Skip to content

RaimiShun/Active-Directory-Home-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 

Repository files navigation

Active-Directory-Home-Lab

A functional Windows Server 2022 and Windows 11 enterprise lab environment.

Objective

The goal of this project was to build a functional, secure enterprise network environment using Oracle VirtualBox. This lab simulates a real-world corporate infrastructure, focusing on identity management, network configuration, and security principles like Least Privilege.

Core Competencies

Competency Area Key Technologies & Skills
Identity & Access Active Directory (AD DS), OU Design, Group Policy (GPO)
Security & Auditing Account Lockout Policies, NTFS/Share Permissions, Hardening
SIEM & Monitoring Splunk Enterprise, Universal Forwarder, Sysmon, Log Correlation
Infrastructure DHCP, DNS, Network Mapping, Virtualization (Oracle VM)
Incident Response Root Cause Analysis, Forensics, Log Aggregation, Troubleshooting
Remote Access VPN (L2TP/IPsec), RRAS, NPS, Perimeter Security

Technologies Used

  • Hypervisor: Oracle VirtualBox
  • Operating Systems: Windows Server 2022, Windows 11 Pro
  • Services: Active Directory Domain Services (AD DS), DNS, SMB File Sharing, Group Policy (GPO), Routing & Remote Access (RRAS), Network Policy Server (NPS)
  • Monitoring/SIEM: Splunk Enterprise (Indexer), Splunk Universal Forwarder (Agent)

Lab Asset Inventory

Asset Name Operating System Role / Service Network Configuration
LAB-DC01 Windows Server 2022 Domain Controller, DNS, DHCP, WSUS, VPN Gateway Static: 192.168.56.10
LAB-WS01 Windows 11 Pro Client Workstation Internal Network (LabNet)
S: Drive SMB Share Centralized User Backups Hosted on DC01
VPN Pool Virtual Interface Remote Client Access 10.0.0.100 - 10.0.0.150

Phase 1: Network Architecture

To ensure security and isolation, I implemented a dual-adapter network topology.

  • Internal Network (Host-Only): Dedicated for private communication between the Domain Controller and Client.

  • NAT: Provided controlled internet access for system updates and software installation.

Settings Settings (2)

Phase 2: Active Directory Architecture & Identity Design

Objective: Establishing a scalable, enterprise-grade Identity and Access Management (IAM) foundation within the LAB.local forest.

Hierarchical Organizational Unit (OU) Design

  • Scalable Framework: Implemented a tiered OU structure to facilitate granular Group Policy application and administrative delegation.

  • Separation of Concerns: Isolated Administrative Accounts, Standard Accounts (departmentalized by Finance, HR, and IT), and Security Groups into distinct containers to prevent policy leakage.

  • Standardized Provisioning: Developed an account naming and description convention to simulate enterprise auditing requirements, as seen in the profile for John Wick (Finance Manager).

AD UC

Phase 3: Endpoint Enrollment & Trust Validation

Objective: Securely integrating client assets into the domain and verifying the Kerberos trust relationship.

  • Domain Handshake: Successfully migrated the Windows 11 Pro workstation from a standalone workgroup to the LAB.local managed forest.

  • Security Validation: Utilized sysdm.cpl to verify the authoritative trust relationship between the endpoint (WS01.LAB.local) and the Domain Controller.

  • Identity Handshake: Confirmed that the workstation successfully honors domain credentials, allowing for centralized authentication and policy inheritance from the DC.

Trust Validation

Phase 4: Enterprise Resource Management & Identity-Based Access

I transitioned the lab from basic file sharing to an Identity-Based Access Control (IBAC) model, simulating how a Tier 2 SysAdmin manages corporate data at scale.

Scalable OU & Group Architecture:

Abandoned flat structures in favor of a tiered OU hierarchy. I separated Administrative Accounts from Standard Accounts and centralized permissions into dedicated Security Groups (e.g., SG_Finance_Users, SG_IT_Admins).

Dynamic Drive Mapping via GPP & Item-Level Targeting:

Replaced legacy .bat logon scripts with modern Group Policy Preferences (GPP). I consolidated multiple departmental policies into a single, high-efficiency GPO that utilizes Item-Level Targeting to dynamically map the S: Drive based on the user's specific Security Group membership.

  • The Logic: The GPO evaluates group membership (e.g., LAB\SG_HR) at logon before applying the mapping.

  • The Validation: Verified with a test user (Sarah Potter), ensuring the drive only maps once the security token is refreshed.

