Project Fur-Tress: Building a Home SOC Lab (Part 4)
Introduction
In part 3, I set up Kali Linux in the Fake Internet VLAN to simulate external threats, and configured Windows Server 2019 as the domain controller for the Corporate LAN, handling DNS and DHCP services.
I realized that jumping into the RemoteAccess and VPN setup wasn't the best move just yet. I need to have my network and devices set up, configured, and all VLANs locked down correctly first. So, I've decided to start by setting up a few different Group Policies, creating some users, and assigning them to different groups before setting up shared resources.
In this part of the project, I’ll be setting up user groups, creating users, and assigning them to those groups. I’ll also be creating several Group Policies to cover reducing password requirements, local administrator access, and deploying software.
Password Requirements GPO
In Active Directory, there’s a baseline set of password requirements for users. For my lab, I wanted to allow weak passwords to simulate password compromise attacks. This helps me gain knowledge in setting up monitoring and alerts for such scenarios.
The two main changes I wanted to make were reducing the minimum password length and disabling the complexity requirements. The complexity requirements include:
- The password must not contain the user’s account name or display name.
- It must include characters from at least three of these categories: uppercase letters, lowercase letters, base 10 digits, or special characters like $ or %.
In the Group Policy Management tool, I found my domain, right-clicked to create a GPO, and linked it. I named the policy 'Simple Password Policy' for easy reference and selected no Source Starter GPO. With the policy created, I needed to edit it. The settings are under Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Here, I changed the minimum password length to 3 and disabled the complexity requirements.
Now, when I create users for the environment, I can set some with very weak passwords.

Creating User Groups
The next step for me was to create an Organisational Unit, so that all of my corporate groups could be assigned here. In Active Directory Users and Computers, I created a new Organisational Unit and named it 'Groups'.
Inside this unit, I wanted to now create the groups that might be found in a small business, or start-up, environment. I decided on the following groups:
- HR
- Finance
- Marketing & Sales
- Legal
- Customer Support
- Executive Team
I have very little to no experience with PowerShell. So I thought that this might be a good time to dig into some resources, and see if I could get a basic script together that would create groups in the Organisational Unit. This way, I don't have to type them out manually, I gain some experience, and I have something I can re-use and expand on later, when I need to create all of my users and have them assigned to different groups.
After some time, I got together the following script:
# Array of the groups and their definitions
$groups = @(
    @{ Name = "HR"; SamAccountName = "HR"; DisplayName = "Human Resources"; Description = "Members of this group are the HR team" },
    @{ Name = "Finance"; SamAccountName = "Finance"; DisplayName = "Finance Team"; Description = "Members of this group are the Finance team" },
    @{ Name = "SalesMarketing"; SamAccountName = "SalesMarketing"; DisplayName = "Sales and Marketing"; Description = "Members of this group are the Sales and Marketing team" },
    @{ Name = "Legal"; SamAccountName = "Legal"; DisplayName = "Legal Team"; Description = "Members of this group are the Legal team" },
    @{ Name = "CustomerSupport"; SamAccountName = "CustomerSupport"; DisplayName = "Customer Support"; Description = "Members of this group are the Customer Support team" },
    @{ Name = "ExecutiveTeam"; SamAccountName = "ExecutiveTeam"; DisplayName = "Executive Team"; Description = "Members of this group are the Executive team" }
)
# The Organizational Unit path
$ouPath = "OU=Groups,DC=fur-tress,DC=soc"
# Loop through each group and create it
foreach ($group in $groups) {
    New-ADGroup -Name $group.Name -SamAccountName $group.SamAccountName -GroupCategory Security -GroupScope Global -DisplayName $group.DisplayName -Path $ouPath -Description $group.Description
}
I opened up PowerShell ISE as Administrator, pasted my script, and then ran it. It completed, and I did not see any errors.

Now to check the groups, and something wasn't right. My groups were not showing. Something appeared to have gone wrong, or I got something wrong with my script.

After I restarted Windows, I checked the groups again, and all the groups were there, and exactly where I wanted them.

Setting Shared Folders
Now that I had the user groups sorted, it was time to create a shared folder location. I wanted one main folder accessible to all domain users, plus individual folders for each group that only their members could access. I also needed an applications folder for resources to install on every Windows device connected to the domain.
I created a directory called fur-tress_shares on the C: drive, with subdirectories for each group and one for applications. To share them, I started with the parent directory fur-tress_shares. In Properties > Sharing > Advanced Sharing, I checked the option to share the directory, left the share name as default, then clicked Permissions.
In the Permissions dialog, I removed 'Everyone' and added 'Domain Users' and 'Domain Computers', giving them read access.

Then, on the Security tab, I made sure 'Everyone' was removed, and added 'Domain Users' and 'Domain Computers', with Read & execute, read, and list permissions.

I repeated the same steps for the Applications directory. For each group directory, I had to disable inheritance so that the parent directory permissions wouldn’t be applied. Once inheritance was disabled, I removed all the existing group permissions and set access to only 'SYSTEM' and the specific group for the directory.
To keep things simple, I left Administrators with access too. This isn’t a problem in my lab, but it wouldn’t be ideal in a real-world scenario. Once the first directory was confirmed as shared with no inheritance, I went through all the remaining directories.
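The same share and NTFS permissions applied from PowerShell, as an added example rather than the author's own procedure. It assumes each group folder is named after the group's Name from the earlier script, and the rights granted (FullControl for SYSTEM and Administrators, Modify for the group) are assumptions, since the post does not state them; it covers the parent share and the group folders only.

```powershell
# Added example (not the author's procedure): script the share and folder ACLs.
Import-Module ActiveDirectory

$root    = 'C:\fur-tress_shares'
$nb      = (Get-ADDomain).NetBIOSName
$readers = "$nb\Domain Users", "$nb\Domain Computers"
# Assumption: each group folder is named after the group's Name in AD.
$groups  = 'HR','Finance','SalesMarketing','Legal','CustomerSupport','ExecutiveTeam'

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow rule that applies to the folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Share the parent folder under its default name, read-only for the domain.
if (-not (Get-SmbShare -Name 'fur-tress_shares' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'fur-tress_shares' -Path $root -ReadAccess $readers | Out-Null
}

# Parent folder: drop any explicit 'Everyone' entry, add read access for the domain.
$acl = Get-Acl -Path $root
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
foreach ($id in $readers) { $acl.AddAccessRule((New-AllowRule $id 'ReadAndExecute')) }
Set-Acl -Path $root -AclObject $acl

# Group folders: break inheritance, then allow only SYSTEM, Administrators and the group.
foreach ($g in $groups) {
    $dir = Join-Path $root $g
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited entries
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule "$nb\$g" 'Modify'))   # assumed right for the group
    Set-Acl -Path $dir -AclObject $acl
}

# Check: list who ended up with access to each group folder.
foreach ($g in $groups) {
    (Get-Acl (Join-Path $root $g)).Access |
        Select-Object @{n='Folder';e={$g}}, IdentityReference, FileSystemRights, IsInherited
}
```

Every row in the final listing should show IsInherited as False and name only SYSTEM, Administrators or the folder's own group.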
Creating AD Users
With the user groups created, and the group folders set up and shared, it was now time to start creating some “employees” for my corporate entity within my lab. I used the PowerShell script for creating the groups as a base, then looked through some resources to see what would be needed to convert this to a script to generate multiple users.
Eventually, I got this script together:
# Array of the users and their details
$users = @(
    @{ givenName = "Annie"; Surname = "Wagner"; AccountPassword = "*****" },
    @{ givenName = "Camila"; Surname = "Richards"; AccountPassword = "*****" },
    @{ givenName = "Steven"; Surname = "Montgomery"; AccountPassword = "*****" },
    @{ givenName = "Greg"; Surname = "Herrera"; AccountPassword = "*****" },
    @{ givenName = "Tina"; Surname = "Fleming"; AccountPassword = "*****" },
    @{ givenName = "Randall"; Surname = "Curtis"; AccountPassword = "*****" },
    @{ givenName = "April"; Surname = "Wells"; AccountPassword = "*****" },
    @{ givenName = "Ivan"; Surname = "Evans"; AccountPassword = "*****" },
    @{ givenName = "Marcus"; Surname = "Silva"; AccountPassword = "*****" },
    @{ givenName = "Lewis"; Surname = "Day"; AccountPassword = "*****" },
    @{ givenName = "Zoe"; Surname = "Pearson"; AccountPassword = "*****" },
    @{ givenName = "Bryan"; Surname = "Hunter"; AccountPassword = "*****" },
    @{ givenName = "Dylan"; Surname = "Garrett"; AccountPassword = "*****" },
    @{ givenName = "Mary"; Surname = "Scott"; AccountPassword = "*****" }
)
$userPath = "OU=Users,DC=fur-tress,DC=soc"
# Loop through each user and create them
foreach ($user in $users) {
    New-ADUser `
        -SamAccountName ($user.givenName + "." + $user.Surname) `
        -Name ($user.givenName + " " + $user.Surname) `
        -GivenName $user.givenName `
        -Surname $user.Surname `
        -UserPrincipalName ($user.givenName + "." + $user.Surname + "@fur-tress.soc") `
        -AccountPassword (ConvertTo-SecureString $user.AccountPassword -AsPlainText -Force) `
        -Enabled $true `
        -Path $userPath `
        -CannotChangePassword $false `
        -ChangePasswordAtLogon $false `
        -PasswordNeverExpires $true
}
For the passwords, I would be generating some complex passwords, and the rest would be simple ones taken from the rockyou.txt common passwords file, available in Kali Linux.
Now it was time to go back into PowerShell ISE, import the script, run it, and see what occurs. Now something did go wrong, and I got the following error:
New-ADUser : Directory object not found
At line:24 char:5
+ New-ADUser `
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Mary Scott,O...ur-tress,DC=soc:
String) [New-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Man
agement.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Comm
ands.NewADUser
$userPath = "OU=Users,DC=fur-tress,DC=soc"
was the problem, and from what I could see in the resources I checked, this wasn't really required, so I removed this line and ran the script again. There were a couple of errors regarding the password complexity, so there was something I didn't have configured quite correctly, but I could see my users created in AD Users and Groups. Now I just had to assign some users to the different groups I had created.
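A pre-flight version of the bulk-creation loop, added here as an example and not the author's script: it checks that the target path exists (in a default domain, Users is a container, CN=Users, rather than an OU), reads the password policy the domain is currently enforcing, and reports failures per account. The two sample users' passwords are placeholders, and falling back to the default users container is an assumption about the intended location.

```powershell
# Added example (not the author's script): pre-flight checks for bulk user creation.
Import-Module ActiveDirectory

# Constructed sample input; the passwords are placeholders, not values from the post.
$users = @(
    @{ GivenName = 'Annie';  Surname = 'Wagner';   Password = '<placeholder-1>' },
    @{ GivenName = 'Camila'; Surname = 'Richards'; Password = '<placeholder-2>' }
)

# 1. Resolve the target path. In a default domain "Users" is a container
#    (CN=Users,...), so OU=Users,... exists only if it was created by hand.
$wanted = 'OU=Users,DC=fur-tress,DC=soc'
try {
    $path = (Get-ADObject -Identity $wanted -ErrorAction Stop).DistinguishedName
} catch {
    $path = (Get-ADDomain).UsersContainer   # assumption: fall back to the default container
    Write-Warning "$wanted not found, using $path instead"
}

# 2. Read the password policy the domain is enforcing right now.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ComplexityEnabled) {
    Write-Warning 'Complexity is still enabled; simple passwords will be rejected.'
}

# 3. Create each user, reporting failures per account instead of stopping.
foreach ($u in $users) {
    $sam = '{0}.{1}' -f $u.GivenName, $u.Surname
    if ($u.Password.Length -lt $policy.MinPasswordLength) {
        Write-Warning "$sam skipped: password is shorter than $($policy.MinPasswordLength)"
        continue
    }
    try {
        New-ADUser -SamAccountName $sam `
            -Name "$($u.GivenName) $($u.Surname)" `
            -GivenName $u.GivenName -Surname $u.Surname `
            -UserPrincipalName "${sam}@fur-tress.soc" `
            -AccountPassword (ConvertTo-SecureString $u.Password -AsPlainText -Force) `
            -Enabled $true -Path $path -ErrorAction Stop
        Write-Output "created $sam in $path"
    } catch {
        Write-Warning "$sam failed: $($_.Exception.Message)"
    }
}
```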

Local Admin GPO
Now that I had some groups and users created, to mimic a real-world environment, I wanted to limit Local Admin to a select group, in this case an IT Operations group that I created. To do this, I created a new GPO and then edited it. In the Group Policy Management Editor, I went to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups and created a new group called 'Local Admin', then I added the IT Operations group to the Local Admin Restricted Group.

Deploy Software from GPO
As part of the set-up for my SOC lab, I want some applications to be automatically installed to devices when they sign on to the domain, to ensure that monitoring and logging applications are automatically added, and set. For now though, I just wanted to get the basic group policy configured, and would test with a web browser application, and then I can check if this is applied when I set up a Windows 10 workstation for the domain.
I downloaded the MSI for Google Chrome Enterprise, then I created a new policy and named it 'Software Install Policy', then edited this policy. At Computer Configuration > Policies > Software Settings > Software installation, I right-clicked on Software Installation and clicked on New > Package and selected the Google Chrome MSI package. I chose the 'Assigned' option, so the package would be installed without modifications, and then I could see Google Chrome in the package list.

Summary
In Part 5, I’ll set up a Windows 10 workstation to connect to the domain. Following that, I plan to create a Linux VM. My goals include connecting it to the domain and then installing Docker and Portainer, so that vulnerable web applications can be set up for testing and experimenting.