[jane.doe]
S --> Z[alice.doe]

U --> AA[guest]
```

This diagram provides a visual representation of the refined Active Directory structure, highlighting the key organizational units, security groups, and user accounts. It serves as a reference for understanding the relationships and hierarchy within the homelab.local domain.

By following this fine-tuned guide and leveraging the provided diagram, you can establish a robust and secure Active Directory foundation for your home network and cybersecurity lab, enabling effective management, collaboration, and learning opportunities.