Screenshot 2026-04-29 020044 Screenshot 2026-04-29 022850

Access-Based Enumeration (ABE):

Implemented ABE on the global \\DC01\Shares root. This ensures "Security through Obscurity" by hiding folders (HR, IT, Finance) from any user who does not have explicit NTFS Read permissions, preventing internal reconnaissance.

  • Verification: As shown below, John Wick (Finance) can only see the Finance directory, while Raimi (IT Admin) has full visibility into all departmental archives.
Finance only IT Admin

Granular Permission Audit (NTFS Verification)

To validate that the Principle of Least Privilege was successfully applied beyond just visibility, I utilized the Effective Access tool to audit specific NTFS permissions for the Finance directory.

  • Administrative Oversight: Confirmed that IT_Admin (Raimi) retains Full Control, ensuring administrative continuity and the ability to manage data lifecycle.

  • Restricted Management: Verified that Finance_Manager (John Wick) has necessary Read/Write access but is strictly denied the ability to change permissions or take ownership. This prevents accidental or malicious privilege escalation within the department.

effective access 2 effetive access

Phase 5: Network Services & Security Hardening

To transition the lab into a "Hardened" state, I implemented centralized networking and defensive auditing policies.

Centralized Network Management (DHCP)

  • Managed Infrastructure: Deployed a managed DHCP Scope (192.168.56.100 - 192.168.56.200) on the Domain Controller to eliminate static IP overhead.

  • DNS Infrastructure Integration: Configured DHCP Option 006 (DNS Servers) to automatically assign the Domain Controller’s IP (192.168.56.10) to all network clients. This ensures seamless Active Directory service discovery and reliable Kerberos authentication across the forest.

  • Validation: Verified the "Handshake" by migrating the Windows 11 client to a dynamic lease.

DHCP Handshake DNS Server 006

Brute-Force Mitigation & GPO Hardening

  • Strategy: Authored and enforced a "GPO Security Hardening Baseline" to mitigate automated credential-stuffing and brute-force attacks.

  • Policy Configuration: Enforced an Account Lockout Threshold of 3 failed attempts with a 30-minute reset window.

Security hardening GPO

Security Auditing & Incident Simulation

  • The Attack Simulation: Triggered a deliberate lockout on the Windows 11 workstation after exceeding the authorized logon attempts.

  • The Forensic Chain: Configured the Audit Account Management policy to track identity-based threats.

  • Log Correlation: Successfully correlated Event ID 4740 in the Domain Controller’s Security Log, proving the "Detection-to-Action" pipeline is fully operational.

AC Lockout Audit Policy AC Lockout Eventviewer

Phase 6: Data Governance & Resiliency

Objective: Implementing enterprise-grade data protection through automation and surgical recovery methods.

Task A: Automated Endpoint Migration

  • Action: Deployed a PowerShell script to migrate "Critical Project" data from local user desktops to the centralized S: Drive.

  • Impact: Consolidated local data into a centralized server to ensure 100% backup coverage for all critical business files.

Script

Task B: Legacy Application Risk Mitigation

  • Action: Identified vulnerable legacy accounting data and migrated it to a Hidden Administrative Share (Secure_Archives$).

  • Impact: Reduced the attack surface by hiding the share from standard network discovery and enforcing IT-Admin-only access.

Legacy migration

Task C: Disaster Recovery (VSS)

  • Action: Configured Volume Shadow Copy Service (VSS) for point-in-time recovery.

  • Impact: Enabled self-service "Previous Version" restoration, significantly reducing Helpdesk RTO (Recovery Time Objective) for accidental deletions.

Shadowcopies self-service recovery

Phase 7: Infrastructure Health & Validation

Objective: Final validation of Domain integrity and performance baselining.

Active Directory Health Audit:

Executed dcdiag to verify forest connectivity, advertising, and replication status. All tests passed.

dcdiag

Perfomance Monitoring:

Utilized Resource Monitor to baseline network and disk I/O, ensuring no bottlenecks exist within the virtualized environment.

resmon

Phase 8: Monitoring with Splunk (SIEM Integration)

The goal of this phase is to centralize all security logs into one place so I could monitor the entire lab from a single dashboard.

The Setup: Building the Data Bridge

To get the logs from my Windows 11 machine to the Splunk Server, I had to configure a "Handshake" between them:

The Receiver:

I configured the Splunk Indexer to listen on Port 9997. Think of this as opening a specific door on the server for security data to enter.

