A functional Windows Server 2022 and Windows 11 enterprise lab environment.
The goal of this project was to build a functional, secure enterprise network environment using Oracle VirtualBox. This lab simulates a real-world corporate infrastructure, focusing on identity management, network configuration, and security principles like Least Privilege.
| Competency Area | Key Technologies & Skills |
|---|---|
| Identity & Access | Active Directory (AD DS), OU Design, Group Policy (GPO) |
| Security & Auditing | Account Lockout Policies, NTFS/Share Permissions, Hardening |
| SIEM & Monitoring | Splunk Enterprise, Universal Forwarder, Sysmon, Log Correlation |
| Infrastructure | DHCP, DNS, Network Mapping, Virtualization (Oracle VM) |
| Incident Response | Root Cause Analysis, Forensics, Log Aggregation, Troubleshooting |
| Remote Access | VPN (L2TP/IPsec), RRAS, NPS, Perimeter Security |
- Hypervisor: Oracle VirtualBox
- Operating Systems: Windows Server 2022, Windows 11 Pro
- Services: Active Directory Domain Services (AD DS), DNS, SMB File Sharing, Group Policy (GPO), Routing & Remote Access (RRAS), Network Policy Server (NPS)
- Monitoring/SIEM: Splunk Enterprise (Indexer), Splunk Universal Forwarder (Agent)
| Asset Name | Operating System | Role / Service | Network Configuration |
|---|---|---|---|
| LAB-DC01 | Windows Server 2022 | Domain Controller, DNS, DHCP, WSUS, VPN Gateway | Static: 192.168.56.10 |
| LAB-WS01 | Windows 11 Pro | Client Workstation | Internal Network (LabNet) |
| S: Drive | SMB Share | Centralized User Backups | Hosted on DC01 |
| VPN Pool | Virtual Interface | Remote Client Access | 10.0.0.100 - 10.0.0.150 |
To ensure security and isolation, I implemented a dual-adapter network topology.
-
Internal Network (Host-Only): Dedicated for private communication between the Domain Controller and Client.
-
NAT: Provided controlled internet access for system updates and software installation.
Objective: Establishing a scalable, enterprise-grade Identity and Access Management (IAM) foundation within the LAB.local forest.
-
Scalable Framework: Implemented a tiered OU structure to facilitate granular Group Policy application and administrative delegation.
-
Separation of Concerns: Isolated
Administrative Accounts,Standard Accounts (departmentalized by Finance, HR, and IT), andSecurity Groupsinto distinct containers to prevent policy leakage. -
Standardized Provisioning: Developed an account naming and description convention to simulate enterprise auditing requirements, as seen in the profile for
John Wick (Finance Manager).
Objective: Securely integrating client assets into the domain and verifying the Kerberos trust relationship.
-
Domain Handshake: Successfully migrated the Windows 11 Pro workstation from a standalone workgroup to the
LAB.localmanaged forest. -
Security Validation: Utilized
sysdm.cplto verify the authoritative trust relationship between the endpoint (WS01.LAB.local) and the Domain Controller. -
Identity Handshake: Confirmed that the workstation successfully honors domain credentials, allowing for centralized authentication and policy inheritance from the DC.
I transitioned the lab from basic file sharing to an Identity-Based Access Control (IBAC) model, simulating how a Tier 2 SysAdmin manages corporate data at scale.
Abandoned flat structures in favor of a tiered OU hierarchy. I separated Administrative Accounts from Standard Accounts and centralized permissions into dedicated Security Groups (e.g., SG_Finance_Users, SG_IT_Admins).
Replaced legacy .bat logon scripts with modern Group Policy Preferences (GPP). I consolidated multiple departmental policies into a single, high-efficiency GPO that utilizes Item-Level Targeting to dynamically map the S: Drive based on the user's specific Security Group membership.
-
The Logic: The GPO evaluates group membership (e.g., LAB\SG_HR) at logon before applying the mapping.
