Lab 10.1 - Windows Logging and AD
Installing AD
- Since the vCenter console window was way too small to install this with a GUI, I had to figure out how to do it with PowerShell. This can be done with the following commands, assuming you are logged in as Administrator or as a user with sufficient privileges:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "miles.local"
- Enter a new password, hit "A" when prompted to configure as the Domain Controller.
- Let the computer log out, and when you're back into the Administrator user enter:
$pass = Read-Host -AsSecureString
New-ADUser -Name miles.cummings -AccountPassword $pass -PasswordNeverExpires $true -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members miles.cummings
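The commands above create the forest and a Domain Admin whose password never expires. The following PowerShell is an added example, not part of the lab write-up: it summarises the new forest and lists every Domain Admin with a non-expiring password, which is the kind of check you want after a build like this. It assumes it runs on the new DC (the lab's MGMT02) with the ActiveDirectory module that -IncludeManagementTools installs, and uses the lab's domain and user names.

```powershell
# Added example, not part of the lab write-up: sanity-check the new forest and
# audit the account created above. Assumes it runs on the new DC (the lab's
# MGMT02) with the ActiveDirectory module that -IncludeManagementTools installs.
Import-Module ActiveDirectory

function Get-DomainSummary {
    $domain = Get-ADDomain
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    [pscustomobject]@{
        DnsRoot           = $domain.DNSRoot
        NetBIOSName       = $domain.NetBIOSName
        DomainMode        = $domain.DomainMode
        DCHostName        = $dc.HostName
        DCIsGlobalCatalog = $dc.IsGlobalCatalog
        DCIPv4            = $dc.IPv4Address
    }
}

# Lists every member of a privileged group whose password never expires.
# Such accounts never rotate, so they belong on the periodic review list.
function Get-PrivilegedNonExpiring {
    param([string]$Group = 'Domain Admins')
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
        Where-Object { $_.PasswordNeverExpires } |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}

Get-DomainSummary | Format-List
# miles.cummings will be listed here: the lab created it with
# -PasswordNeverExpires $true and added it to Domain Admins.
Get-PrivilegedNonExpiring | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive also walks nested groups, so admins granted through group-in-group membership show up too.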
Installing Wazuh Agents
Wks01
- This one is relatively easy since it's already on the WAN network and can download the agent file without trouble. We can just use the same PowerShell one-liner from the previous Wazuh labs:
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.10.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='windows'
NET START WazuhSvc
NET STOP WazuhSvc
- Now we have to get it onto Mgmt02. Since Mgmt01 has internet connectivity and is on the same network as Mgmt02, we can download the agent file there and send it over to Mgmt02. On Mgmt01:
cd Desktop
wget https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.10-1.msi
- I had a good bit of trouble getting this over. It seemed like SCP was not working, so I tried allowing it through the local Windows firewall on MGMT02, and I wasn't having any luck there either. Since there is already a LAN-to-MGMT firewall rule that allows SSH to 172.16.200.10 (the Wazuh server), I am just going to use that as an intermediate hop. I did the following on MGMT01 (from the Desktop directory):
scp ./wazuh-agent-4.3.10-1.msi miles@172.16.200.10:/home/miles
- I wanted to just SCP it from Wazuh, but I couldn't install the feature on MGMT02 for some reason. Looks like we can SFTP it from Wazuh to MGMT02 though! From MGMT02:
sftp miles@172.16.200.10:/home/miles/wazuh-agent-4.3.10-1.msi C:\Users\Administrator\Desktop\wazuh-agent-4.3.10.msi
- Now we can set the agent up:
msiexec.exe /i C:\Users\Administrator\Desktop\wazuh-agent-4.3.10.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_REGISTRATION_SERVER='172.16.200.10' WAZUH_AGENT_GROUP='windows'
NET START WazuhSvc
- It worked, Wazuh was running and I could see the new agent in Wazuh!
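Seeing the agent in the Wazuh dashboard is the real confirmation, but it helps to have a check that runs on the endpoint itself (both Wks01 and MGMT02 after the installs above). The following is an added example, not from the lab: it confirms the WazuhSvc service exists and is running and that the agent's ossec.conf points at the manager the lab uses. The default Windows agent install path is an assumption (adjust it if the MSI went elsewhere); the manager IP 172.16.200.10 is the lab's.

```powershell
# Added example, not from the lab: confirm the Wazuh agent service exists and
# is running, and that the agent points at the manager the lab uses.
# Assumes the default Windows agent install path (an assumption; adjust if
# the MSI was installed elsewhere) and the lab's manager IP 172.16.200.10.
function Test-WazuhAgent {
    param(
        [string]$ExpectedManager = '172.16.200.10',
        [string]$ConfigPath = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
    )
    $svc = Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue
    $result = [ordered]@{
        ServiceFound      = [bool]$svc
        ServiceRunning    = [bool]($svc -and $svc.Status -eq 'Running')
        ConfigFound       = Test-Path -Path $ConfigPath
        ConfiguredManager = $null
        ManagerMatches    = $false
    }
    if ($result.ConfigFound) {
        # ossec.conf holds the manager under <client><server><address>; a regex
        # avoids depending on the file being a single well-formed XML document.
        $m = Select-String -Path $ConfigPath -Pattern '<address>\s*([^<\s]+)\s*</address>' |
             Select-Object -First 1
        if ($m) {
            $result.ConfiguredManager = $m.Matches[0].Groups[1].Value
            $result.ManagerMatches    = ($result.ConfiguredManager -eq $ExpectedManager)
        }
    }
    [pscustomobject]$result
}

$agent = Test-WazuhAgent
$agent | Format-List
if ($agent.ServiceFound -and -not $agent.ServiceRunning) {
    # Same effect as the lab's NET START WazuhSvc.
    Start-Service -Name WazuhSvc
}
```

A ManagerMatches of $false with the service running usually means the MSI properties were typed wrong; the agent will sit in a reconnect loop and never appear on the manager.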
- Time for firewall stuff. Thankfully, the traffic only passes through Fw-mgmt, since the endpoints are on either side of that firewall. However, there are a LOT of ports that we need to add in order to get this working. On Fw-mgmt:
set firewall name MGMT-to-LAN rule 30 action accept
set firewall name MGMT-to-LAN rule 30 description "Allow AD ports from MGMT to LAN"
set firewall name MGMT-to-LAN rule 30 source address 172.16.200.11
set firewall name MGMT-to-LAN rule 30 source port 53,88,135,137,138,139,389,445,464,636,3268,3269,1024-65535
set firewall name MGMT-to-LAN rule 30 protocol tcp_udp
- We also need to allow these ports to send traffic the other way:
set firewall name LAN-to-MGMT rule 40 action accept
set firewall name LAN-to-MGMT rule 40 description "Allow AD ports from LAN to MGMT"
set firewall name LAN-to-MGMT rule 40 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 40 destination port 53,88,135,137,138,139,389,445,464,636,3268,3269,1024-65535
set firewall name LAN-to-MGMT rule 40 protocol tcp_udp
- First we need to update our DHCP server settings so the domain join works properly. On the DHCP server:
sudo systemctl stop isc-dhcp-server
sudo nano /etc/dhcp/dhcpd.conf
# Edited the following (global option):
option domain-name "miles.local";
# And under "subnet 172.16.150.0 netmask 255.255.255.0 {":
option domain-name-servers 172.16.200.11;
sudo systemctl start isc-dhcp-server
- Then, on the Windows client, pick up the new lease:
ipconfig /flushdns
ipconfig /release
ipconfig /renew
- Back on MGMT02, we need to set up DNS so our Wks01 knows where to get its domain info from:
netsh interface ipv4 set dnsservers "Ethernet0" static 172.16.200.11 primary
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -NetworkID 172.16.200.0/24 -ReplicationScope "Domain"
Add-DnsServerPrimaryZone -NetworkID 172.16.150.0/24 -ReplicationScope "Domain"
Add-DnsServerResourceRecordPtr -Name "11" -ZoneName "200.16.172.in-addr.arpa" -AllowUpdateAny -AgeRecord -PtrDomainName "miles-mgmt02.miles.local."
- Now Wks01 needs to be added to our domain. To do this, go to Start -> search "Workgroup" -> edit workgroup settings -> add the "miles.local" domain, enter creds, and restart!
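The firewall rules, DHCP options and DNS zones above are all prerequisites for that join, and when it fails the dialog gives little to go on. The following PowerShell is an added example, not part of the lab: run on Wks01 before joining, it probes the AD TCP ports through Fw-mgmt, checks that the DC locator SRV record and the PTR record created above resolve against the DC, and then joins from PowerShell (Add-Computer) instead of the Workgroup dialog. It assumes the lab's DC address 172.16.200.11, the domain miles.local and the miles.cummings account created earlier.

```powershell
# Added example, not the lab's own steps: verify firewall and DNS prerequisites
# from Wks01, then join the domain from PowerShell. Assumes the lab's DC
# 172.16.200.11, domain miles.local, and the PTR record created above.
function Test-DomainPrerequisites {
    param(
        [string]$Dc     = '172.16.200.11',
        [string]$Domain = 'miles.local',
        # TCP ports a domain join and logon need. UDP 53/88/389/137/138 are not
        # probed here because Test-NetConnection only tests TCP.
        [int[]]$TcpPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269)
    )
    $ports = foreach ($p in $TcpPorts) {
        $t = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
    }
    # Clients locate a DC through this SRV record, so it must resolve via the DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction SilentlyContinue
    # Reverse name for the DC, e.g. 11.200.16.172.in-addr.arpa.
    $octets  = $Dc.Split('.')
    $reverse = ($octets[3], $octets[2], $octets[1], $octets[0] -join '.') + '.in-addr.arpa'
    $ptr = Resolve-DnsName -Name $reverse -Type PTR -Server $Dc -ErrorAction SilentlyContinue

    $closed = @($ports | Where-Object { -not $_.Open })
    [pscustomobject]@{
        ClosedPorts  = $closed.Port
        DcLocatorSrv = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
        ReversePtr   = ($ptr | Where-Object { $_.Type -eq 'PTR' }).NameHost
        Ready        = ($closed.Count -eq 0) -and [bool]$srv -and [bool]$ptr
    }
}

$check = Test-DomainPrerequisites
$check | Format-List
if ($check.Ready) {
    # Prompts for the domain admin created earlier and restarts on success,
    # the same outcome as the Workgroup dialog in the lab.
    Add-Computer -DomainName 'miles.local' -Credential (Get-Credential 'miles.local\miles.cummings') -Restart
}
```

If ClosedPorts is non-empty the problem is the Fw-mgmt rules; if the ports are open but DcLocatorSrv is empty, Wks01 is still using the old DNS server and the DHCP change has not reached it yet.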
Sources Used