Screenshot 2026-04-28 220418

The Agent & Connection:

I installed the Splunk Universal Forwarder on the workstation. I then used the command line to verify the "Handshake," confirming the agent was actively forwarding data to the server at 192.168.56.10:9997.

Screenshot 2026-04-28 222349

Security Alerts & Activity Catching

Once the bridge was built, I tested it by performing actions that look like "hacker" activity to see if Splunk would catch them:

High-Privilege Login (Event 4672)

I tracked when an account with "Super User" powers logged in. This is a red flag if it’s an account that shouldn't have administrative access.

  • Result: Splunk caught the "Attack_Account" logging in with special system-level privileges.
Screenshot 2026-04-28 220635

PowerShell Command Logging (Event 4104)

I enabled a setting that records exactly what is typed into the PowerShell window. This is perfect for seeing if someone is trying to run malicious scripts.

  • Result: I created a simple table that clearly lists the time, the computer name, and the exact command that was run.
Screenshot 2026-04-28 225953

New Service Created (Event 7045)

I monitored for the creation of new services, which is a common technique used by attackers to establish "persistence" allowing their malicious programs to run automatically in the background.

  • Result: I captured a successful alert showing the exact name of the new service (SplunkTestService) and the file path it used (C:\Windows\System32\cmd.exe), allowing me to identify unauthorized background installations.
Screenshot 2026-04-28 221455

Phase 9: Patch Management & Compliance (WSUS)

To transition the lab from an "unmanaged" environment to a governed enterprise network, I deployed Windows Server Update Services (WSUS) on the Domain Controller.

Policy-Driven Updates (GPO):

Configured Group Policy Objects to redirect the workstation to the local update server. As shown in the client-side view, the "managed" status is verified by the system blocking manual user overrides.

Screenshot 2026-04-23 153748

Centralized Administration:

Utilized the WSUS console to organize assets into a dedicated Lab_Workstations group. Successfully synchronized 335 updates, achieving a 99% patch compliance rate across the domain.

Screenshot 2026-04-23 154418

Infrastructure Troubleshooting & Reporting:

Resolved a critical dependency issue involving legacy SQL CLR and Report Viewer runtimes on Server 2022. This enabled the generation of "Computer Detailed Status Reports," providing actionable security audits for stakeholders.

Screenshot 2026-04-23 162445

Phase 10: Remote Access & VPN Implementation

Objective: Bridging the gap between the internal lab and the outside world. I implemented a secure entry point to allow remote users to "dial-in" and access corporate resources as if they were sitting in the office.

The Architecture: Secure Remote Connectivity

  • Service: Configured Routing and Remote Access Service (RRAS) on the Domain Controller to act as a Full-Tunnel VPN Gateway. By routing all remote traffic through this secure perimeter, the organization ensures centralized monitoring and security auditing of all external web activity.

  • Authentication: Leveraged Active Directory (AD DS) for native identity verification, ensuring that only users with explicit "Dial-in" permissions can establish a tunnel.

  • Identity-Based Access: Used Network Policy Server (NPS) to validate user credentials against the forest, maintaining a unified security posture for both local and remote endpoints.

Validation & Proof of Concept

Identity Verification:

Configured specific "Dial-in" permissions for Sarah Potter in Active Directory, verifying that the VPN acts as a gatekeeper for corporate network resources.

Screenshot 2026-04-30 025012

Connectivity Audit:

Utilized ipconfig to confirm a successful VPN handshake, resulting in the acquisition of a virtualized tunnel IP address (10.0.0.102).

Screenshot 2026-04-30 024948

Resource Access:

Verified that the remote client successfully mapped the HR (S:) drive over the encrypted tunnel, confirming that GPO-based file share mapping remains functional outside the local network perimeter.

Screenshot 2026-04-30 015053

Phase 11: Network Protocol Analysis & Forensic Verification

Objective: To validate the security of the domain authentication process and monitor the resource request lifecycle at the packet level using Wireshark.

The Lifecycle of a Domain Login

By capturing traffic on the Domain Controller, I visualized the "Identity Handshake" that occurs when the Windows 11 workstation authenticates.

