Defender for Identity Security Alert Lab

Thu Dec 01, 22 | MDI | Identity | Microsoft | Labs

Based on the Microsoft Defender for Identity Security Alert Lab, this deployment creates an isolated lab environment in Azure where you can safely install, configure, and test the MDI learning scenarios.

Deployment Instructions

Updates

29 Nov 2022 - MDI Event 1644 DSC

Added the registry settings recommended by MDI for Event ID 1644 auditing to the Active Directory Desired State Configuration. The same settings are also available in a standalone DSC file that can be applied to other environments.
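The following is an added example of what such a standalone DSC file looks like; it is not the repository's own file. The key names and values are the ones Microsoft documents for Defender for Identity Event ID 1644 collection. That the repository's DSC sets exactly these values is an assumption, as are the configuration and resource names used here.

```powershell
# Added example: MDI-recommended registry values for Event ID 1644 as a standalone
# DSC configuration (assumption: this mirrors what the lab's AD DSC applies).
Configuration MdiEvent1644Settings {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Level 5 for "15 Field Engineering" turns on logging of expensive and
        # inefficient LDAP searches, which is what produces Event ID 1644 in the
        # Directory Service log.
        Registry 'NTDS-FieldEngineering' {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
            ValueName = '15 Field Engineering'
            ValueData = '5'
            ValueType = 'Dword'
            Ensure    = 'Present'
            Force     = $true
        }

        # Thresholds of 1 mean every search qualifies, so every LDAP query is logged.
        $thresholds = @{
            'Expensive Search Results Threshold'   = '1'
            'Inefficient Search Results Threshold' = '1'
            'Search Time Threshold (msecs)'        = '1'
        }
        foreach ($entry in $thresholds.GetEnumerator()) {
            # Resource instance names must be unique; derive one from the value name.
            $id = 'NTDS-' + ($entry.Key -replace '[^A-Za-z0-9]', '')
            Registry $id {
                Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
                ValueName = $entry.Key
                ValueData = $entry.Value
                ValueType = 'Dword'
                Ensure    = 'Present'
                Force     = $true
            }
        }
    }
}

# Compile the MOF and apply it. Run in an elevated session on the domain controller.
$outPath = Join-Path -Path $env:TEMP -ChildPath 'MdiEvent1644Settings'
MdiEvent1644Settings -OutputPath $outPath | Out-Null
Start-DscConfiguration -Path $outPath -Wait -Verbose -Force

# Check: all four values should now be present with the data above.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering'
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object 'Expensive Search Results Threshold',
                  'Inefficient Search Results Threshold',
                  'Search Time Threshold (msecs)'
```

With thresholds of 1 the domain controller logs every LDAP query it serves. That is what MDI wants for the lab scenarios, but on a busy production DC it noticeably increases Directory Service log volume, so size the log accordingly before applying the same file elsewhere.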

  1. Generate a root and child certificate for the gateway VPN using these instructions
  2. Open the Azure Portal in a separate browser tab
  3. Use the Deploy to Azure button below to deploy the lab to your Azure environment
    1. Required: Specify the Resource Group where the lab will be deployed
    2. Required: Provide an Admin Password
    3. Recommended: Select the region where the lab should be deployed if creating a new resource group
    4. Recommended: Update the Admin User Name to your desired name
    5. Recommended: Specify a Gateway Cert Name
    6. Recommended: Specify the Gateway Cert Data (the Base64 public certificate data of the root certificate)

Deploy to Azure

Post Deployment Setup

Configure Point-to-Site VPN

If you did not specify the VPN root certificate name and provide the certificate data during deployment, follow these steps. Otherwise, skip to the Install VPN Client section below.

  1. Use the New-P2SCertificate.ps1 script, found here, to create a new root and child certificate pair for use with the Point-to-Site gateway
    1. Copy the text from the rootcert.txt file that the script generates in the folder where it is run, or from the console's on-screen output
  2. In the Azure Portal go to the Resource Group where the lab was created, find the Virtual Network Gateway resource, and click on it
    1. Go to Point-to-site configuration
    2. Provide a name for the root certificate
    3. Paste the output from the step above into the Public certificate data field
    4. Save the changes
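For readers who want to see what the certificate step in the deployment instructions and in the section above actually involves, here is an added example that produces an equivalent root and child pair and writes the root's public certificate data in the form the portal field expects. It is not the repository's New-P2SCertificate.ps1; the certificate names, the output file name and the use of the current user's store are assumptions.

```powershell
# Added example: self-signed root CA plus a client-auth certificate signed by it,
# for Azure Point-to-Site certificate authentication. Run in Windows PowerShell on
# the machine that will run the VPN client. Names are assumptions.
param(
    [string]$RootName  = 'P2SRootCert',
    [string]$ChildName = 'P2SChildCert',
    [string]$OutFile   = (Join-Path -Path $PWD -ChildPath 'rootcert.txt')
)

# Root: a self-signed certificate whose key may sign other certificates (CertSign).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$RootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Child: a certificate with the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
# signed by the root. The VPN client presents this one; it stays in the user store.
$child = New-SelfSignedCertificate -Type Custom -DnsName $ChildName -KeySpec Signature `
    -Subject "CN=$ChildName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# The gateway needs only the root's public certificate: the DER bytes as one
# Base64 line, with no BEGIN/END CERTIFICATE lines. This is the value for the
# portal's "Public certificate data" field or the Gateway Cert Data parameter.
$rootB64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path $OutFile -Value $rootB64 -NoNewline

Write-Host "Root thumbprint  : $($root.Thumbprint)"
Write-Host "Child thumbprint : $($child.Thumbprint)"
Write-Host "Root public certificate data written to $OutFile"
$rootB64
```

Two points worth keeping in mind. The gateway trusts anything chained to that root, so the root's private key is effectively the lab's VPN admission key: leave it in the local store and do not hand the PFX around. And if you want to connect from a different machine, export the child certificate with its private key (Export-PfxCertificate) and import it there; exporting only the public part will not let the client authenticate.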

Install VPN Client

  1. In the Azure Portal go to the Resource Group where the lab was created, find the Virtual Network Gateway resource, and click on it
    1. Go to Point-to-site configuration
    2. Click the Download VPN client button
  2. Install the appropriate VPN client for your OS
  3. Connect to the Point-to-Site VPN

Domain Join Machines

  1. In the Azure Portal go to the Resource Group where the lab was created, find the Virtual Network resource, and click on it. It should be named [resource group name]-vnet
  2. In the left navigation click DNS servers
    1. On the DNS servers page select the Custom radio button
    2. Add 10.0.24.4, the DC server's IP address, as a DNS server
    3. Click Save
    4. Reboot all VMs in the resource group so they pick up the new DNS server from DHCP
  3. RDP to VictimPC and join it to the contoso.com domain
  4. RDP to AdminPC and join it to the contoso.com domain
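The same procedure can be done without the portal. The following is an added example, not part of the lab repository: the first function runs from your workstation with the Az PowerShell modules and points the VNet at the DC; the second runs inside each client VM (over the VPN and RDP) and joins it to the domain after checking that DNS really resolves the domain. The resource group name is an assumption; the DC address and domain name are the ones this page uses, and it is assumed that the labadmin account has rights to join computers to the domain.

```powershell
# Added example: "Domain Join Machines" from PowerShell. Not the repository's code.
# Requires the Az.Network and Az.Compute modules on the workstation for part 1.

# Part 1: run from your workstation against the subscription holding the lab.
function Set-LabVnetDns {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroup,   # assumption: your RG name
        [string]$DcIp = '10.0.24.4'                      # ContosoDC1 per this page
    )
    Connect-AzAccount | Out-Null

    # The lab names the VNet after the resource group.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name "$ResourceGroup-vnet"
    $vnet.DhcpOptions.DnsServers = @($DcIp)     # replaces Azure-provided DNS with the DC
    $vnet | Set-AzVirtualNetwork | Out-Null

    # VMs only pick up a changed DHCP DNS option on restart, so reboot every VM.
    Get-AzVM -ResourceGroupName $ResourceGroup | ForEach-Object {
        Restart-AzVM -ResourceGroupName $ResourceGroup -Name $_.Name | Out-Null
        Write-Host "Restarted $($_.Name)"
    }
}

# Part 2: run inside Victim-PC and Admin-PC after they come back up.
function Join-LabDomain {
    param(
        [string]$Domain = 'contoso.com',
        [string]$DcIp   = '10.0.24.4',
        [string]$JoinUser = 'labadmin'   # assumption: has domain-join rights
    )
    # First check: can we reach the DC's DNS directly?
    Resolve-DnsName -Name $Domain -Type A -Server $DcIp -ErrorAction Stop | Out-Null

    # Second check, without -Server: does the VM's *configured* DNS serve the
    # domain's DC locator record? If this fails, the DHCP DNS change did not land.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null

    $cred = Get-Credential -UserName "$Domain\$JoinUser" -Message 'Domain join credential'
    Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
}

# Usage:
#   Set-LabVnetDns -ResourceGroup 'mdi-lab-rg'      # workstation
#   Join-LabDomain                                  # inside each client VM
```

If the SRV lookup in Join-LabDomain fails while the direct lookup against 10.0.24.4 succeeds, the VM is still using the Azure-provided resolver; confirm the VNet DNS setting saved and that the VM was actually restarted (not just reconnected) before joining.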

Return to MS Documentation

After completing the sections above, return to the process outlined in the Alert Lab, beginning with Configure SAM-R capabilities from ContosoDC, to complete the lab setup and learning.

VMs Created

VM Name      Operating System         IP Address   Scheduled Shutdown
ContosoDC1   Windows Server 2012 R2   10.0.24.4    7PM EST
Victim-PC    Windows 10               10.0.24.5    7PM EST
Admin-PC     Windows 10               10.0.24.6    7PM EST

Accounts and Groups Created

The deployment script and the Active Directory DSC script set up the following accounts and groups for use with the Security Alert Lab.

Account       From                OU         Details
labadmin      deployment script   Users      Admin setup account on all VMs created. The name can be changed as part of the deployment.
jeffl         AD DSC              LabUsers   Jeff Leatherman account from the Alert Lab
ronhd         AD DSC              LabUsers   Ron HelpDesk account from the Alert Lab
samiraa       AD DSC              LabUsers   Samira Abbasi account from the Alert Lab
aatpservice   AD DSC              LabUsers   Defender for Identity service account
Helpdesk      AD DSC              LabUsers   Security group of which ronhd is a member