-
The Validation: Verified with a test user (Sarah Potter), ensuring the drive only maps once the security token is refreshed.
Implemented ABE on the global \\DC01\Shares root. This ensures "Security through Obscurity" by hiding folders (HR, IT, Finance) from any user who does not have explicit NTFS Read permissions, preventing internal reconnaissance.
- Verification: As shown below,
John Wick (Finance)can only see the Finance directory, whileRaimi (IT Admin)has full visibility into all departmental archives.
To validate that the Principle of Least Privilege was successfully applied beyond just visibility, I utilized the Effective Access tool to audit specific NTFS permissions for the Finance directory.
-
Administrative Oversight: Confirmed that
IT_Admin(Raimi) retains Full Control, ensuring administrative continuity and the ability to manage data lifecycle. -
Restricted Management: Verified that
Finance_Manager(John Wick) has necessaryRead/Writeaccess but is strictly denied the ability to change permissions or take ownership. This prevents accidental or malicious privilege escalation within the department.
To transition the lab into a "Hardened" state, I implemented centralized networking and defensive auditing policies.
-
Managed Infrastructure: Deployed a managed DHCP Scope (
192.168.56.100 - 192.168.56.200) on the Domain Controller to eliminate static IP overhead. -
DNS Infrastructure Integration: Configured DHCP Option 006 (DNS Servers) to automatically assign the Domain Controller’s IP (
192.168.56.10) to all network clients. This ensures seamless Active Directory service discovery and reliable Kerberos authentication across the forest. -
Validation: Verified the "Handshake" by migrating the Windows 11 client to a dynamic lease.
-
Strategy: Authored and enforced a "GPO Security Hardening Baseline" to mitigate automated credential-stuffing and brute-force attacks.
-
Policy Configuration: Enforced an Account Lockout Threshold of 3 failed attempts with a 30-minute reset window.
-
The Attack Simulation: Triggered a deliberate lockout on the Windows 11 workstation after exceeding the authorized logon attempts.
-
The Forensic Chain: Configured the Audit Account Management policy to track identity-based threats.
-
Log Correlation: Successfully correlated
Event ID 4740in the Domain Controller’s Security Log, proving the "Detection-to-Action" pipeline is fully operational.
Objective: Implementing enterprise-grade data protection through automation and surgical recovery methods.
-
Action: Deployed a PowerShell script to migrate "Critical Project" data from local user desktops to the centralized
S: Drive. -
Impact: Consolidated local data into a centralized server to ensure 100% backup coverage for all critical business files.
-
Action: Identified vulnerable legacy accounting data and migrated it to a Hidden Administrative Share (
Secure_Archives$). -
Impact: Reduced the attack surface by hiding the share from standard network discovery and enforcing
IT-Admin-onlyaccess.
-
Action: Configured Volume Shadow Copy Service (VSS) for point-in-time recovery.
-
Impact: Enabled self-service "Previous Version" restoration, significantly reducing Helpdesk RTO (Recovery Time Objective) for accidental deletions.
Objective: Final validation of Domain integrity and performance baselining.
Executed dcdiag to verify forest connectivity, advertising, and replication status. All tests passed.
Utilized Resource Monitor to baseline network and disk I/O, ensuring no bottlenecks exist within the virtualized environment.
The goal of this phase is to centralize all security logs into one place so I could monitor the entire lab from a single dashboard.
To get the logs from my Windows 11 machine to the Splunk Server, I had to configure a "Handshake" between them:
I configured the Splunk Indexer to listen on Port 9997. Think of this as opening a specific door on the server for security data to enter.
I installed the Splunk Universal Forwarder on the workstation. I then used the command line to verify the "Handshake," confirming the agent was actively forwarding data to the server at 192.168.56.10:9997.
Once the bridge was built, I tested it by performing actions that look like "hacker" activity to see if Splunk would catch them:
I tracked when an account with "Super User" powers logged in. This is a red flag if it’s an account that shouldn't have administrative access.