Technical Protocol Breakdown

Protocol Analysis & Observation
KRB5 (Kerberos) The Challenge-Response: Captured the AS-REQ and subsequent PREAUTH_REQUIRED error. This confirms the DC is enforcing secure Pre-Authentication, a critical defense against offline password guessing.
TGS-REQ Ticket Granting: Observed the client requesting specific service tickets after successful login, proving the transition from identity verification to resource authorization.
LDAP (SASL) Secure Directory Lookups: Verified that the client queries Active Directory for Group Policy and user attributes using SASL encryption, ensuring sensitive directory data is not sent in cleartext.
SMB2 File System Handshake: Identified the exact moment the client established a connection to the S: drive, correlating the network traffic with the Group Policy Preferences (GPP) mapping.
DCERPC Directory Replication: Monitored the DRSUAPI interface, confirming the workstation is successfully synchronizing security descriptors with the Domain Controller.
Screenshot 2026-05-01 161939

Key Takeaways & Troubleshooting

  • Issue: Encountered a "Version Mismatch" where Windows 11 Home could not join a domain.

    • Solution: Successfully upgraded the VM to Windows 11 Pro to enable enterprise features.
  • Issue: Kerberos Time Skew. Encountered an error where the computer clock was not synchronized with the Domain Controller.

    • Solution: Identified a VM clock drift mismatch and utilized w32tm /resync to align the client with the DC's NTP source * Security: Implemented Account Lockout Policies to mitigate brute-force attacks.
  • Issue: GPO settings (Audit Policies) were not applying to the Windows 11 workstation.

    • Root Cause: The workstation was located in the default "Computers" container, which does not support GPO linking.
    • Solution: Created a dedicated Workstation OU, moved the computer object, and performed a gpupdate /force to successfully trigger policy inheritance.
  • Issue: Event Viewer GUI "Query Timeout" or hang on the client machine.

    • Solution: Pivoted to PowerShell-based forensics using Get-EventLog to bypass GUI limitations and extract security data directly from the .evtx buffer.
  • Issue: Splunk CLI returned "parameter name: path must be a file or directory" when adding monitors.

    • Root Cause: The CLI was misinterpreting the Windows Event Log provider as a local file path.
    • Solution: Pivoted to manual configuration by authoring a custom inputs.conf file in etc/system/local, ensuring proper ingestion of the Windows Security buffer.
  • Issue: "Local Event Log Collection" UI returned a 404 error on the Server VM.

    • Solution: Bypassed the GUI limitation by manually editing the server-side configuration files and restarting the Splunk service via CLI to force-enable local log indexing.
  • Issue: WSUS Reporting console failed to load on Windows Server 2022.

    • Root Cause: A legacy hard-coded dependency requiring Microsoft Report Viewer 2012, which is not included in modern Server OS builds.
    • Solution: Navigated the prerequisite chain by manually installing the SQL Server 2012 System CLR Types library followed by the Report Viewer 2012 Runtime, enabling the generation of PDF/GUI compliance reports.
  • Issue: Windows 11 client stuck at "Downloading 0%" from the local WSUS server.

    • Solution: Performed a SoftwareDistribution cache reset on the client machine and utilized wuauclt /reportnow to force a fresh handshake with the Domain Controller, resolving the hung update task.
  • Issue: Encountered routing conflicts when attempting to implement Split Tunneling.

    • Root Cause: A gateway conflict between the NAT (Internet) adapter and the Internal (LAN) adapter caused the VPN handshake to fail.

    • Solution: Pivoted to a Full Tunnel configuration. While this routes all traffic through the corporate gateway, it ensures that 100% of the remote client's traffic is subject to organizational security policies and monitoring, a preferred "Security First" approach.

  • Issue: VPN client was unable to resolve Domain names after connecting.

    • Solution: Manually configured the VPN adapter's DNS settings to point directly to the DC’s internal IP (10.0.0.1), ensuring proper resolution of local resource names.
  • Issue: KRB5KDC_ERR_PREAUTH_REQUIRED in packet captures.

    • Root Cause: Initial Kerberos requests are sent without a timestamp to see if the KDC requires pre- authentication.
    • Solution: Confirmed this as Normal Behavior. The subsequent AS-REQ included the encrypted timestamp, resulting in a successful login. This validated that the lab's security baseline for Kerberos is functioning as intended.

Future Enhancements

To further expand this lab, I plan to implement:

  • Infrastructure as Code (IaC): Automating the deployment of the lab using Terraform or Ansible to simulate rapid environment provisioning.

  • Intrusion Detection (IDS/IPS): Integrating Suricata or Snort to monitor for malicious network signatures between the Internal Network and the VPN gateway.

  • Advanced Threat Simulation: Using the Mitre ATT&CK framework to simulate specific adversary techniques (e.g., Golden Ticket attacks) and creating custom Splunk dashboards to detect them.

About

A secure Windows Server 2022 and Windows 11 enterprise lab environment featuring departmental OU hierarchy, GPO automation, and RBAC-driven file sharing.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors