Based on the Defender for Identity Security Alert Lab, this will create an isolated lab environment where you can safely install, configure, and test the MDI learning scenarios.
## Deployment Instructions

### Updates

#### 29 Nov 2022 - MDI Event 1644 DSC
Added the Registry settings recommended by MDI to the AD Desired State Configuration. The specific settings are also available in a standalone DSC file which can be deployed to other environments.
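As an added example (not code from this repository), here is a minimal standalone DSC configuration of the kind described above. It sets the registry values Microsoft documents for enabling Directory Service event 1644 (expensive and inefficient LDAP search logging) that Defender for Identity relies on; that the lab's own DSC file sets exactly these four values is an assumption.

```powershell
# Added example: enable Directory Service event 1644 on a domain controller via DSC.
# Registry keys/values are those documented by Microsoft for Defender for Identity;
# whether the lab's DSC file uses exactly these is an assumption.
Configuration MdiEvent1644Audit {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    $settings = @(
        # Diagnostic level 5 for "Field Engineering" is what makes 1644 get logged at all.
        @{ Name = 'FieldEngineering';     Key = "$ntds\Diagnostics"; ValueName = '15 Field Engineering';                 Data = '5' }
        # Thresholds of 1 report every search, so MDI sees the full LDAP reconnaissance picture.
        @{ Name = 'ExpensiveThreshold';   Key = "$ntds\Parameters";  ValueName = 'Expensive Search Results Threshold';   Data = '1' }
        @{ Name = 'InefficientThreshold'; Key = "$ntds\Parameters";  ValueName = 'Inefficient Search Results Threshold'; Data = '1' }
        @{ Name = 'SearchTimeThreshold';  Key = "$ntds\Parameters";  ValueName = 'Search Time Threshold (msecs)';        Data = '1' }
    )

    Node localhost {
        foreach ($s in $settings) {
            Registry $s.Name {
                Key       = $s.Key
                ValueName = $s.ValueName
                ValueType = 'Dword'
                ValueData = $s.Data
                Ensure    = 'Present'
                Force     = $true   # overwrite a pre-existing value of a different type or data
            }
        }
    }
}

# Compile the MOF and apply it to the local DC (run elevated on the domain controller).
$mofPath = Join-Path $env:TEMP 'MdiEvent1644Audit'
MdiEvent1644Audit -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Verbose -Force

# Check: once applied, LDAP searches against the DC should start producing 1644 events.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Test-DscConfiguration can be rerun later to confirm the values have not drifted, which matters because the sensor's visibility into LDAP reconnaissance silently disappears if they are reset.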
- Generate a root and child certificate for the Gateway VPN using these instructions
- Open the Azure Portal in a separate tab in your browser
- Use the Deploy to Azure button below to deploy the lab to your Azure Environment
  - Required: Specify a Resource Group where the lab will be deployed
  - Required: Provide an Admin Password
  - Recommended: Select the region where the lab should be deployed if using a new resource group
  - Recommended: Update the Admin User Name to your desired name
  - Recommended: Specify a Gateway Cert Name
  - Recommended: Specify the Gateway Cert Data
## Post Deployment Setup

### Configure Point-to-Site VPN

If you did not specify the VPN Root Cert and provide the Certificate Data, then you need to follow these steps. Otherwise you can skip these steps and go to the Install VPN Client section below.
- Use the New-P2SCertificate.ps1 script, found here to create a new Root & Child certificate pair for use with the Point-to-Site Gateway
- Copy the text from the rootcert.txt file that the script generates in the folder where it is run or from the console’s on-screen output
- In the Azure Portal go to the Resource Group where the lab was created and find the Virtual Network Gateway Resource that was created and click on it
- Go to the Point-to-Site Configuration
- Provide a name for the Root Certificate
- Paste the output from the above step into the Public certificate data field
- Save the changes
### Install VPN Client
- In the Azure Portal go to the Resource Group where the lab was created and find the Virtual Network Gateway Resource that was created and click on it
- Go to the Point-to-Site Configuration
- Click the Download VPN client button
- Install the appropriate VPN client for your OS
- Connect to the Point-to-Site VPN

### Domain Join Machines

- In the Azure Portal go to the Resource Group where the lab was created and find the Virtual Network Resource and click on it. It should be named `[resource group name]-vnet`
- In the left navigation click on DNS servers
- On the DNS Servers page select the Custom radio button
- Add `10.0.24.4`, the DC Server's IP Address, as a DNS Server
- Click Save
- Reboot all VMs in the resource group
- RDP to VictimPC and domain join it to the contoso.com domain
- RDP to AdminPC and domain join it to the contoso.com domain
### Return to MS Documentation

After completing the above sections you can return to the process outlined in the Alert Lab, beginning with the Configure SAM-R capabilities from ContosoDC step, to complete the lab setup and learning.

## VMs Created

VM Name | Operating System | IP Address | Scheduled Shutdown |
---|---|---|---|
ContosoDC1 | Windows Server 2012 R2 | 10.0.24.4 | 7PM EST |
Victim-PC | Windows 10 | 10.0.24.5 | 7PM EST |
Admin-PC | Windows 10 | 10.0.24.6 | 7PM EST |
## Accounts and Groups Created

The deployment script and Active Directory DSC script set up the following accounts and groups for use with the Security Alert Lab.
Account | From | OU | Details |
---|---|---|---|
labadmin | deployment script | Users | This is the admin setup account on all VMs created. This account can be updated/changed/modified as part of the deployment. |
jeffl | AD DSC | LabUsers | Jeff Leatherman Account from Alert Lab |
ronhd | AD DSC | LabUsers | Ron HelpDesk account from Alert Lab |
samiraa | AD DSC | LabUsers | Samira Abbasi account from Alert Lab |
aatpservice | AD DSC | LabUsers | Defender for Identity Service Account |
Helpdesk | AD DSC | LabUsers | Security Group of which ronhd is a member |