Tom Neilly
System's Administration – Final Project
12/1/2014

For my final project in System's Administration, my original goal was to create a domain and an antivirus server with the ability to remotely install the anti-virus software on domain computers and monitor network threats. However, my project grew from there as I added one physical machine and several virtual machines to my domain which perform different tasks such as backup, file serving, and Hyper-V replication.

My final project consists of several virtual machines and two physical machines. The first physical machine I am using is a Dell PowerEdge R210 server, the second a Microsoft Surface Pro 2 tablet. I will give specific information about every computer on my network in its own dedicated section of the documentation. This information will include the purpose of the machine, the operating system, the IPv4 settings, any Windows features or roles installed, software installed, and configurations that were made.

Before I get started, I'd like to display the network topology for my domain, tom.frickin.neilly. As we move down through the different machines, this picture (which was created using Adobe Illustrator) should help the reader keep all of the machines straight and shows how they are connected.

Host-Server (Dell PowerEdge physical machine)

Operating system : Windows Server 2012 R2 Datacenter
IP address : 10.10.10.11
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS : 10.10.10.1

The main function of the Dell PowerEdge server is simply to run Hyper-V Manager and host all of the virtual machines. To get started, I had to set up the Dell PowerEdge server. The very first step was to install two 1.5 TB hard disk drives. After the HDD installation, I configured the server to use the two hard disk drives (HDDs) in a RAID 1 configuration.
To do this, I interrupted the boot process to access the BIOS of the server and changed the HDD settings. The second step of the initial server configuration was to install Windows Server 2012 R2 Datacenter. This was not a straightforward, typical OS installation. The server itself was designed to run Windows Server 2008, so getting Server 2012 installed took some research and tinkering. While initially trying to install Server 2012, the drivers for the HDDs were missing entirely: when choosing which disks to install the OS onto, the list was simply blank and there were no options. After installing several different drivers from Dell's website (http://www.dell.com/support/home/us/en/19/productsupport/servicetag/30v6fp1/drivers?s=BSD) with no luck, I did some more research. To solve this problem, I had to go to Dell's support website and download and burn two .ISO files to discs in order to reset the server. Now my host server is successfully up and running with Windows Server 2012 R2 Datacenter and the HDDs configured as RAID 1.

Before I began installing VMs through Hyper-V Manager, I first created some external virtual switches in Hyper-V. These switches act like physical network cards, giving the VMs their own network to sit on, which is how they will authenticate with the Domain Controller, share files, and receive the MalwareBytes installations pushed to remote clients. I created two external virtual switches: one for my internal network (EXTERNAL 10.10.10.X) to allow connections from DC1 to all other machines, and another (EXTERNAL INTERNET) to share internet connectivity between the physical NIC on the Dell PowerEdge and my virtual machines.

DC1 (PowerEdge VM)

Operating System : Windows Server 2012 R2 Datacenter
IP address : 10.10.10.1
Subnet mask : 255.255.255.0
Default gateway : null
DNS server : 127.0.0.1

The first VM I installed was my Domain Controller, using the same OS, Windows Server 2012 R2 Datacenter.
The domain controller allows me to create a domain, add my host server and all VMs to my domain, and use Active Directory to manage all of the users, computers, and group policies in my domain.

After installing the necessary roles and features (Active Directory Domain Services, DNS, and .NET Framework) and setting up my IP settings, I was ready to add computers to my domain and create user accounts, computer accounts, group accounts, and organizational units (OUs) in Active Directory.

Creating group policy objects

*Note: After playing with the MalwareBytes console, I quickly came to the realization that in order to deploy MalwareBytes Enterprise to clients on my domain, the computers required .NET Framework 3.5. This is where group policy comes in handy. I was able to download a redistributable .NET Framework 3.5 .MSI package from Microsoft here: http://www.microsoft.com/en-us/download/details.aspx?id=65

.NET Framework 3.5 Installation Policy

Open MMC and add the snap-in "Group Policy Management". Open it, navigate to "Forest" > "Domains" > "tom.frickin.neilly" > "Group Policy Objects" > right-click > "New" > name it ".NET Framework 3.5".

Select the ".NET Framework 3.5" GPO > right-click > "Edit" > "Computer Configuration" > "Policies" > "Software Settings" > "Software Installation" > right-click "Software Installation" > "New" > "Package".

This is a part that I got hung up on for a bit. By default, when you select "New" > "Package", it opens a folder located at \\tom.frickin.neilly\SysVol\tom.frickin.neilly\scripts. I made the mistake of navigating to the folder where I had saved the package and tried adding it from there. After lots of frustration, I finally figured out that I had to move the .NET Framework 3.5 .MSI package to the pre-selected folder and add it from there. The reason is that the path stored in the GPO must be a UNC path that the client computer accounts can read at startup; a folder on the administrator's machine is not reachable by the clients, while the SYSVOL scripts folder is readable by every domain member. After selecting the package, click "Assigned" and the package is now created. Close the "Group Policy Management Editor" and go back to the MMC.
Under "Group Policy Objects", click the ".NET Framework 3.5" object. Here we can edit our Security Filtering. We want every domain machine to have this GPO, so I added "Domain Computers" to the Security Filtering to ensure the GPO applies to them. Afterwards, I always "Enforced" the GPO.

Still in "Group Policy Management", right-click the domain "tom.frickin.neilly" > "Link an Existing GPO" > ".NET Framework 3.5" > click "OK". The policy will now be applied to every member of the Domain Computers group, which is where all computers on my domain will be. Since I have already installed the .NET Framework 3.5 on the Domain Controller (DC1), there's no need to apply this GPO to the "Domain Controllers" OU as well. Now after joining the domain and rebooting, all machines should be equipped with the .NET Framework 3.5 that is required for the remote MalwareBytes installation.

Enable WMI Policy

After still failing to install MalwareBytes from the MB Server, I had to change my group policy to enable some Windows Firewall inbound rules. This seems to be the most reliable way to install the MalwareBytes software using the MalwareBytes Enterprise Console client push. Under my existing GPO (.NET Framework 3.5), I navigated to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Windows Firewall with Advanced Security" > "Inbound Rules" > right-click > "New Rule" > "Predefined" > "Windows Management Instrumentation (WMI)" > "Next" > check all of the rules and enable them. Now after forcing the group policy to update (from CMD, gpupdate /force), all the machines receiving the .NET Framework group policy will be ready to have MalwareBytes installed onto them.

Windows Firewall Policy

In order to allow VMs to communicate without completely disabling the firewall, I set another group policy to allow IP connections over the domain.
After creating a new GPO called "Firewall Rules", I went to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Windows Firewall with Advanced Security" > "Windows Firewall with Advanced Security – LDAP" > on the right pane, click "Windows Firewall Properties" > "Firewall state – On" > "Inbound Connections – Allow" > "Outbound Connections – Allow".

Remote Desktop Policy

I want to be able to remote desktop into all of my VMs without going through each one and changing the settings, so I will apply a group policy to do this across my entire domain. After creating a new GPO called "Remote Desktop", I went to "Computer Configuration" > "Policies" > "Administrative Templates" > "Windows Components" > "Remote Desktop Services" > "Remote Desktop Session Host" > "Connections" > "Allow users to connect remotely by using Remote Desktop Services" > Enabled.

Infected Machines Policy

Now I want to make another group policy to help me take care of infected machines. On the MalwareBytes Server, I created a folder called "VirusRemovalTools" and set the sharing and security permissions accordingly. "Computer Configuration" > "Policies" > "Administrative Templates" > "System" > "Logon" > "Run these programs at user logon" > right-click, "Edit" > "Enabled" > "Show" > insert the location of the desired script. I wrote a batch script that creates a folder on the current user's desktop and uses robocopy to copy all of the contents of the \\MalwareBytes\VirusRemovalTools$ share into it.

MalwareBytes-Server (PowerEdge VM)

Operating System : Windows Server 2012 R2 Datacenter
IP address : 10.10.10.20
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS server : 10.10.10.1

The next VM I installed was the MalwareBytes-Server, also using Windows Server 2012 R2 Datacenter. Upon installation of the OS, I moved directly to changing the system settings.
I renamed the machine to "MalwareBytes-Server", changed the IPv4 settings to be on the same internal network as the Domain Controller, and added the machine to my domain (tom.frickin.neilly). The main purpose of this VM is to run the MalwareBytes Enterprise console, which gives me the ability to remotely deploy (and remove) the MB software, run full scans on machines, and monitor network threats, which will help keep my computers and users safe from viruses, spyware, and potentially unwanted programs.

Installing the MalwareBytes Enterprise Console

This was a simple process. It was just a matter of running the installation wizard, entering the IP address of the MalwareBytes server, and using the default Admin credentials to log in to the console. After logging in and exploring the console, I created my own policy which specifies all of the settings for the client, such as when to scan, what to scan, when to update, how to update, where to store scan logs, and so on.

There are different ways to find computers to push the MalwareBytes software out to. One way is to do an IP scan of all the addresses on the network. Another is to select an OU from within Active Directory. The method I chose was to do an IP scan. The IP scan quickly found all 4 machines on my domain (the host server, DC1, MalwareBytes Server, and Windows 7 VM), and since they all had the necessary .NET Framework 3.5 installed thanks to the group policy from DC1, installations went easily. The client installations are completely silent: the user sees no progress bars or command prompts and does not have to click or agree to anything. They are completely unaware that they are in the process of becoming extremely resistant to malware.
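The group policies built in the "Creating group policy objects" sections (the WMI inbound rules, the Firewall Rules, Remote Desktop and Infected Machines GPOs) are what the console push above depended on. What follows is an added example, not the project's own configuration, that re-creates those policies with the GroupPolicy and NetSecurity PowerShell modules on DC1, so they can be reviewed and rebuilt without clicking through GPMC. It assumes the domain tom.frickin.neilly, that it runs as a Domain Admin on DC1, and a made-up path for the logon script; the .NET Framework 3.5 software-installation package has no cmdlet and stays a GPMC step. One deliberate difference from the page: the Firewall Rules GPO above sets the default inbound action to Allow, which admits any inbound connection that no rule explicitly blocks, so the example keeps the default at Block and copies in only the predefined rule groups the client push and Remote Desktop need.

```powershell
# Added example, not the project's own configuration: re-creates the Firewall
# Rules, Remote Desktop and Infected Machines GPOs from this write-up with the
# GroupPolicy and NetSecurity modules. Run on DC1 as a Domain Admin.
# Assumed: domain tom.frickin.neilly; the logon script path below is made up.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain     = 'tom.frickin.neilly'
$DomainDN   = 'DC=tom,DC=frickin,DC=neilly'
$ScriptPath = '\\MalwareBytes\VirusRemovalTools$\CopyTools.cmd'   # assumed; the page does not name the script

function New-DomainComputerGpo {
    # Create the GPO if missing, link it at the domain as Enforced, and add
    # Domain Computers to Security Filtering, matching the GPMC steps above.
    param([string]$Name, [string]$Comment)
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment -Domain $Domain }
    $links = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $DomainDN -Domain $Domain -LinkEnabled Yes -Enforced Yes | Out-Null
    }
    Set-GPPermission -Name $Name -Domain $Domain -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    return $gpo
}

# --- Firewall Rules: domain profile on, default inbound Block (the page used Allow),
# --- plus the predefined groups the console push and RDP need.
New-DomainComputerGpo -Name 'Firewall Rules' -Comment 'Domain profile on; inbound limited to WMI, SMB, RDP' | Out-Null
$Store = "$Domain\Firewall Rules"
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing', 'Remote Desktop') {
    # Copy the predefined local rules into the GPO store (errors on re-run are duplicates), then enable them there.
    Copy-NetFirewallRule -DisplayGroup $group -NewPolicyStore $Store -ErrorAction SilentlyContinue
    Enable-NetFirewallRule -PolicyStore $Store -DisplayGroup $group
}

# --- Remote Desktop: the registry value behind the Administrative Template
# --- 'Allow users to connect remotely by using Remote Desktop Services'.
New-DomainComputerGpo -Name 'Remote Desktop' -Comment 'Allow RDP connections' | Out-Null
Set-GPRegistryValue -Name 'Remote Desktop' -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# --- Infected Machines: 'Run these programs at user logon' stores its entries as
# --- numbered string values under Policies\Explorer\Run.
New-DomainComputerGpo -Name 'Infected Machines' -Comment 'Copy removal tools to the desktop at logon' | Out-Null
Set-GPRegistryValue -Name 'Infected Machines' -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' `
    -ValueName '1' -Type String -Value $ScriptPath | Out-Null

function Get-DomainGpoSummary {
    # One row per GPO: linked and enforced at the domain, and which trustees have Apply.
    $links = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks
    foreach ($name in 'Firewall Rules', 'Remote Desktop', 'Infected Machines') {
        $link  = $links | Where-Object { $_.DisplayName -eq $name }
        $apply = Get-GPPermission -Name $name -Domain $Domain -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{ GPO = $name; Linked = [bool]$link; Enforced = [bool]$link.Enforced; AppliesTo = ($apply -join ', ') }
    }
}
Get-DomainGpoSummary | Format-Table -AutoSize
Get-NetFirewallRule -PolicyStore $Store | Sort-Object DisplayGroup |
    Format-Table DisplayGroup, DisplayName, Direction, Profile, Enabled -AutoSize
```

On a client, gpupdate /force followed by gpresult /r /scope:computer confirms which GPOs applied. Rules copied into a GPO store keep the profile scope of the local predefined rules they came from, so a VM that has landed on the Private rather than the Domain profile will not match the Domain-only entries; the Get-NetFirewallRule listing at the end shows the Profile column to check against.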
Windows 7 VM (PowerEdge VM)

Operating System : Windows 7 Evaluation
IP address : 10.10.10.10
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS server : 10.10.10.1

This machine was for testing the different group policies and MalwareBytes Enterprise. Having multiple different operating systems for testing is important to be sure that everything works on different versions of Windows.

Microsoft Surface Pro 2 (Toms-Surface) – Physical machine

Operating System : Windows 8.1 Professional
IP address : 10.10.10.19
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS server : 10.10.10.1

The main purpose of the Microsoft Surface Pro 2 is to host another set of virtual machines, such as Fserv, the Backup Server, and a Linux based VM for fun. After joining my domain, I created two external virtual switches on the Surface to provide connectivity from DC1 to the Surface itself and the virtual machines. The first virtual switch (EXTERNAL) shares the physical NIC of the Surface's docking station, which allows communication with DC1. The second switch (INTERNET) shares the wireless adapter of the Surface to provide internet connectivity to the virtual machines.

Surface-FServ (Microsoft Surface Pro 2 VM)

Operating system : Windows Server 2012 R2 Datacenter
IP address : 10.10.10.18
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS : 10.10.10.1

On Surface-FServ, I put a few programs into the \\Surface-FServ\Fileshares folder that any domain user can access and download from. Only Domain Admins can write to this folder. I did not put much in this folder as it is just for simulation.
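Both Hyper-V hosts were given two external virtual switches (the PowerEdge section above and the Surface section here), and Surface-FServ got a share that Domain Users can read but only Domain Admins can write. The following is an added example, not the project's own commands, that does the Surface side of that in PowerShell: the two switches on Toms-Surface, then the Fileshares share on Surface-FServ with matching NTFS and share permissions, plus a check that the share grants nothing wider than intended. It assumes the adapter names 'Ethernet' (docking station) and 'Wi-Fi', the folder D:\Fileshares, the NetBIOS domain name TOMMY given in the Ubuntu section, and that Surface-FServ's first virtual adapter is the one that belongs on the internal switch; none of those names appear on the page.

```powershell
# Added example, not the project's own commands. Part 1 runs on Toms-Surface
# (Hyper-V host), part 2 on Surface-FServ. Assumed names: adapters 'Ethernet'
# and 'Wi-Fi', folder D:\Fileshares, NetBIOS domain TOMMY.

# --- Part 1 (Toms-Surface): one external switch per physical adapter ---
function New-ExternalSwitch {
    param([string]$Name, [string]$AdapterName)
    # External switch bound to a physical adapter; -AllowManagementOS keeps the
    # host itself reachable through that adapter (the dock NIC must still reach DC1).
    if (-not (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $Name -NetAdapterName $AdapterName -AllowManagementOS $true | Out-Null
    }
    Get-VMSwitch -Name $Name
}
New-ExternalSwitch -Name 'EXTERNAL' -AdapterName 'Ethernet'   # dock NIC, 10.10.10.0/24 towards DC1
New-ExternalSwitch -Name 'INTERNET' -AdapterName 'Wi-Fi'      # shared wireless uplink
# Put Surface-FServ's first virtual NIC on the internal-network switch.
Get-VMNetworkAdapter -VMName 'Surface-FServ' | Select-Object -First 1 |
    Connect-VMNetworkAdapter -SwitchName 'EXTERNAL'

# --- Part 2 (Surface-FServ): share readable by Domain Users, writable by Domain Admins ---
$Path = 'D:\Fileshares'
New-Item -ItemType Directory -Path $Path -Force | Out-Null
# NTFS: drop inherited ACEs (/inheritance:r) and grant only what is needed.
icacls $Path /inheritance:r `
    /grant:r 'TOMMY\Domain Admins:(OI)(CI)F' 'TOMMY\Domain Users:(OI)(CI)RX' 'SYSTEM:(OI)(CI)F' | Out-Null
# Share ACL: with explicit entries New-SmbShare does not add its default 'Everyone: Read'.
if (-not (Get-SmbShare -Name 'Fileshares' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Fileshares' -Path $Path `
        -FullAccess 'TOMMY\Domain Admins' -ReadAccess 'TOMMY\Domain Users' | Out-Null
}

function Test-FileshareAccess {
    # True only if no share ACE grants Everyone anything, and Domain Users nothing above Read.
    $aces = Get-SmbShareAccess -Name 'Fileshares'
    $bad  = $aces | Where-Object {
        $_.AccountName -eq 'Everyone' -or
        ($_.AccountName -like '*\Domain Users' -and $_.AccessRight -ne 'Read')
    }
    return -not $bad
}
Get-SmbShareAccess -Name 'Fileshares' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Test-FileshareAccess
```

Share and NTFS permissions are evaluated together and the more restrictive wins, so setting both to the same least-privilege pattern avoids the common mistake of a wide-open share ACL hiding behind a tight NTFS ACL, or the reverse.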
Ubuntu (Microsoft Surface VM)

Operating system : Ubuntu 14.04 LTS
IP address : 10.10.10.17
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS : 10.10.10.1

https://www.youtube.com/watch?v=eRtT_C6KBJs
http://bjtechnews.org/2014/09/03/joining-ubuntu-to-windows-active-directory-notes/

The main purpose of installing a Linux VM (Ubuntu 14.04 LTS) was to see if I could successfully add it to my Windows domain, which I did thanks to this excellent tutorial. I am going to paste these steps from this tutorial in case this site and video ever get taken down, because they are absolutely worth keeping. I followed along with zero problems and afterwards everything worked as it should.

*The indented lines are exactly what you paste into the terminal.

These are the steps:

Adding an Ubuntu 14.04 LTS desktop to Windows Active Directory

Open the terminal and paste these 'wget' commands in this exact order:

    wget http://de.archive.ubuntu.com/ubuntu/pool/main/l/likewise-open/likewise-open_6.1.0.406-0ubuntu10_amd64.deb
    wget http://de.archive.ubuntu.com/ubuntu/pool/main/libg/libglade2/libglade2-0_2.6.4-1ubuntu3_amd64.deb
    wget http://de.archive.ubuntu.com/ubuntu/pool/universe/l/likewise-open/likewise-open-gui_6.1.0.406-0ubuntu10_amd64.deb

Open the terminal and get root:

    sudo -s

Enter your password.

Install the packages (dpkg -i unpacks and installs each .deb; keep this order, since the GUI package depends on the other two):

    sudo dpkg -i likewise-open_6.1.0.406-0ubuntu10_amd64.deb
    sudo dpkg -i libglade2-0_2.6.4-1ubuntu3_amd64.deb
    sudo dpkg -i likewise-open-gui_6.1.0.406-0ubuntu10_amd64.deb

Time to access the Likewise GUI to join your Windows Active Directory. *This will bring up a GUI that allows you to join the Windows domain.
    sudo domainjoin-gui

Domain – tom.frickin.neilly (or whatever your domain may be)
Prefix – TOMMY (the prefix for my domain)
Click 'Join Domain'.
Reboot the Ubuntu machine and log back in.

Open the terminal and navigate to this directory, then get root:

    cd /usr/share/lightdm/lightdm.conf.d/
    sudo -s

Enter your password, then open the configuration file:

    gedit 50-ubuntu.conf

This will open the 50-ubuntu.conf text file and allow you to make changes. In the text file, add these two lines to the configuration:

    allow-guest=false
    greeter-show-manual-login=true

Click "Save" and reboot the Ubuntu machine.

After rebooting, there should be another option called "Login". Click "Login", and for the username enter the full domain and your domain user name (example: tom.frickin.neilly\tneilly) and your domain user's password. You should now be logged in as your Windows domain account.

*Note: you may have to log in as the local Ubuntu administrator and log back out before the "Login" option is available. Rebooting again is not necessary.

BackupServer (Microsoft Surface VM)

Operating system : Windows Server 2012 R2 Datacenter
IP address : 10.10.10.13
Subnet mask : 255.255.255.0
Default gateway : 10.10.10.1
DNS : 10.10.10.1

While I did create a BackupServer VM, I unfortunately did not have enough time to actually set up the backup server. Sorry.