10.2 Windows Logging - CameronProvost/SEC-350 GitHub Wiki
Deliverable 1. Install Active Directory Domain Services on mgmt02. Join wks1 to your new domain. Provide a screenshot showing a whoami and an ipconfig /all on wks1 that indicates you are logged in as a domain user.
Install Active Directory Domain Services

```powershell
# Install the AD DS role plus the RSAT tools, then promote mgmt02 to the first DC of a new forest
# (Install-ADDSForest prompts for the DSRM password and reboots when done)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "cameron.local"
```
Creating an Admin User
```powershell
# Prompt for the password so it never lands in the shell history
$password = Read-Host -AsSecureString
New-ADUser -Name cameron-admin -AccountPassword $password -PasswordNeverExpires $true -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members cameron-admin
Add-ADGroupMember -Identity "Enterprise Admins" -Members cameron-admin
```
Setting DNS PTR Record and Zones
```powershell
Install-WindowsFeature DNS -IncludeManagementTools
# -NetworkID creates the reverse lookup (in-addr.arpa) zone for each subnet, AD-integrated
Add-DnsServerPrimaryZone -NetworkID 172.16.200.0/24 -ReplicationScope "Domain"
Add-DnsServerPrimaryZone -NetworkID 172.16.150.0/24 -ReplicationScope "Domain"
# PTR for 172.16.200.11 -> mgmt02 (the trailing dot makes the target an FQDN)
Add-DnsServerResourceRecordPtr -Name "11" -ZoneName "200.16.172.in-addr.arpa" -AllowUpdateAny -AgeRecord -PtrDomainName "mgmt02-cameron.cameron.local."
```
Add Domain User
```powershell
$password = Read-Host -AsSecureString
New-ADUser -Name cameron.provost -AccountPassword $password -PasswordNeverExpires $true -Enabled $true
```
**Fw-mgmt configurations**

```
set firewall name MGMT-to-LAN rule 50 action 'accept'
set firewall name MGMT-to-LAN rule 50 description 'Windows Active Directory'
set firewall name MGMT-to-LAN rule 50 source address '172.16.200.11'
set firewall name MGMT-to-LAN rule 50 source port '53,88,135,137-138,389,445,464,636,3268-3269,1024-65535'
set firewall name MGMT-to-LAN rule 50 protocol 'tcp_udp'
set firewall name LAN-to-MGMT rule 51 action 'accept'
set firewall name LAN-to-MGMT rule 51 description 'Windows Active Directory'
set firewall name LAN-to-MGMT rule 51 destination address '172.16.200.11'
set firewall name LAN-to-MGMT rule 51 destination port '53,88,135,137-138,389,445,464,636,3268-3269,1024-65535'
set firewall name LAN-to-MGMT rule 51 protocol 'tcp_udp'
commit
save
```
Adding domain to dhcp server
In /etc/dhcp/dhcpd.conf, change the domain name servers option so clients use the new DC for DNS:

```
option domain-name-servers 172.16.200.11;
```

Then restart the dhcp-server.
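The steps above stop short of the actual join and of any check that the firewall, DNS and DHCP changes worked. The following is an added example, not part of the wiki page, to run on wks1 as a local administrator. It assumes the DC/DNS server is 172.16.200.11, the forest is cameron.local and the admin account is cameron-admin, exactly as created above; the port list and the SRV record name are standard AD values.

```powershell
# Added example (not from the wiki): verify the FW-mgmt rules, DNS and the PTR record,
# then join wks1 to cameron.local and produce the evidence for the screenshot.
$Dc       = '172.16.200.11'
$Domain   = 'cameron.local'
$AdminUpn = "cameron-admin@$Domain"

# 1. Firewall: the LAN-to-MGMT rule must let these AD ports through from wks1 to the DC.
#    Test-NetConnection only tests TCP, so a UDP-only failure (e.g. 88/udp) is not caught here.
$adPorts = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($p in $adPorts) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}/tcp -> {1}' -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. DNS: wks1 should have received 172.16.200.11 from DHCP; resolve the forward name,
#    the PTR record created above, and the SRV record the domain join uses to find a DC.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
Resolve-DnsName -Name $Domain -Server $Dc -Type A   | Format-Table Name, IPAddress
Resolve-DnsName -Name $Dc     -Server $Dc -Type PTR | Format-Table Name, NameHost
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Server $Dc -Type SRV | Format-Table Name, NameTarget, Port

# 3. Join the domain (prompts for the cameron-admin password) and reboot.
#    Skipped if the machine is already a domain member.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Add-Computer -DomainName $Domain `
                 -Credential (Get-Credential -UserName $AdminUpn -Message 'Domain join') `
                 -Restart
}

# 4. After the reboot, logged in as cameron.provost: the two commands the deliverable asks for,
#    plus a check that the machine account's secure channel to the DC is healthy.
whoami
ipconfig /all
Test-ComputerSecureChannel -Verbose   # True means the computer account trust is working
```

Step 1 is the quickest way to tell whether a join failure is the firewall rule rather than AD itself: a BLOCKED line for 88 or 389 means the LAN-to-MGMT rule is not matching, while all-open ports with a failing SRV lookup point at DNS instead.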
Deliverable 2. Figure out how to install Wazuh agents on wks1 and mgmt02, remember MGMT does not enjoy the same internet connectivity as LAN. Provide a screenshot similar to the one below that shows these agents are registered with Wazuh. Make sure to create a new Agent Group called windows.
WAZUH Setup - Adding Windows Machines

Wazuh manager: 172.16.200.10

On wks01 and mgmt02:

```powershell
# Download the agent MSI and install it silently, pointing it at the manager for registration
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.11-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.11.msi
msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.11.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='default'
# The installer does not start the service
NET START WazuhSvc
```

For mgmt02, sftp wazuh-agent-4.3.10-1.msi from 172.16.150.10, since MGMT cannot reach packages.wazuh.com directly.
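The install command does not tell you whether the agent actually enrolled, which is the part that goes wrong on mgmt02 when the firewall does not pass 1514/1515. The following is an added example, not from the wiki, to run on wks01 or mgmt02 after NET START WazuhSvc. It assumes the default agent install directory (C:\Program Files (x86)\ossec-agent) and the manager at 172.16.200.10 as used above.

```powershell
# Added example (not from the wiki): post-install checks for the Wazuh agent on Windows.
$Manager  = '172.16.200.10'
$AgentDir = 'C:\Program Files (x86)\ossec-agent'   # default install path, assumed

# 1. Service state: should be Running after NET START WazuhSvc.
Get-Service WazuhSvc | Format-Table Name, Status, StartType

# 2. Manager address the agent was configured with, read straight from ossec.conf
#    (the Windows agent config has a single <ossec_config> root, so it parses as XML).
[xml]$conf = Get-Content "$AgentDir\ossec.conf"
$conf.ossec_config.client.server | Format-Table address, port, protocol

# 3. Enrollment result: client.keys is written only after registration succeeds and holds
#    "id name ip key" per line. Print id/name/ip only; the key is a shared secret.
$keys = Get-Content "$AgentDir\client.keys" -ErrorAction SilentlyContinue
if (-not $keys) {
    Write-Warning 'client.keys missing or empty: enrollment with the manager has not succeeded'
} else {
    $keys | ForEach-Object { ($_ -split ' ')[0..2] -join ' ' }
}

# 4. Reachability: 1515/tcp is enrollment, 1514/tcp is the event channel.
#    A BLOCKED result on mgmt02 points at the FW-mgmt rules rather than the agent.
foreach ($p in 1515, 1514) {
    $ok = (Test-NetConnection -ComputerName $Manager -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "${Manager}:$p -> " + $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

# 5. Tail of the agent log, where "Connected to the server" or key/connection errors appear.
Get-Content "$AgentDir\ossec.log" -Tail 20
```

If step 3 shows an entry but the agent is still "Never connected" in the Wazuh dashboard, step 4 usually explains it: enrollment on 1515 worked but the ongoing 1514 channel is being dropped.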