Build your cybersecurity foundation with these essential hands-on labs designed for CompTIA Security+ certification preparation.
Lab 1: Linux Security Hardening
Beginner
Scenario: Secure the Web Server
You've been hired as a junior security analyst at StartupTech Inc. The company's web server running Ubuntu 20.04 has never been properly secured. Your manager has asked you to perform basic security hardening to protect against common attacks. The server is currently running with default configurations and needs immediate attention.
Learning Objectives:
User Account Security: Create secure user accounts and disable unnecessary ones
SSH Hardening: Configure SSH for key-based authentication and disable root login
Firewall Configuration: Set up UFW (Uncomplicated Firewall) with proper rules
System Updates: Update system packages and configure automatic security updates
📋 Step-by-Step Instructions
Check Current User Accounts: grep -vE 'nologin|/bin/false' /etc/passwd
Why: Attackers often create backdoor accounts. The shell field (the seventh, colon-separated) decides whether an account can open an interactive session; filtering on nologin alone misses accounts parked on /bin/false, so exclude both. List every login-enabled account, disable or remove the ones nobody can vouch for, and confirm that root is the only entry with UID 0 (the third field). Security Impact: Reduces attack surface by eliminating unnecessary user accounts that could be exploited, and surfaces rogue UID 0 accounts that a plain username check would miss.
Create a New Secure Admin User: sudo adduser secadmin
Why: Predictable usernames such as 'admin', 'ubuntu' or 'root' hand an attacker half of the credential before the first guess. A uniquely named admin account with a strong password (and, per the learning objectives, an SSH key rather than a password for remote login) raises the cost of brute force considerably. Security Impact: Implements the principle of least privilege and gives accountability, because every administrative action traces back to a named person rather than a shared account.
Add User to Sudo Group:sudo usermod -aG sudo secadmin
Why: Instead of using root directly, sudo provides accountability through logging and time-limited privilege escalation. Security Impact: All administrative actions are logged with timestamps and user attribution for audit trails.
Disable Root SSH Login: edit /etc/ssh/sshd_config and set PermitRootLogin to no. Before restarting, confirm in a second session that secadmin can log in over SSH, so the change cannot lock you out.
Why: Root is the most targeted account in SSH brute-force attacks, and it is the one account name every attacker already knows. Disabling root SSH login forces an attacker to compromise a named user account and then escalate privileges, two separate steps. Security Impact: Removes root from the reachable SSH attack surface, which is where most automated SSH brute-force traffic is aimed. Note that sshd honours the first occurrence of a directive in the file, so an earlier uncommented PermitRootLogin line silently overrides one appended at the bottom.
Restart SSH Service: sudo systemctl restart ssh (on Ubuntu, sshd is an alias for the same unit)
Why: SSH configuration changes only take effect after the service is restarted or reloaded; without this, the edit is not active. Validate the file first with sshd's test mode (sshd -t): a syntax error stops the daemon from starting and locks every remote admin out. Existing sessions survive the restart, so keep your current session open until a fresh login succeeds. Security Impact: Applies the root login restriction immediately, closing the vulnerability window.
Allow Required Ports, then Enable UFW Firewall: add UFW allow rules for 22/tcp, 80/tcp and 443/tcp first, and only then run sudo ufw enable. If you are connected over SSH and enable the firewall before allowing port 22, its default deny-incoming policy drops your own session.
Why: Without a firewall, every listening service is exposed. UFW provides a simple defense-in-depth layer to control network access. Principle of least privilege: only expose the ports that are actually required. Port 22 (SSH), 80 (HTTP) and 443 (HTTPS) are what a web server and its management need. Security Impact: Blocks all incoming connections by default, forcing explicit allow rules for required services only, so the reachable attack surface is three known services instead of whatever happens to be listening. Scanners and exploit attempts against anything else are dropped at the firewall. UFW does not stop the services themselves, so daemons you do not need should still be disabled.
Update System Packages: sudo apt update && sudo apt upgrade -y
Why: A large share of successful intrusions exploit vulnerabilities for which a patch already exists; keeping packages current closes those holes. Security Impact: Patches published CVEs (Common Vulnerabilities and Exposures) including remote code execution, privilege escalation and data exposure flaws. Kernel and libc updates only take effect after a reboot; Ubuntu flags this by creating /var/run/reboot-required.
Configure Automatic Security Updates: install the unattended-upgrades package and enable it (dpkg-reconfigure unattended-upgrades turns it on; Ubuntu's default configuration installs from the security pocket only).
Why: Manual patching leaves gaps in which critical fixes sit uninstalled for days or weeks. Automatic updates install security fixes as soon as the distribution publishes them. They do nothing against a true zero-day, for which no fix exists yet, but they close the window between a patch's release and its installation, which is the window most mass exploitation targets. Security Impact: Reduces the vulnerability window from days or weeks to hours. This matters most for wormable flaws in network-facing services, which are exploited at scale within days of disclosure.
Verify Security Status: sudo ufw status && sudo systemctl status ssh
Why: Verification is critical: a control that is configured but not active protects nothing. Check that the firewall is active with exactly the three allow rules you intended, that sshd is running, and, using sshd's -T option (which prints the effective running configuration), that PermitRootLogin really reads no. Security Impact: Confirms the defense-in-depth layers are operational and gives you audit evidence that the security controls function as intended.
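The verification step above is easy to get wrong by eye, so here is an offline checker for the Lab 1 controls. It is an added example for this page, not part of the original lab: it parses the artifacts the steps change (/etc/passwd, /etc/ssh/sshd_config and the output of ufw status) and reports which controls are really in place, including the two traps the steps warn about (accounts on /bin/false, and an earlier PermitRootLogin line overriding a later one). The account names, the rogue toor entry and the command output at the bottom are constructed samples; the usernames secadmin and the three allowed ports come from the lab.

```python
"""Offline check of the Lab 1 controls.

Added example for this page, not part of the original lab. It parses the
artifacts the lab steps change (/etc/passwd, /etc/ssh/sshd_config and the
output of `ufw status`). The inputs at the bottom are constructed samples;
on a real host read the files and capture the command output instead.
"""
import re

# Shells that cannot start an interactive session; grepping for 'nologin'
# alone misses accounts parked on /bin/false, so compare the shell field.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
EXPECTED_LOGIN_USERS = {"root", "secadmin"}      # what the lab leaves enabled
EXPECTED_PORTS = {"22/tcp", "80/tcp", "443/tcp"}  # the lab's UFW allow rules


def passwd_entries(passwd_text):
    return [f for f in (line.split(":") for line in passwd_text.splitlines()) if len(f) == 7]

def login_capable_accounts(passwd_text):
    """Usernames whose login shell (field 7) allows an interactive session."""
    return [f[0] for f in passwd_entries(passwd_text) if f[6] not in NOLOGIN_SHELLS]

def uid0_accounts(passwd_text):
    """Every account with UID 0 (field 3); anything besides root is a backdoor."""
    return [f[0] for f in passwd_entries(passwd_text) if f[2] == "0"]

def sshd_directive(config_text, name):
    """Effective value of a global sshd_config directive, or None if unset.

    sshd keeps the FIRST occurrence of a directive, so an uncommented
    'PermitRootLogin yes' earlier in the file silently beats a 'no' appended
    at the bottom. Lines after the first Match block are conditional and
    are ignored here.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("match "):
            break
        m = re.match(r"(\S+)[\s=]+(.+)", stripped)
        if m and m.group(1).lower() == name.lower():
            return m.group(2).strip()
    return None

def ufw_allowed(status_text):
    """'To' specs with ALLOW rules in `ufw status` output (v6 rows folded in)."""
    allowed = set()
    for line in status_text.splitlines():
        m = re.match(r"^(\S+)(?: \(v6\))?\s+ALLOW(?: IN)?\s+", line)
        if m:
            allowed.add(m.group(1))
    return allowed

def audit(passwd_text, sshd_text, ufw_text):
    """Evaluate the lab's controls; True means the control is in place."""
    active = ufw_text.lstrip().startswith("Status: active")
    allowed = ufw_allowed(ufw_text)
    return {
        "unexpected_login_accounts": sorted(set(login_capable_accounts(passwd_text)) - EXPECTED_LOGIN_USERS),
        "extra_uid0_accounts": [u for u in uid0_accounts(passwd_text) if u != "root"],
        "root_ssh_login_disabled": sshd_directive(sshd_text, "PermitRootLogin") == "no",
        "ssh_password_auth_disabled": sshd_directive(sshd_text, "PasswordAuthentication") == "no",
        "firewall_active": active,
        "only_required_ports_open": active and bool(allowed) and allowed <= EXPECTED_PORTS,
    }


# Constructed samples: the host before and after the lab steps.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
backup_svc:x:1001:1001::/home/backup_svc:/bin/sh
toor:x:0:0::/root:/bin/bash
"""
PASSWD_AFTER = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/usr/sbin/nologin
secadmin:x:1002:1002::/home/secadmin:/bin/bash
"""
SSHD_BEFORE = "#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n"
SSHD_AFTER = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
# A leftover uncommented line at the top: the 'no' appended later never takes effect.
SSHD_TRAP = "PermitRootLogin yes\nX11Forwarding yes\nPermitRootLogin no\n"
UFW_BEFORE = "Status: inactive\n"
UFW_AFTER = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    print("before:", audit(PASSWD_BEFORE, SSHD_BEFORE, UFW_BEFORE))
    print("after: ", audit(PASSWD_AFTER, SSHD_AFTER, UFW_AFTER))
    print("trap PermitRootLogin =", sshd_directive(SSHD_TRAP, "PermitRootLogin"))
```

On the "before" sample the checker reports backup_svc, toor and ubuntu as unexpected login accounts, toor as an extra UID 0 account, and every SSH and firewall control as missing; on the "after" sample every control passes. The SSHD_TRAP sample resolves PermitRootLogin to yes, which is what sshd would also do.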
Lab environment: Ubuntu 20.04.3 LTS (kernel 5.4.0-74-generic, x86_64), logged in as student@webserver, with default security settings that need hardening.
Lab 2: Windows Active Directory Security
Intermediate
Scenario: Secure the Domain Controller
MegaCorp has just experienced a security breach where an attacker gained access to several user accounts. As the security administrator, you need to implement proper Active Directory security policies, create secure organizational units (OUs), configure group policies, and set up proper password policies to prevent future attacks. The domain controller is running Windows Server 2019.
Learning Objectives:
OU Structure: Create a secure organizational unit structure for users and computers
Group Policy: Configure GPOs for security hardening and password policies
User Security: Implement principle of least privilege for user accounts
Audit Policies: Enable security auditing for critical events
📋 Step-by-Step Instructions
Open Active Directory Users and Computers
Navigate to Server Manager > Tools > Active Directory Users and Computers. Why: ADUC is the management console for domain users, groups, computers and organizational units. Security Impact: Organizing objects into OUs is the precondition for scoped Group Policy and delegated administration; it does not by itself stop lateral movement, which the policy, group and audit steps below address.
Create Organizational Units
Right-click the domain in ADUC, choose New > Organizational Unit, and create separate OUs for user accounts and for computers (for example per department or role). Why: OUs let you apply different GPOs and delegate administration per user or computer type; a flat structure forces one policy on everyone and one administrator group over everything. Security Impact: Enables granular GPO application: finance users can get strict data-handling settings while IT staff get the administrative tooling they need. Keep in mind that an OU is an administrative scope, not a security boundary (the boundary is the forest); it limits blast radius only through the policies and delegation you attach to it.
Open Group Policy Management
Navigate to Server Manager > Tools > Group Policy Management. Use the tree navigation on the left to explore Domain > Group Policy Objects. Why: Group Policy is how you enforce security settings across thousands of machines from one central location using a hierarchical tree structure. Security Impact: Ensures consistent security configuration domain-wide. Prevents users from weakening security on their local machines.
Create Password Policy GPO
Right-click the domain > Create a GPO in this domain, and Link it here > Name: Secure Password Policy. Why: A large share of breaches involve weak or stolen credentials (the Verizon DBIR has put the figure at 81% of hacking-related breaches). Strong password policies are your first line of defense. Security Impact: Prevents dictionary attacks, brute force and credential stuffing, and forces attackers to use more sophisticated techniques. Caveat: domain account password and lockout settings are read only from GPOs linked at the domain root, and the Default Domain Policy already sets them; give your GPO a higher link order at the domain so it wins, or use a Fine-Grained Password Policy when only some groups need stricter settings.
Configure Password Requirements
Set: Min length: 12, Complexity: Enabled, History: 24, Max age: 90 days. Why: Longer passwords raise the cost of offline cracking from hours to years; complexity forces a mix of character types. Security Impact: Password history prevents reuse; rotation limits the exposure time of a credential that has already leaked. Note that current NIST SP 800-63B guidance differs from this classic baseline: it favors length (8 characters minimum, longer encouraged) and screening against breached-password lists over mandatory composition rules and scheduled expiry, which it recommends only after a suspected compromise. The lab's values are the conventional AD baseline that many compliance regimes still require.
Configure Account Lockout Policy
Set: Threshold: 5 attempts, Duration: 30 minutes, Reset counter after: 30 minutes. Why: Account lockout defeats sustained automated guessing against a single account; 5 attempts allows for legitimate typos but stops brute force. Security Impact: Makes online cracking of any one account impractical. Two caveats a practitioner should plan for: lockout is also a denial-of-service lever, since anyone who can name accounts can lock them, and password spraying stays under the threshold by trying one or two common passwords against many accounts, so lockout alone never fires. Pair it with the audit policies below and alert on lockout events (4740) and on failed-logon bursts across many accounts from one source.
Enable Audit Policies
Configure: Audit account logon events, Audit account management, Audit policy change (Success and Failure). On Server 2019 prefer the Advanced Audit Policy Configuration subcategories (Audit Logon, Audit Kerberos Authentication Service, Audit User Account Management, Audit Audit Policy Change) and enable the "Force audit policy subcategory settings" security option so they take precedence. Why: You can't detect what you don't log. Audit policies create the forensic record and feed threat detection: failed logons (4625), Kerberos pre-authentication failures (4771), lockouts (4740), account creation (4720) and audit policy changes (4719). Security Impact: Detects privilege escalation, unauthorized account creation and policy tampering. Required for compliance (PCI-DSS, HIPAA, SOC 2).
Create Security Groups
In ADUC, right-click the appropriate OU > New > Group (Group scope: Global, Group type: Security), add users to the group, and grant permissions on resources to the group rather than to individuals. Why: Groups enable least-privilege access control that scales; permissions assigned to individual users are never reviewed and never revoked. Security Impact: Limits data exposure during breaches. Finance users can't access HR data and vice versa. Simplified access reviews for compliance, because membership is the only thing to audit.
Apply GPOs to OUs
Link security GPOs to appropriate organizational units Why: GPOs don't do anything until they're linked to OUs. This step activates your security policies. Security Impact: Enforces security settings on all computers/users in the OU. Policies update automatically without touching each machine.
Test and Verify Settings
Run gpupdate /force on a domain member, then verify with gpresult /r (or the Group Policy Results wizard in GPMC) that the expected GPOs are listed as applied and the password settings show up under the effective policy. Why: Group Policy refreshes in the background every 90 minutes plus a random offset of up to 30 minutes, and security settings are reapplied every 16 hours even when unchanged; forcing a refresh gives immediate results for testing. Security Impact: Confirms security controls are operational and identifies misconfiguration (wrong link, blocked inheritance, security filtering) before attackers can exploit the gap.
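The lockout and audit-policy steps above are only useful if someone reads the events they produce. The following is an added example for this page, not part of the lab: detection logic run over a constructed batch of Windows Security events. The event IDs are the real ones (4625 failed logon, 4740 account locked out, 4720 user account created, 4719 audit policy changed); the account names, source addresses and timestamps are made up. It shows why the lab's 5-attempt lockout on its own never fires on password spraying, and how to catch it anyway by counting distinct accounts per source.

```python
"""Detection over Windows Security events for the lockout and audit steps.

Added example for this page, not part of the original lab. The event IDs are
real Windows Security IDs; the accounts, addresses and times are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # the lab's account lockout threshold

# Constructed events: (time, event id, target account, source address).
EVENTS = [
    # one guess each against many accounts from one host: spraying, no lockouts
    *[(f"2025-06-15T09:00:{i:02d}", 4625, user, "10.20.0.77")
      for i, user in enumerate(["alice", "bob", "carol", "dave", "erin",
                                "frank", "grace", "heidi", "ivan", "judy"])],
    # brute force against a single account: trips the lockout
    *[(f"2025-06-15T09:10:{i:02d}", 4625, "carol", "10.20.1.5") for i in range(5)],
    ("2025-06-15T09:10:06", 4740, "carol", "10.20.1.5"),
    # things a breached environment should always review
    ("2025-06-15T09:12:00", 4720, "svc-backup2", "10.20.0.77"),
    ("2025-06-15T09:13:00", 4719, "-", "10.20.0.77"),
]


def parse(events):
    return [(datetime.fromisoformat(t), eid, acct, src) for t, eid, acct, src in events]

def failed_logons_by_source(events, window=timedelta(minutes=10)):
    """Map source -> {account: failures} for 4625 events inside the window
    that starts at the source's first failure (fixed window, not sliding,
    to keep the example short)."""
    first_seen, per_source = {}, defaultdict(lambda: defaultdict(int))
    for when, eid, acct, src in parse(events):
        if eid != 4625:
            continue
        first_seen.setdefault(src, when)
        if when - first_seen[src] <= window:
            per_source[src][acct] += 1
    return per_source

def detect_spraying(events, min_accounts=5):
    """Sources that failed against many distinct accounts while staying
    under the lockout threshold on every one of them: lockout never fires."""
    hits = []
    for src, accounts in failed_logons_by_source(events).items():
        if len(accounts) >= min_accounts and max(accounts.values()) < LOCKOUT_THRESHOLD:
            hits.append((src, sorted(accounts)))
    return hits

def detect_brute_force(events):
    """Sources that reached the lockout threshold on a single account."""
    return sorted((src, acct) for src, accounts in failed_logons_by_source(events).items()
                  for acct, n in accounts.items() if n >= LOCKOUT_THRESHOLD)

def lockouts(events):
    """Accounts with a 4740 lockout event."""
    return sorted(acct for _, eid, acct, _ in parse(events) if eid == 4740)

def review_items(events):
    """Account creations and audit-policy changes: each one needs a ticket."""
    labels = {4720: "account created", 4719: "audit policy changed"}
    return [(t, labels[eid], acct, src) for t, eid, acct, src in events if eid in labels]


if __name__ == "__main__":
    print("spraying:   ", detect_spraying(EVENTS))
    print("brute force:", detect_brute_force(EVENTS))
    print("lockouts:   ", lockouts(EVENTS))
    print("review:     ", review_items(EVENTS))
```

On the sample data the spraying detector flags 10.20.0.77 (ten accounts, one failure each, so no 4740 is ever generated), the brute-force detector and the lockout list both point at carol from 10.20.1.5, and the review list surfaces the new svc-backup2 account and the audit policy change that followed. In production the same counts come from the DC's Security log via Windows Event Forwarding or a SIEM; the thresholds here are starting points, not tuned values.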
Initial lab state: domain megacorp.local with only the default Computers and Users containers (no custom OUs), no audit policies configured, and Default Domain Policy as the only GPO under Group Policy Objects.
Lab 3: Firewall Configuration with pfSense
Intermediate
Scenario: Network Perimeter Defense
TechStartup Inc. has grown rapidly and needs proper network segmentation and firewall rules. You're tasked with configuring a pfSense firewall to protect the internal network, create a DMZ for public-facing servers, and implement proper NAT and firewall rules. The company has web servers that need to be accessible from the internet while keeping the internal network secure.
Learning Objectives:
Network Segmentation: Configure VLANs and network interfaces for proper segmentation
Firewall Rules: Create and order firewall rules following security best practices
NAT Configuration: Set up port forwarding and outbound NAT rules
Security Features: Enable IDS/IPS and configure logging
📋 Step-by-Step Instructions
Access pfSense Dashboard
Click on the Dashboard tab to view the pfSense system information and interface status. Why: The dashboard provides an overview of all network interfaces and system health. It's the starting point for firewall configuration. Security Impact: Monitoring dashboard alerts helps detect misconfigurations or security issues before they become critical vulnerabilities.
Review and Configure Network Interfaces
Go to the Interfaces tab and review WAN and LAN (already configured). Click Configure button on the DMZ interface to set it up:
DMZ Configuration Values (select and copy):
IP Address: 192.168.100.1
Subnet Mask: /24
Note: WAN (203.0.113.5/24) and LAN (192.168.10.1/24) interfaces are pre-configured. You can click Edit to review their settings, but focus on configuring the DMZ interface. Why: Network segmentation is one of the most effective defenses against lateral movement: a breached web server should have no path to internal databases or workstations. Security Impact: DMZ isolation limits the blast radius. If an attacker compromises the web server in the DMZ, they cannot pivot to the internal network without getting through another firewall layer, and the DMZ interface's rules (which default to deny) decide exactly what that server may reach.
Create Firewall Aliases
Go to the Firewall tab and click on the Aliases subtab. Create three aliases; the rules in the later steps refer to Management_IPs (the admin workstation addresses) and to the DMZ web server (192.168.100.10).
Why: Aliases make rules readable and maintainable. "Allow Management_IPs" is clearer than "Allow 192.168.10.5", and changing the alias once updates every rule that uses it. Security Impact: Reduces configuration errors. A mistyped IP in one of 20 rules is a security hole; aliases keep the ruleset consistent and make access reviews a matter of reading the alias contents.
Configure DMZ Firewall Rules
Go to the Firewall tab, click on the Rules subtab, then select the interface tab and click Add Rule to create the rule that admits web traffic to the DMZ server:
Rule Configuration:
Action: Pass
Protocol: TCP
Source: any
Destination: the DMZ web server (192.168.100.10)
Ports: 80,443
Description: Allow web traffic to DMZ
Two points the lab screen glosses over. First, pfSense evaluates rules on the interface where the traffic enters, so a rule admitting internet traffic belongs on the WAN tab (when you create the port forward in the NAT step, pfSense offers to create this WAN rule for you). Second, the "WAN net" alias means only the WAN interface's own subnet (203.0.113.0/24); traffic from the internet does not match it, so the source must be any. The DMZ tab itself governs what the DMZ server may initiate: block DMZ net to LAN net first, then allow only what the server needs outbound (DNS and NTP to the firewall, HTTP/HTTPS for updates); everything else is caught by the implicit deny.
Why: Public-facing services must be reachable from the internet, but ONLY on the required ports. Attackers scan all 65,535 ports looking for weaknesses. Security Impact: Allows legitimate web traffic while blocking SSH, RDP and database ports from the internet. Prevents attackers from reaching management interfaces or exploiting unpatched services that happen to be listening.
Configure LAN Firewall Rules
Go to the Firewall tab, click on the Rules subtab, then select LAN from the interface dropdown. pfSense evaluates the rules on an interface from the top down and the first match wins, so put the specific allow and the block above the general allow:
1. Allow Admin SSH to DMZ: Action=Pass, Protocol=TCP, Source=Management_IPs, Destination=DMZ net, Port=22
2. Block LAN to DMZ: Action=Block, Protocol=Any, Source=LAN net, Destination=DMZ net
3. Allow LAN to Internet: Action=Pass, Protocol=Any, Source=LAN net, Destination=any
Two corrections to the order the lab screen suggests. A general "LAN to any" pass rule placed first matches LAN-to-DMZ traffic before the block rule is ever consulted, so the block never fires. And "WAN net" as a destination means only 203.0.113.0/24, not the internet, so a rule with that destination leaves LAN users with no internet access at all (their traffic matches nothing and hits the implicit deny). Traffic that matches no rule is dropped by the implicit deny; the explicit block in rule 2 exists so that rule 3 cannot admit it.
Why: Internal users need internet but shouldn't directly access DMZ servers. Only designated admins need SSH to DMZ for maintenance. Security Impact: Prevents a compromised employee workstation from attacking DMZ servers. Limits admin access to specific IP addresses for accountability.
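Because rule order and the meaning of "WAN net" decide what the DMZ and LAN rule steps above actually permit, here is a first-match simulation of those rulesets. It is an added example for this page, not pfSense code: it reproduces pfSense's evaluation model (top down, first match wins, no match means drop) over the lab's topology. The alias contents are assumptions (Management_IPs = 192.168.10.5, DMZ_web = 192.168.100.10, taken from the addresses the lab mentions), and the test packets are constructed.

```python
"""First-match simulation of the pfSense rules in the DMZ and LAN steps.

Added example for this page, not pfSense code. pfSense evaluates the rules
on the interface where a packet arrives from the top down; the first match
wins and a packet that matches nothing is dropped. The alias contents
(Management_IPs, DMZ_web) are assumptions based on the lab's addresses.
"""
import ipaddress

ALIASES = {
    "any": "0.0.0.0/0",
    "WAN net": "203.0.113.0/24",       # the WAN interface's own subnet only
    "LAN net": "192.168.10.0/24",
    "DMZ net": "192.168.100.0/24",
    "Management_IPs": "192.168.10.5/32",   # assumed admin workstation
    "DMZ_web": "192.168.100.10/32",        # the DMZ web server from the lab
}


def rule(action, proto, src, dst, ports=None, descr=""):
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": set(ports or []), "descr": descr}

def packet(src, dst, proto, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

def matches(r, p):
    in_alias = lambda ip, name: ip in ipaddress.ip_network(ALIASES[name])
    return ((r["proto"] == "any" or r["proto"] == p["proto"])
            and in_alias(p["src"], r["src"]) and in_alias(p["dst"], r["dst"])
            and (not r["ports"] or p["dport"] in r["ports"]))

def evaluate(rules, p):
    """Return (action, description) of the first matching rule, else the implicit deny."""
    for r in rules:
        if matches(r, p):
            return r["action"], r["descr"]
    return "block", "implicit deny (no rule matched)"


# LAN rules in the order the lab screen lists them, 'WAN' read as 'WAN net'.
LAN_AS_WRITTEN = [
    rule("pass", "any", "LAN net", "WAN net", descr="Allow LAN to Internet"),
    rule("pass", "tcp", "Management_IPs", "DMZ net", [22], "Allow Admin SSH to DMZ"),
    rule("block", "any", "LAN net", "DMZ net", descr="Block LAN to DMZ"),
]
# The obvious fix (destination any) without reordering: the block is now unreachable.
LAN_DST_ANY_FIRST = [rule("pass", "any", "LAN net", "any", descr="Allow LAN to Internet")] + LAN_AS_WRITTEN[1:]
# Specific allow and the block above the general allow.
LAN_CORRECTED = LAN_AS_WRITTEN[1:] + [rule("pass", "any", "LAN net", "any", descr="Allow LAN to Internet")]

# WAN rules for the web server: 'WAN net' as the source versus any.
WAN_SRC_WAN_NET = [rule("pass", "tcp", "WAN net", "DMZ_web", [80, 443], "Allow web traffic to DMZ")]
WAN_SRC_ANY = [rule("pass", "tcp", "any", "DMZ_web", [80, 443], "Allow web traffic to DMZ")]

# Constructed test traffic.
LAN_TO_INTERNET = packet("192.168.10.50", "93.184.216.34", "tcp", 443)
LAN_TO_DMZ_RDP = packet("192.168.10.50", "192.168.100.10", "tcp", 3389)
ADMIN_SSH = packet("192.168.10.5", "192.168.100.10", "tcp", 22)
INTERNET_TO_WEB = packet("198.51.100.7", "192.168.100.10", "tcp", 80)
INTERNET_TO_SSH = packet("198.51.100.7", "192.168.100.10", "tcp", 22)

if __name__ == "__main__":
    for name, rules in [("as written", LAN_AS_WRITTEN), ("dst any, same order", LAN_DST_ANY_FIRST),
                        ("corrected", LAN_CORRECTED)]:
        for pname, p in [("LAN->internet", LAN_TO_INTERNET), ("LAN->DMZ RDP", LAN_TO_DMZ_RDP),
                         ("admin SSH", ADMIN_SSH)]:
            print(f"{name:20} {pname:15} {evaluate(rules, p)}")
    print("WAN net source:", evaluate(WAN_SRC_WAN_NET, INTERNET_TO_WEB))
    print("any source:    ", evaluate(WAN_SRC_ANY, INTERNET_TO_WEB), evaluate(WAN_SRC_ANY, INTERNET_TO_SSH))
```

Three outcomes are worth reading off the output: with the rules as written, LAN users have no internet (nothing matches "WAN net" and the implicit deny drops them); with the destination changed to any but the order unchanged, RDP from a LAN workstation to the DMZ server is admitted by the general pass rule and the block is dead; with the corrected order, admin SSH passes, RDP is blocked by name, and internet traffic passes. On the WAN side, "WAN net" as the source blocks a real internet client while any admits it on 80 and 443 and still drops port 22.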
Set Up NAT Port Forwarding
Go to the Firewall tab, then navigate to NAT > Port Forward. Click Add to create a new port forwarding rule with these settings:
Port Forward Configuration:
• Interface: WAN
• Protocol: TCP
• Destination: WAN address
• Destination port range: 80 (create a second entry for 443)
• Redirect target IP: 192.168.100.10
• Redirect target port: 80 (443 for the second entry)
• Filter rule association: Add associated filter rule (this creates the matching WAN pass rule for you)
Why: Your web server has a private IP (192.168.100.10) but internet users connect to your public IP. NAT translates public IP:80 to private IP:80. Security Impact: Keeps the server's real address out of view, which makes reconnaissance slightly harder, but NAT is an addressing mechanism rather than a security control: the associated WAN pass rule, not the translation, decides what is admitted, and it should be limited to the forwarded ports only.
Configure Outbound NAT
Go to the Firewall tab, then navigate to NAT > Outbound. Set the mode to Hybrid or Manual. Add outbound NAT rules for both networks:
• Interface: WAN, Source: LAN net (192.168.10.0/24), Translation: Interface Address
• Interface: WAN, Source: DMZ net (192.168.100.0/24), Translation: Interface Address
Why: Internal devices use private (RFC 1918) addresses that are not routable on the internet. Outbound NAT rewrites the source address to your public IP. Security Impact: Reachability only. pf tracks connection state and admits return traffic for every pass rule whether or not NAT is involved, and outbound NAT does nothing against spoofed sources; anti-spoofing comes from the WAN interface's "Block private networks" and "Block bogon networks" options and from your rules.
Configure DNS Resolver Service
Go to the Services tab and click the Configure button on DNS Resolver (Unbound). Configure the following settings:
DNS Configuration (copy these values):
• Enable DNS Resolver: Enabled
• Listen Port: 53
• Network Interfaces: LAN (check LAN checkbox)
• DNSSEC: Disabled in the lab (enable it in production so Unbound validates signed answers)
• Forwarding Mode: DNS Resolver (Recursive)
Why: DNS Resolver (Unbound) performs recursive DNS queries directly to the authoritative servers, providing better privacy than forwarding everything to an external resolver such as Google or Cloudflare. Security Impact: With DNSSEC validation enabled, Unbound rejects forged answers for signed zones, which is the protection against cache poisoning; with it disabled, as in the lab, that protection is absent. It also provides internal name resolution for network devices and gives you a single place to log and filter DNS. DNS-based data exfiltration is only hampered if you also block outbound port 53 (and DNS over TLS/HTTPS) from LAN and DMZ to anything other than the firewall, so that clients cannot bypass the resolver. Port 53 is the standard DNS port.
Configure NTP Time Synchronization
Go to the Services tab and click the Configure button on NTP Server. Configure the following settings:
NTP Configuration (copy these values):
• Enable NTP Server: Enabled
• Time Server 1: 0.pfsense.pool.ntp.org
• Time Server 2: 1.pfsense.pool.ntp.org
• Interface: LAN and DMZ (do not serve NTP on WAN; an internet-exposed NTP service is a reflection and amplification target)
• Timezone: UTC
Why: Accurate time synchronization is critical for security. Log correlation across systems requires synchronized clocks. SSL/TLS certificates fail if time is wrong. Kerberos authentication breaks with >5 minute time drift. Security Impact: Enables accurate forensic analysis after incidents. Prevents attackers from manipulating timestamps to hide their tracks. Required for compliance (PCI-DSS requires time sync).
Configure DHCP Server for LAN
Go to the Services tab and click the Configure button on DHCP Server. Configure the following settings:
DHCP Configuration (copy these values):
• Enable DHCP Server: Enabled
• Range From: 192.168.10.100
• Range To: 192.168.10.200
• Gateway: 192.168.10.1
• DNS Servers: 192.168.10.1 (the Unbound resolver on the firewall; adding a public resolver such as 8.8.8.8 as a fallback lets clients bypass your resolver and its logging whenever they choose to)
• Lease Time: 7200 seconds (2 hours)
Why: DHCP automates IP address assignment for client devices, preventing IP conflicts. Reserve .1-.99 for static assignments (servers, printers) and use .100-.200 for dynamic client allocation. Security Impact: Centralized IP management gives better network visibility and makes static mappings for known devices possible. Note that a DHCP server on pfSense does not stop rogue DHCP servers on the LAN; that requires DHCP snooping on the switches. The DNS setting points clients to your own resolver rather than to an external server you neither log nor control.
Enable Snort IDS/IPS
Go to the Services tab and click the Configure button on Snort IDS/IPS. Enable it on the WAN and DMZ interfaces and select rulesets (ET Open is free; the Snort Subscriber/VRT rules require registering for an Oinkmaster code). Start in IDS (alert-only) mode, review the alerts for false positives, and only then enable blocking. Why: Firewalls filter on ports and addresses but cannot see application-layer attacks such as SQL injection, XSS or exploitation of an unpatched web application inside traffic you have to allow. Security Impact: IDS detects attack patterns in real time; IPS actively blocks the offending source. Protects against OWASP Top 10 web attacks even when 80/443 must be open. Caveats: traffic on 443 is TLS-encrypted, so signature inspection sees little beyond metadata unless TLS is terminated in front of the server; and on WAN, Snort sees packets before NAT, so the DMZ interface is where you will see the server's real address in alerts.
Configure Logging
Go to the Status tab, then navigate to System Logs > Settings. Enable logging of traffic matched by the default block rules, tick Log on the explicit block rules you created (the Block LAN to DMZ rule in particular), keep IDS alerts, and forward everything to a remote syslog server so an attacker who reaches the firewall cannot erase the record. Why: Logs are forensic evidence. When a breach occurs, logs tell you what happened, when, and from where. Required for compliance (PCI-DSS, HIPAA). Security Impact: Enables threat hunting and incident response. Detects port scans, brute-force attempts and policy violations. The IBM Cost of a Data Breach report has put the average time to identify a breach at 207 days; centralized, reviewed logs are the main lever for reducing it.
Test and Verify Configuration
Verify the configuration end to end. Confirm that WAN is up, that a LAN client can reach the internet, that the DMZ web server is reachable from WAN on 80 and 443 only, that LAN to DMZ is blocked except SSH from Management_IPs, and that the DMZ server cannot reach LAN net. Why: A firewall can look perfect in the configuration and still fail in practice because of rule ordering, typos or misunderstood aliases (such as "WAN net" standing in for the internet). Always test from both sides of each boundary. Security Impact: Prevents a false sense of security. A misconfigured firewall is no firewall. Testing confirms the defense-in-depth layers work as designed before going to production.
Initial lab environment (pfSense 2.6.0)
Interfaces:
  WAN (em0)   Up     203.0.113.5/24    gateway 203.0.113.1
  LAN (em1)   Up     192.168.10.1/24   no gateway
  DMZ (em2)   Down   not configured
Firewall rules: only the default entry (Block, Any protocol, Any source, Any destination, Any port: default deny all)
Firewall aliases: none configured yet
Services: Snort IDS/IPS stopped; DNS Resolver (Unbound), NTP Server and DHCP Server (LAN) running
Recent log entries (simulated):
[2024-12-07 15:05:23] Firewall: Allow WAN TCP 80 from 203.0.113.100 to DMZ
[2024-12-07 15:05:15] Firewall: Allow LAN TCP 443 to Internet
[2024-12-07 15:04:58] Firewall: Block LAN to DMZ port 3389
[2024-12-07 15:04:42] Snort: No threats detected in last scan