Class Setup Guide



KASPERSKY LAB
KL 031.30. Kaspersky Security for Virtualization 3.0. Light Agent
Class Setup Guide

Chapter 1. Description
1.1 Guide Description
This Guide helps to prepare a class for the "Kaspersky Security for Virtualization 3.0. Light Agent" training.
The guide describes the class setup in detail (virtual machines, their characteristics and interrelations) for trainers
who need to thoroughly understand the training environment.
For technicians who just prepare the class and do not want or need to understand the training environment, the guide
contains step-by-step instructions on how to configure physical and virtual computers.
Additionally, the guide explains the reasons why the described configuration was selected and how the instruction
can be changed depending on the available equipment.
1.2 Environment Description
All labs will be done on virtual machines. The guide presumes that VMware Workstation is used.
An abstract ABC company is considered in the labs. Its computers belong to the abc.lab domain.
Computers
The following computers will be used in the labs:
DC: domain controller and DNS server of the abc.lab domain. It is used in all labs as an infrastructure
element, meaning that it must be running, but no actions are performed on it.
Client: a user's workstation from which he or she connects to an RDS virtual machine. RemoteFX
demonstration requires the latest version of the RDP protocol that can be installed on Windows 7 SP1. We
will use Windows 8 in our labs, where everything works out of the box.
Hyper-V: the hypervisor where the virtual machines listed below are deployed; it also runs the roles
necessary for Remote Desktop Services.
Router: a virtual machine that connects the external network (VMware NAT) and virtual networks.
It also performs the roles of a DHCP server and DNS relay.
Security-Center (or SC): a computer whose main role is to be the Administration Server in the ABC
company. It belongs to the ABC domain and has a static IP address.
Master: a template virtual machine for the Remote Desktop Services collection.
SVM-FO: a virtual machine, the Protection Server of Kaspersky Security for Virtualization. It will be
used for demonstrating how the Light Agent switches between the Protection Servers if one of them
malfunctions.

Domain
All computers belong to the ABC domain.
Users
The account of the domain administrator (ABC\Administrator) will be used on most of the computers.
The ABC\Alex account will be used for accessing virtual machines belonging to the Remote Desktop Services pool.
The password is Ka5per5Ky for all users.
Subnets
Two subnets are configured for virtual machines in ABC company: 10.28.1.0/24 and 10.28.2.0/24. The former is
designed for servers (the Administration Server will belong to it), and the latter is for Remote Desktop Services
virtual machines. The domain controller should not run within Hyper-V to avoid connectivity issues; therefore,
the DC machine is configured within the VMware NAT network. It is necessary to change the default address for
this network: open Edit | Virtual Network Editor, select the NAT interface (usually, VMNet8) and specify address
10.28.0.0/24.
These specific addresses of subnets are not particularly important, but they were used when designing the course
labs and are mentioned in the Lab Guide.
The network schema is as follows

Operating systems
The computers that perform server functions are running Windows 2012 Standard Edition. On other computers,
Windows 8 Enterprise is installed.

Hardware requirements
The host machine must have at least 12 GB RAM, preferably 16 GB.
Another (and maybe even more important) bottleneck is the disk subsystem. A host machine with one HDD drive
usually cannot ensure comfortable performance. An SSD drive or performance-oriented RAID configuration is
preferred.

Chapter 2. Class Setup Guide
2.1 DC
1. Create a virtual machine with the following minimal configuration:
1024 MB RAM
40 GB hard drive
One network adapter (NAT)
2. Install Windows Server 2012 Standard:
Computer name: DC
IP address: 10.28.0.10
DNS server and gateway: 10.28.0.2
Local administrator password: Ka5per5Ky
3. Add the Active Directory Domain Services server role with the following parameters:
New forest;
Root domain named abc.lab;
Password for the directory services restore mode: Ka5per5Ky;
Other parameters: by default.
4. Add domain users
Alex with Ka5per5Ky password
5. Modify the domain policy
In the Server Manager, select Tools | Group Policy Management, then on the shortcut menu of the
Domains / abc.lab / Default domain policy object, click Edit
Disable automatic Windows Updates (in Group Policy Object Editor, expand Computer
Configuration, Administrative Templates, Windows Components, click Windows Update, double-
click Configure Automatic Updates, and then click Disabled)
Disable Windows Defender (in Group Policy Object Editor, expand Computer Configuration,
Administrative Templates, Windows Components, click Windows Defender, double-click Turn
off Windows Defender, and then click Enabled)
Enable RDP redirection of RemoteFX USB Devices (in Group Policy Object Editor, expand
Computer Configuration, Administrative Templates, Windows Components, click Remote
Desktop Services, Remote Desktop Connection Client, RemoteFX USB Device Redirection, then
set Allow RDP redirection of the supported RemoteFX USB Devices from this computer to
Enabled and change RemoteFX USB Redirection Access Rights to Administrators and Users)
Disable Windows Firewall for the domain profile (In Group Policy Object Editor: User
Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced
Security)

