Team,
To stay proficient across the broad security space and its integration with the client/server world and cloud apps, it is very valuable to set up your own lab environments, not only of CA solutions but also of the user stores/applications that would be managed for customer use-cases. A very common use-case is management of one or many ADS domains, with or without an Exchange domain.
If you don't have access to an MSDN license or a company-approved server key, you can use the MS 180-day evaluation license for MS Windows Server, or even the unlimited licenses for Hyper-V Server or Release Candidates (later versions).
Example: MS Windows 2012 R2
Try Windows Server 2012 R2 | TechNet Evaluation Center
You may use VMware Workstation / ESXi or MS VHD Server to deploy a clean image of the MS Windows OS.
1) After installing the OS, you may wish to declare this OS to be your base OS, and update it accordingly with MS Windows Updates & MS Defender (or another A/V solution).
- With this base image, I like to install a 2nd local Admin account and make a few adjustments:
net user idmadmin Password01 /add
net localgroup administrators idmadmin /add
..\windows_2003_resource_kit\ntrights.exe -u idmadmin +r SeServiceLogonRight
- Add a 2nd NIC to the OS image (create a VMware host-only network without DHCP, using the 10.10.10.x address range)
- Download and deploy the MS Sysinternals Suite, especially Process Explorer (replaces Task Manager), BgInfo (stamps the background image with hostname/IP/boot time) and Process Monitor (to debug 3rd-party installs)
Sysinternals Suite
- Deploy .NET Framework 3.51 (used by the embedded CA components as a pre-req and by MS SQL Server)
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
- Deploy a 3rd-party OpenSSL binary for MS Windows x64 [Goal: speed up the process of building certs for the lab]
https://slproweb.com/products/Win32OpenSSL.html
2) Making a clone of the MS Windows server requires the additional step of running the MS Sysprep tool.
- This tool reinitializes the MS Windows image so that the clone can be joined to an AD domain with no impact.
- If you don't plan on making more than one image, you can skip this step and only use the base OS image you deployed.
- Example: C:\Windows\System32\Sysprep\Sysprep.exe /generalize /quiet /reboot
3) After your MS Windows image reboots, you will answer a few localization questions (language/date/etc.) and then be presented with the logon prompt. Upon logon, rename the hostname of the image.
- Example:
::Rename Hostname Options
set NEWHOSTNAME=dc001
::wmic method
wmic computersystem where name="%COMPUTERNAME%" call rename name="%NEWHOSTNAME%"
::Requires a reboot action
shutdown /r /t 30
::netdom alternative method
::netdom renamecomputer "%COMPUTERNAME%" /NetName:"%NEWHOSTNAME%" /Force /Reboot
4) After the reboot, change the IP address from DHCP to a static 10.10.10.x address.
- Example:
::Update from DHCP IP to Static IP Address Options
set NIC_ADP_NAME=Ethernet1
:: set NIC_ADP_NAME=Local Area Connection
set IP_ADDR=10.10.10.3
set IP_MASK=255.255.255.0
set IP_GW=10.10.10.2
set DNS=10.10.10.3
::netsh method #1
:: Display Config
netsh interface ip show config
:: Save Before State
netsh -c interface dump > c:\%COMPUTERNAME%_NIC_before_state.txt
:: Update IP Address
netsh interface ip set address name="%NIC_ADP_NAME%" static %IP_ADDR% %IP_MASK% %IP_GW% 1
::Netsh method to update DNS and WINS to static addresses (adapter name is quoted so names with spaces work)
netsh interface ip set dns "%NIC_ADP_NAME%" static %DNS%
netsh interface ip set wins "%NIC_ADP_NAME%" static %DNS%
5) No reboot is required for the IP change. After the above step, let's ensure that MS Windows Update is working correctly.
- Example:
::Scan & find latest patches
wuauclt.exe /DetectNow /ReportNow
::Force update after scan
Wuauclt.exe /UpdateNow
::Show Update GUI
Wuauclt.exe /ShowWU
6) Create a new MS Active Directory domain on the MS Windows OS. Update DomainMode/ForestMode if desired, and replace DomainName & DomainNetbiosName with the correct domain name.
# Installing AD DS by using Windows PowerShell
# Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell.
# Prerequisite: the AD DS role must be present (Install-WindowsFeature AD-Domain-Services -IncludeManagementTools)
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "exchange.lab" `
    -DomainNetbiosName "EXCHANGE" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
7) Reboot, then log in with the Administrator account; validate that the server now reports it is a DC and a member of the domain. Use the new MS ADS tools, such as ADUC (Active Directory Users and Computers), and view the DC OU.
8) Check whether TCP 636 is listening with a certificate. Use the MS tool ldp.exe to connect via SSL to port 636.
Alternatively, use: openssl s_client -connect hostname:636 -showcerts
9a) Create a CA root certificate and a signed server certificate using OpenSSL and the MS tool certreq.exe. Goal: avoid the "black box" wizard of the MS Certificate Authority and/or Enterprise CA, to gain a better understanding of how certificates may be created and used for an AD Domain Controller.
Active Directory requires an SCHANNEL-type SSL certificate (private key held by the Microsoft RSA SChannel provider in the machine key set) for LDAPS to function correctly. To ensure this format is used, I recommend having the following "request.inf" file ready; update the Subject line to the correct FQDN (dc001.exchange.lab):
;----------------- request.inf (saved as ADS_server_cert_request.inf for the step 9b script) -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=dc001.exchange.lab"
;
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
9b) Steps to create the CA root certificate and server certificate for the AD Domain Controller. Note: this script has variables to be updated, and it cleans up after itself each time it runs, as long as the "names" match.
@echo on
:: Create a CA root Certificate
:: Set an initial openssl configuration file
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
set FQDN=dc001.exchange.lab
set PASSWORD=P$ssword01
:: Make a output folder
mkdir c:\temp\openssl
:: Clean up Certs from prior executions / stores
certutil -delstore "Root" ###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###
certutil -delstore "My" %FQDN%
:: Update inf file with the latest FQDN name
copy ADS_server_cert_request.inf c:\temp\openssl\ADS_server_cert_request.inf
:: Generate a private CA key
cd /d C:\OpenSSL-Win64\bin
openssl genrsa -des3 -passout pass:%PASSWORD% -out c:\temp\openssl\01.rootCA.key 1024
openssl rsa -in c:\temp\openssl\01.rootCA.key -passin pass:%PASSWORD% -out c:\temp\openssl\02.rootCA_nopassword.key
:: Create a self-signed x509 cert
openssl req -out c:\temp\openssl\03.rootCA.crt -key c:\temp\openssl\02.rootCA_nopassword.key -new -x509 -days 7300 -subj "/CN=###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###"
:: Execute on the Active Directory Server (DC) only
certreq -f -new c:\temp\openssl\ADS_server_cert_request.inf c:\temp\openssl\%FQDN%.csr
:: Extensions for the issued cert: openssl x509 -req does not copy the CSR's extensions (EKU/SAN), so supply them via -extfile
(echo extendedKeyUsage = serverAuth& echo subjectAltName = DNS:%FQDN%) > c:\temp\openssl\server_ext.cnf
:: Sign the CSR with the private CA key
openssl x509 -req -days 3650 -in c:\temp\openssl\%FQDN%.csr -CA c:\temp\openssl\03.rootCA.crt -CAkey c:\temp\openssl\02.rootCA_nopassword.key -set_serial 01 -extfile c:\temp\openssl\server_ext.cnf -out c:\temp\openssl\%FQDN%.crt
:: On both the AD & IMPS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates)
:: Use either the MS GUI tool of certlm.msc or use the MS CLI process with certutil
certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt
:: Only on the AD server, accept the signed cert. This MUST PASS to SUCCEED
:: Cert will then be auto-copied to (Local Computer \ Personal \ Certificates )
certreq -accept c:\temp\openssl\%FQDN%.crt
pause
9c) Calling out this step for clarity. On all of the IMPS & CCS servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates). Use either the MS GUI tool certlm.msc or the MS CLI process with certutil:
certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt
Note: This is the public CA root cert that would also be copied to other 3rd-party LDAP client tools.
Note 2: The Windows certificate store on the AD server has TWO (2) sections: Current User and Local Computer. Ensure that the public CA root certificate is published to Local Computer.
10) Done. Validate that TCP 636 is available with an SSL cert; you may use MS ldp.exe. Note: the DC may not need to be rebooted/bounced.
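An added validation script for step 10 (my own example, not part of the original post) that checks the certificate the DC presents on TCP 636 for the properties the step 9a request.inf asks for: Server Authentication EKU, subject/SAN, RSA key size, validity window, and a chain ending at the lab root imported into Local Computer \ Trusted Root in step 9c. The FQDN and root CA name are assumptions taken from the steps above; the EKU and SAN checks are the ones most likely to fail when a cert is issued with openssl x509 -req and no extensions file, since that command does not carry the CSR's extensions into the issued certificate.

```powershell
# Added example (not from the original post): validate the LDAPS cert on TCP 636.
# Assumes the lab FQDN and root CA CN from the steps above; change the parameters for your lab.
param(
    [string]$Fqdn     = "dc001.exchange.lab",
    [string]$RootCaCn = "###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###"
)
$NameType = [System.Security.Cryptography.X509Certificates.X509NameType]

# Take the leaf certificate from the TLS handshake itself; no LDAP bind is needed.
# The callback returns $true because the chain is verified explicitly further down.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$tls.AuthenticateAsClient($Fqdn)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tls.Dispose(); $tcp.Dispose()

$checks = [ordered]@{}
$checks["Subject CN is $Fqdn"] = ($leaf.GetNameInfo($NameType::SimpleName, $false) -eq $Fqdn)

# EKU 2.5.29.37 must list Server Authentication; SAN 2.5.29.17 is what modern clients match on.
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekuOids = @(); if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
$checks["EKU contains Server Authentication 1.3.6.1.5.5.7.3.1"] = ($ekuOids -contains "1.3.6.1.5.5.7.3.1")
$checks["Subject Alternative Name present"] = [bool]($leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" })

# request.inf sets KeyLength = 1024; flag anything below 2048 so it is not forgotten in the lab.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
$checks["RSA key length >= 2048 (request.inf uses 1024)"] = ($rsa -ne $null -and $rsa.KeySize -ge 2048)
$now = Get-Date
$checks["Certificate within validity period"] = ($leaf.NotBefore -le $now -and $leaf.NotAfter -gt $now)

# The chain must end at the lab root placed in LocalMachine\Root by certutil -addstore "Root".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"     # the lab CA publishes no CRL
$built = $chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$checks["Chain builds to a trusted root"] = $built
$checks["Trusted root is the lab CA"]     = ($root.GetNameInfo($NameType::SimpleName, $false) -eq $RootCaCn)

foreach ($c in $checks.GetEnumerator()) {
    "{0}  {1}" -f $(if ($c.Value) { "PASS" } else { "FAIL" }), $c.Key
}
```

Run it from an IMPS/CCS server that has already imported the root per step 9c; a FAIL on the chain line from that host usually means the root landed in Current User instead of Local Computer (Note 2 above).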
11) Extra: create 120,000 accounts in your new AD domain with a for loop. Example rates are given for the commands dsadd user, dsmod user and net user:
:: Batch Version for 120K accounts, e.g. add START in front, if wish to call from this file.
:: Rate: 2 add/sec - suggest parallel adds, e.g. 40K / 2 add/sec = 20K seconds /60 = 334 min = 5.6 hours
::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid aatestuser%%i -upn aatestuser%%i@exchange.dom -fn AATest -ln User%%i -display "AATest User%%i" -pwd P@ssw0rd -disabled no
::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid bbtestuser%%i -upn bbtestuser%%i@exchange.dom -fn BBTest -ln User%%i -display "BBTest User%%i" -pwd P@ssw0rd -disabled no
::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid testuser%%i -upn testuser%%i@exchange.dom -fn Test -ln User%%i -display "Test User%%i" -pwd P@ssw0rd -disabled no
:: Rate: 30 mod/sec - suggest parallel mods, e.g. 40K / 30 mod/sec = 1334 seconds / 60 = 22 min
::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q
::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q
::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q
:: Rate: 60 mod/sec - suggest parallel mods, e.g. 40K / 60 mod/sec = 667 seconds / 60 = 11 min
START FOR /L %%i in (1,1,40000) DO net user aatestuser%%i /comment:"NET USER"
START FOR /L %%i in (1,1,40000) DO net user bbtestuser%%i /comment:"NET USER"
START FOR /L %%i in (1,1,40000) DO net user testuser%%i /comment:"NET USER"
12) Test this new domain with the following tools:
IMPS - Active Directory Endpoint (define and Explore/Correlate)
IMPS\bin\adsldapdiag.exe (CLI tool)
IMPS\bin\ldapsearch.exe (CLI tool)
openssl s_client -connect DC_FQDN:636 -showcerts (CLI tool)
Jxplorer (install/update)
Apache Directory Studio (no install/update + csv export)
SoftTerra LDAPBrowser (install/read-only tool + csv export)
OpenLDAP ldapsearch (CLI tool)
ldp.exe (MS ADS GUI tool)
ADUC (MS ADS GUI tool)
Let me know if this was valuable.
Cheers,
A.
Edit 8/16/2016 - Added step 9c for clarity: where to copy the public CA root cert to, i.e. Local Computer (aka local machine via certlm.msc).
Edit 9/28/2016 - Added a script to pull from the current production Active Directory domain, either to assist with building a lab AD domain or for a role-engineering exercise.