- Result: Splunk caught the
"Attack_Account"logging in with special system-level privileges.
I enabled a setting that records exactly what is typed into the PowerShell window. This is perfect for seeing if someone is trying to run malicious scripts.
- Result: I created a simple table that clearly lists the time, the computer name, and the exact command that was run.
I monitored for the creation of new services, which is a common technique used by attackers to establish "persistence" allowing their malicious programs to run automatically in the background.
- Result: I captured a successful alert showing the exact name of the new service
(SplunkTestService)and the file path it used(C:\Windows\System32\cmd.exe), allowing me to identify unauthorized background installations.
To transition the lab from an "unmanaged" environment to a governed enterprise network, I deployed Windows Server Update Services (WSUS) on the Domain Controller.
Configured Group Policy Objects to redirect the workstation to the local update server. As shown in the client-side view, the "managed" status is verified by the system blocking manual user overrides.
Utilized the WSUS console to organize assets into a dedicated Lab_Workstations group. Successfully synchronized 335 updates, achieving a 99% patch compliance rate across the domain.
Resolved a critical dependency issue involving legacy SQL CLR and Report Viewer runtimes on Server 2022. This enabled the generation of "Computer Detailed Status Reports," providing actionable security audits for stakeholders.
Objective: Bridging the gap between the internal lab and the outside world. I implemented a secure entry point to allow remote users to "dial-in" and access corporate resources as if they were sitting in the office.
-
Service: Configured Routing and Remote Access Service (RRAS) on the Domain Controller to act as a Full-Tunnel VPN Gateway. By routing all remote traffic through this secure perimeter, the organization ensures centralized monitoring and security auditing of all external web activity.
-
Authentication: Leveraged Active Directory (AD DS) for native identity verification, ensuring that only users with explicit "Dial-in" permissions can establish a tunnel.
-
Identity-Based Access: Used Network Policy Server (NPS) to validate user credentials against the forest, maintaining a unified security posture for both local and remote endpoints.
Configured specific "Dial-in" permissions for Sarah Potter in Active Directory, verifying that the VPN acts as a gatekeeper for corporate network resources.
Utilized ipconfig to confirm a successful VPN handshake, resulting in the acquisition of a virtualized tunnel IP address (10.0.0.102).
Verified that the remote client successfully mapped the HR (S:) drive over the encrypted tunnel, confirming that GPO-based file share mapping remains functional outside the local network perimeter.
Objective: To validate the security of the domain authentication process and monitor the resource request lifecycle at the packet level using Wireshark.
By capturing traffic on the Domain Controller, I visualized the "Identity Handshake" that occurs when the Windows 11 workstation authenticates.
| Protocol | Analysis & Observation |
|---|---|
| KRB5 (Kerberos) | The Challenge-Response: Captured the AS-REQ and subsequent PREAUTH_REQUIRED error. This confirms the DC is enforcing secure Pre-Authentication, a critical defense against offline password guessing. |
| TGS-REQ | Ticket Granting: Observed the client requesting specific service tickets after successful login, proving the transition from identity verification to resource authorization. |
| LDAP (SASL) | Secure Directory Lookups: Verified that the client queries Active Directory for Group Policy and user attributes using SASL encryption, ensuring sensitive directory data is not sent in cleartext. |
| SMB2 | File System Handshake: Identified the exact moment the client established a connection to the S: drive, correlating the network traffic with the Group Policy Preferences (GPP) mapping. |
| DCERPC | Directory Replication: Monitored the DRSUAPI interface, confirming the workstation is successfully synchronizing security descriptors with the Domain Controller. |
-
Issue: Encountered a "Version Mismatch" where Windows 11 Home could not join a domain.
- Solution: Successfully upgraded the VM to Windows 11 Pro to enable enterprise features.
-
Issue: Kerberos Time Skew. Encountered an error where the computer clock was not synchronized with the Domain Controller.