Disable SmartScreen Filter for the Internet Zone (in Group Policy Object Editor: User Configuration,
Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control
Panel, Security Page, Internet Zone, Turn on SmartScreen Filter scan = Disabled)
Disable Maximum Password Age: select Not Defined for this parameter (in Group Policy Object
Editor: User Configuration, Policies, Windows Settings, Security Settings, Account Policies,
Password Policy)
6. For the Administrator and Alex users, enable the Password never expires parameter
7. Reduce RAM to 860 MB (optional)
8. When all virtual machines are ready, turn off DC and make a snapshot named Ready
2.2 Client
1. Create a virtual machine with the following minimal configuration:
1 GB RAM
40 GB hard drive
NAT network adapter
2. Install Windows 8 Enterprise Edition:
Computer name: Client
Network parameters:
IP address: 10.28.0.110
Default gateway: 10.28.0.2
DNS server: 10.28.0.10
Local administrator password: Ka5per5Ky
3. Join Client to ABC domain
4. Add route to the VDI subnet:
Run PowerShell as administrator. Find out the ifIndex of the adapter:
Get-NetAdapter
Carry out:
New-NetRoute -DestinationPrefix 10.28.2.0/24 -NextHop 10.28.0.3 -ifIndex <adapter index>
5. Enable redirection of removable USB devices. Run the following command from an elevated command
prompt:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces" /v 101 /t REG_SZ /d {A5DCBF10-6530-11D2-901F-00C04FB951ED} /f
6. Turn off the machine and make a snapshot named Ready

2.3 Hyper-V
1. Create a virtual machine with the following minimal configuration:
2 CPU cores
8 GB RAM
150 GB hard drive
Network adapter connected to VMware NAT
2. Install Windows Server 2012 Enterprise Edition:
Computer name: Hyper-V
NAT network adapter parameters:
IP address: 10.28.0.50
Default gateway: 10.28.0.2
DNS server: 10.28.0.10
Local administrator password: Ka5per5Ky
3. Edit the configuration file of the virtual machine to enable installation of the Hyper-V role on the VMware
Workstation hypervisor:
Turn off Hyper-V
In the folder of the Hyper-V virtual machine, open Hyper-V.vmx with Notepad and add the following
string: hypervisor.cpuid.v0 = "FALSE"
4. Select Virtualization engine
Open the settings of the virtual machine in VMware Workstation
Click the processor and select Virtualize Intel VT-x/EPT or AMD-V/RVI
5. Power on the virtual machine
6. Join Hyper-V to ABC domain
7. Log on to the system under the ABC\Administrator account
8. Add the Hyper-V server role
Proceed through all steps. Do not change anything except:
Select the network adapter for the virtual switch
9. Pin the Hyper-V Manager shortcut to the taskbar
10. Create two virtual switches
Open the Server Manager console, select Tools | Hyper-V Manager
In the right pane, select Virtual Switch Manager
Select New virtual network switch, then select Private and click Create Virtual Switch
Rename the switch to Servers and click Apply
Likewise, create another Private switch named VDI
Rename the virtual switch created during the Hyper-V installation to External
11. Set up the Router computer (see below)
12. Deploy the Master virtual machine (see below)

13. Install Remote Desktop Services
In the Add Roles and Features Wizard, select Remote Desktop Services installation
Select Standard Deployment
Select Virtual machine-based desktop deployment
Add the following roles to the Hyper-V computer one by one:
RD Connection Broker server
RD Web Access server
RD Virtualization Host server
14. Create a collection
Make sure that the Router computer is configured and running
Open Server Manager | Remote Desktop Services | Collections
In the Collections section, click Tasks | Create Virtual Desktop Collection
Type Lab for the collection name
Select the Master computer for the template
Select the time zone and domain name: abc.lab
Specify the number of machines in the collection: 1. You can specify 2 if the resources are plentiful;
however, re-creating the collection will take more time during the labs in this case
Disable User profile disks
15. Set up the Master computer
Power on the virtual machine
Complete the initial setup wizard, similarly to an installation
You will have to create a new user, for example, User2
(Optional) Delete User2
Join the Master computer to the domain
16. In the C:\Users\Public\Documents\Hyper-V\Virtual hard disks folder (virtual machine hard drives are
stored here by default), create a directory named SVM-FO
17. Deploy the SVM-FO virtual machine (described in the Security-Center section)
18. Open the properties of the SVM-FO virtual machine and change the network to VDI
19. Shut down all virtual machines except for Router and Lab-0 (a virtual machine from the Remote Desktop
Services collection). The Router should not be shut down, so that it starts up as soon as the Hyper-V
computer starts. Shut down Hyper-V and make a snapshot named Ready.
2.4 Router
1. Vyatta Core is used for the router. Its distribution can be downloaded from
http://www.vyatta.org/downloads (Virtualization ISO)
2. In the Hyper-V Manager console, create a virtual machine with the following configuration:
Name: Router
128 MB RAM
Network adapter connected to the External switch
1 GB hard disk
Boot from the Vyatta Live CD iso image

3. Add two more cards
Open the virtual machine settings
On the Add Hardware tab, select Network Adapter
Click Add
Select the Servers virtual switch for the created network adapter
Click Apply
Similarly, add a network adapter connected to the VDI switch
4. Power on the virtual machine
5. Log on to the system using the vyatta login and vyatta password

6. Carry out the install-image command
7. To confirm image installation to the hard drive, type Yes
8. Reject RAID-1 mirroring if two disks are found: No

9. Partitioning: Auto

10. Select the sda drive for the installation
11. Confirm destroying all data on it: Yes
12. Allocate all available disk space to the root directory: ENTER. The installer will create and mount the file
system

13. Agree to the offered image name: ENTER
14. Agree to copying config.boot: ENTER
15. Specify the administrator's password, for example, Ka5per5Ky

16. Allow GRUB to modify the boot partition on the sda drive: ENTER
17. