Creating a Win VM and adding it to AD

Cybersecurity Monitoring Lab – Part 6.2 – GPO and adding WIN VM to AD

HOMELAB

Rezwan Siddique

11/16/2023 · 6 min read

Add Group Policy Object

This step is not mandatory, but setting password policies is best practice for Active Directory.

- Open Group Policy Management Console (GPMC):

- On Server Manager, go to “Group Policy Management.”

Link the GPO:

- Right-click on the newly created GPO and choose "Edit."

- In the Group Policy Management Editor, navigate to `Computer Configuration` > `Policies` > `Windows Settings` > `Security Settings` > `Account Policies` > `Password Policy`.

Create a New Group Policy Object (GPO)

- In the GPMC, navigate to "Forest" > "Domains" > your domain.

- Right-click on "Group Policy Objects" and choose "New."

- Name the New GPO:

- Enter a descriptive name for the new GPO, e.g., "Password Policy."

Configure Password Policy Settings: (Because we want our users to set their own password when they first log in, I am setting some parameters for acceptable passwords.)

- Adjust the following settings (double-click a policy to set its value, and check the Explain tab if you need more info):

- `Enforce password history`: Set the number of remembered passwords.

- `Maximum password age`: Define the password expiration period.

- `Minimum password age`: Specify the minimum time a password must be used before changing.

- `Minimum password length`: Set the minimum characters required.

- `Password must meet complexity requirements`: Enable for strong passwords.

** Please check the Explain tab for clarification of all these parameters.

- Configure Account Lockout Policy:

- In the same GPO, navigate to `Account Lockout Policy`:

- `Account lockout duration`: Set the duration an account remains locked.

- `Account lockout threshold`: Specify the number of failed login attempts.

- `Reset account lockout counter after`: Define the reset period.

Apply & Update Group Policy:

- Close the Group Policy Management Editor.

- Run `gpupdate /force` in Command Prompt on domain-joined machines to force an immediate update.

With this update, users must change their default password when they log in and must meet the complexity requirements when setting a new password. Also, if there are any unauthorized login attempts, the account will be locked out for 5 minutes after 5 invalid logon attempts. We will test all these features once we install our WIN10 machines on our Proxmox.
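To confirm the GPO actually took effect, compare the effective domain policy with a baseline. This is an added example, not part of the original post. It assumes it runs on the domain controller with the ActiveDirectory module available; only the two lockout values (5 attempts, 5 minutes) come from this page, and every other number is a sample value to replace with your own.

```powershell
# Added example: compare the effective domain password and lockout policy with a baseline.
# Run on the domain controller (ActiveDirectory module required).
Import-Module ActiveDirectory

# Baseline. The lockout threshold and duration are the values used in this lab.
# Everything marked "assumed" is a sample value; set it to what you chose in the GPO.
$expected = [ordered]@{
    ComplexityEnabled        = $true
    MinPasswordLength        = 12                        # assumed
    PasswordHistoryCount     = 10                        # assumed
    MaxPasswordAge           = New-TimeSpan -Days 90     # assumed
    MinPasswordAge           = New-TimeSpan -Days 1      # assumed
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 5
    LockoutObservationWindow = New-TimeSpan -Minutes 5   # assumed
}

# What the domain is really enforcing, regardless of what the GPO editor shows.
$actual = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual.$name
        Match    = ($actual.$name -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# Flag drift. Account policies only apply to domain accounts when the GPO
# is linked at the domain root, so that is the first thing to check.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the baseline. Check that the GPO is linked at the domain root, then rerun gpupdate /force." -f $drift.Count)
}
```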

Installing the Windows VM will be similar to the Windows Server install.

Go to this page to download a trial version of Windows 10 Enterprise or Pro. You can use dummy information.

https://info.microsoft.com/ww-landing-windows-10-enterprise.html

Download the 64-bit version and upload it to Proxmox.

We also need the VirtIO drivers. The direct download for the latest stable version is here:

https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso

The links for the iso can also be found in the Proxmox docs:

https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers#Wizard_Installation

Create a new VM.

On the System tab, check the Qemu Agent box. If you don’t see the option, make sure the Advanced box is checked at the bottom of the window. Click Next.

Choose “SCSI” as the bus device. Select “Write Back” for cache and check the “Discard” box. For Disk Size I am selecting 80GB, you can select it depending on your disk size (Min 20GB).

Choose the Windows 10 iso. Select Microsoft Windows as the OS.

Select the number of cores appropriate for your host system’s resources. I’m using 2 and also going with 6GB of RAM.

This machine is going on our Active Directory subnet, so the network interface will be vmbr1. VLan Change the “Model” to “VirtIO (paravirtualized).” Then finish making the VM. Don’t start it yet.

Click on the Windows 10 node that was just made. Click on “Hardware” and then add a new CD/DVD drive.

These are the same steps that we took during the Windows 2019 server setup.

Choose the virtio iso that was downloaded earlier. Now, start the machine.

Accept the license terms. Choose custom install.

At the next screen, you won’t see a hard drive to choose. That’s normal. Click “Load Driver” from the options at the bottom.

Choose browse at the next screen. Go to the drive with the virtio driver. Go to the vioscsi folder. Under that folder, open the w10 folder and click on the amd64 folder. Then click OK.

You should see a driver highlighted in the window now. Click next.

Back at the main screen, you should see there’s a hard drive now. Before continuing, we need to install the network drivers. Click “Load Driver” again.

This time, navigate to the NetKVM folder of the virtio iso. Go to the w10 folder and highlight amd64. Hit okay and you should see another driver in the window. Click next.

Click next. Wait for the installation to finish.

Choose the region and keyboard options appropriate for you.

Choose “I don’t have internet.” We’ll configure it later.

Choose “Continue with limited setup.” We’re going to install as few features as possible.

Choose a username for this PC.

Create a password and answers for the security questions.

Turn off all of the extra settings. Decline using Cortana. Wait for the PC to start up.

If you want to attach an existing WIN VM to this network and AD, follow the steps below.

First shut down the Win VM. Click on the VM and select Network Device on the right. Change the bridge to vmbr1 and the VLAN tag to 100 (as we want to connect to the AD network). Change the model to VirtIO. If you start the VM and don't see any internet connection or network adapter, you need to install VirtIO for Windows. In that case, shut down the VM, go back to the network device, select model Intel E1000 and start the VM; this should give you an internet connection. Then go to https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.240-1/ and download the x64.msi or x86.msi depending on your machine, and install it. Once done, shut down the VM, change the network device model to VirtIO, start the VM and continue with the steps below.

Join Domain

Once installation is done, log in to the system using the username and password that you set during the installation process. After that, open “About PC.” Scroll down to “Rename this PC (Advanced).”

Click “Change.”

Rename the PC and add the name of the domain.

Enter the admin credentials then press “OK.” You should get a confirmation after. Restart the PC.

Confirm the computer has joined the domain by checking for it in the Server Manager on the domain controller.
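The same join and a client-side confirmation can be scripted. This is an added example, not part of the original post; `lab.example` and `WIN10-01` are placeholder names for your own domain and PC name, and the script is meant for an elevated PowerShell session on the Windows 10 VM.

```powershell
# Added example: join the domain if needed, otherwise report the join state.
# 'lab.example' and 'WIN10-01' are placeholders; use your own domain and PC name.
$DomainName = 'lab.example'
$NewName    = 'WIN10-01'

function Test-DomainJoin {
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        DomainMatches = ($cs.Domain -eq $Domain)
        # Verifies the machine account's trust relationship with a domain controller.
        SecureChannel = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { $false }
    }
}

$state = Test-DomainJoin -Domain $DomainName
if (-not $state.PartOfDomain) {
    # The domain name must resolve through the DC's DNS before a join can succeed.
    Resolve-DnsName -Name $DomainName -ErrorAction Stop | Out-Null
    # Prompts for the domain admin credentials, renames the PC, joins and restarts.
    Add-Computer -DomainName $DomainName -NewName $NewName -Credential (Get-Credential) -Restart
} else {
    $state | Format-List
}
```

After the restart, run the script again: `PartOfDomain`, `DomainMatches` and `SecureChannel` should all be `True`.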

Test Logging in to Domain

Switch back to the Windows machine. We’re going to log in as one of the users created on the domain controller. At the login screen, choose “Other User.” You should see the name of your domain below the login fields. Log in with any user and the password will be Password1.

It should prompt you to change the password.

Set the new password. If it doesn't meet the password complexity requirements, the new password will not be accepted until the proper length and complexity criteria are met.

Once the password is set, it should take a couple of minutes to complete the setup.

Open the command prompt and run ipconfig. You should see you’re connected to the domain under the “DNS Suffix” line.

This proves our GPO password policy works and that we are connected to our domain.