- Solution: Identified a VM clock drift mismatch and utilized
w32tm /resyncto align the client with the DC's NTP source * Security: Implemented Account Lockout Policies to mitigate brute-force attacks.
- Solution: Identified a VM clock drift mismatch and utilized
-
Issue: GPO settings (Audit Policies) were not applying to the Windows 11 workstation.
- Root Cause: The workstation was located in the default "Computers" container, which does not support GPO linking.
- Solution: Created a dedicated Workstation OU, moved the computer object, and performed a
gpupdate /forceto successfully trigger policy inheritance.
-
Issue: Event Viewer GUI "Query Timeout" or hang on the client machine.
- Solution: Pivoted to PowerShell-based forensics using
Get-EventLogto bypass GUI limitations and extract security data directly from the.evtxbuffer.
- Solution: Pivoted to PowerShell-based forensics using
-
Issue: Splunk CLI returned "parameter name: path must be a file or directory" when adding monitors.
- Root Cause: The CLI was misinterpreting the Windows Event Log provider as a local file path.
- Solution: Pivoted to manual configuration by authoring a custom
inputs.conffile inetc/system/local, ensuring proper ingestion of the Windows Security buffer.
-
Issue: "Local Event Log Collection" UI returned a 404 error on the Server VM.
- Solution: Bypassed the GUI limitation by manually editing the server-side configuration files and restarting the Splunk service via CLI to force-enable local log indexing.
-
Issue: WSUS Reporting console failed to load on Windows Server 2022.
- Root Cause: A legacy hard-coded dependency requiring Microsoft Report Viewer 2012, which is not included in modern Server OS builds.
- Solution: Navigated the prerequisite chain by manually installing the SQL Server 2012 System CLR Types library followed by the Report Viewer 2012 Runtime, enabling the generation of PDF/GUI compliance reports.
-
Issue: Windows 11 client stuck at "Downloading 0%" from the local WSUS server.
- Solution: Performed a SoftwareDistribution cache reset on the client machine and utilized
wuauclt /reportnowto force a fresh handshake with the Domain Controller, resolving the hung update task.
- Solution: Performed a SoftwareDistribution cache reset on the client machine and utilized
-
Issue: Encountered routing conflicts when attempting to implement Split Tunneling.
-
Root Cause: A gateway conflict between the NAT (Internet) adapter and the Internal (LAN) adapter caused the VPN handshake to fail.
-
Solution: Pivoted to a Full Tunnel configuration. While this routes all traffic through the corporate gateway, it ensures that 100% of the remote client's traffic is subject to organizational security policies and monitoring, a preferred "Security First" approach.
-
-
Issue: VPN client was unable to resolve Domain names after connecting.
- Solution: Manually configured the VPN adapter's DNS settings to point directly to the DC’s internal IP (
10.0.0.1), ensuring proper resolution of local resource names.
- Solution: Manually configured the VPN adapter's DNS settings to point directly to the DC’s internal IP (
-
Issue:
KRB5KDC_ERR_PREAUTH_REQUIREDin packet captures.- Root Cause: Initial Kerberos requests are sent without a timestamp to see if the KDC requires pre- authentication.
- Solution: Confirmed this as Normal Behavior. The subsequent
AS-REQincluded the encrypted timestamp, resulting in a successful login. This validated that the lab's security baseline for Kerberos is functioning as intended.
To further expand this lab, I plan to implement:
-
Infrastructure as Code (IaC): Automating the deployment of the lab using Terraform or Ansible to simulate rapid environment provisioning.
-
Intrusion Detection (IDS/IPS): Integrating Suricata or Snort to monitor for malicious network signatures between the Internal Network and the VPN gateway.
-
Advanced Threat Simulation: Using the Mitre ATT&CK framework to simulate specific adversary techniques (e.g., Golden Ticket attacks) and creating custom Splunk dashboards to detect them.