SSEC350 Lab 10.1 ‐‐ Windows Logging - ConnorEast/Tech-Journal GitHub Wiki
For this lab we will be setting up logging through Wazuh for our internal network. This will require a total of at least 14 port firewall rules to be added to our network: 9 TCP and 5 UDP. Below are the expectations for the course.
- Disable Traveler, NGINX, and Jump [Unless Jump hosts Wazuh]
  - My Jump box hosts Wazuh and by proxy is exempt from this.
- Active Directory Domain Services must be installed on MGMT02
- Access to the following ports must be allowed through the firewall
  - For the port group use the VyOS port group commands. Said commands are linked.

  | Non-Ephemeral Port | Purpose |
  |---|---|
  | UDP: Port 88 | |
  | UDP: Port 138 | |
  | UDP: Port 389 | |
  | TCP: Port 135 | |
  | TCP: Port 636 | |
  | TCP: Port 3269 | |
  | TCP: Port 3268 | |
  | TCP: Port 139 | |
  | UDP_TCP: Port 464 | |
  | UDP_TCP: Port 445 | |
  | UDP_TCP: Port 335 | |
  | UDP_TCP: Port 53 | |
  | UDP_TCP: Port 128 | |

  | Ephemeral Port | Purpose |
  |---|---|
  | UDP_TCP: Ports 1025-5000 | |
  | UDP_TCP: Ports 49152-65535 | |

- Figure out how to install Wazuh Agents on WKS1 and MGMT02
  - AD joining WKS1 to your MGMT02 AD Forest
  - Be able to RDP from WKS1 to MGMT02 using valid AD credentials
- MGMT Box Installation
  - Go to Server Manager.
  - Select "Add Roles and Features".
  - Select "MGMT02-East" as your server in server selection.
  - Under Server Roles select "Active Directory Domain Services".
  - Complete the install and promote the server.
  - For the "Deployment Configuration" section add the domain name east.local.
  - Set a DSRM password.
  - Commit all changes and allow the server to restart.
- Management Firewall commands

  ```
  # Allow AD traffic from LAN to MGMT02 (main services)
  set firewall name LAN-to-MGMT rule 40 action 'accept'
  set firewall name LAN-to-MGMT rule 40 description 'Allow AD traffic to MGMT02'
  set firewall name LAN-to-MGMT rule 40 destination address '172.16.200.11'
  set firewall name LAN-to-MGMT rule 40 protocol 'tcp_udp'
  set firewall name LAN-to-MGMT rule 40 destination port '53,88,123,135,137-139,389,445,464,636,3268,3269'
  set firewall name LAN-to-MGMT rule 40 source address '172.16.150.0/24'

  # Allow the AD dynamic RPC port range from LAN to MGMT02
  set firewall name LAN-to-MGMT rule 41 action 'accept'
  set firewall name LAN-to-MGMT rule 41 description 'Allow AD dynamic RPC ports'
  set firewall name LAN-to-MGMT rule 41 destination address '172.16.200.11'
  set firewall name LAN-to-MGMT rule 41 protocol 'tcp_udp'
  set firewall name LAN-to-MGMT rule 41 destination port '49152-65535'
  set firewall name LAN-to-MGMT rule 41 source address '172.16.150.0/24'
  ```
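To check that the `destination port` lists in rules 40 and 41 actually cover the lab's required-port table, here is an added Python checker (my own example, not part of the lab instructions). It expands VyOS comma/range port syntax, applies each list to both TCP and UDP because the rules use `tcp_udp`, and reports per protocol which required ports the rules miss and which opened ports the table never asked for; the required set is transcribed from the table above exactly as written.

```python
from typing import Dict, Set, Tuple

def expand_ports(spec: str) -> Set[int]:
    """Expand a VyOS port list such as '53,88,137-139' into a set of ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)       # single port: hi == lo
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports

# Ports the lab table requires, transcribed from the page as written;
# UDP_TCP rows are required on both protocols.
REQUIRED: Dict[str, Set[int]] = {"udp": {88, 138, 389}, "tcp": {135, 636, 3269, 3268, 139}}
for both in ("464", "445", "335", "53", "128", "1025-5000", "49152-65535"):
    for proto in REQUIRED:
        REQUIRED[proto] |= expand_ports(both)

# Destination port lists from LAN-to-MGMT rules 40 and 41. Both rules use
# protocol 'tcp_udp', so each list is opened for TCP and UDP alike.
RULE_PORTS = ("53,88,123,135,137-139,389,445,464,636,3268,3269", "49152-65535")
ALLOWED: Dict[str, Set[int]] = {
    proto: set().union(*(expand_ports(s) for s in RULE_PORTS)) for proto in ("tcp", "udp")
}

def coverage_gaps(required: Dict[str, Set[int]], allowed: Dict[str, Set[int]]) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Per protocol, return (missing, extra): required ports the rules do not
    open, and opened ports the requirement table never asked for."""
    return {p: (required[p] - allowed[p], allowed[p] - required[p]) for p in required}

def summarize(ports: Set[int]) -> str:
    """Collapse a port set into 'a-b,c' form for readable output."""
    runs, prev = [], None
    for p in sorted(ports):
        if prev is not None and p == prev + 1:
            runs[-1][1] = p                      # extend the current run
        else:
            runs.append([p, p])                  # start a new run
        prev = p
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs) or "none"

if __name__ == "__main__":
    for proto, (missing, extra) in coverage_gaps(REQUIRED, ALLOWED).items():
        print(f"{proto}: missing {summarize(missing)}; extra {summarize(extra)}")
```

Running it shows that the two rules leave the table's 1025-5000 ephemeral range (apart from 3268-3269) and ports 128 and 335 unopened, which is the kind of discrepancy worth settling before blaming the agent when logs do not arrive.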
- Domain Joining Windows Box
  - Go to "System and Security"
  - Go to System and select "Change Settings"
  - In System Properties select "Change"
  - Change the type to Domain and enter the forest name
  - Use an administrative-level account to complete setup
- WKS1 Wazuh Agent Setup
  - Open Wazuh at "https://172.16.50.4"
  - Select "Wazuh > Agents"
  - On the "Agents" page select "Deploy new agent"
  - On the page labeled "Deploy new agents", put in the needed information.
  - At the bottom a PowerShell script should be output; run it in an admin PowerShell window.
  - Following installation, open ports 1514 and 1515 on the Windows firewall
  - Run "NET STOP wazuhsvc"
  - Run "NET START wazuhsvc"
- MGMT02 Wazuh Agent Setup
  - For MGMT02, set the following firewall rules to open web traffic:

    ```
    # Allow MGMT02 web requests out to the LAN (MGMT-to-LAN rule 40)
    set firewall name MGMT-to-LAN rule 40 action 'accept'
    set firewall name MGMT-to-LAN rule 40 description 'Allow MGMT02 web requests'
    set firewall name MGMT-to-LAN rule 40 protocol 'tcp'
    set firewall name MGMT-to-LAN rule 40 destination port '80,443'
    set firewall name MGMT-to-LAN rule 40 source address '172.16.200.11'
    ```

  - Download Chrome as your default browser [Cause it's nicer]
  - Open Wazuh at "https://172.16.50.4"
  - Select "Wazuh > Agents"
  - On the "Agents" page select "Deploy new agent"
  - On the page labeled "Deploy new agents", put in the needed information.
  - At the bottom a PowerShell script should be output; run it in an admin PowerShell window.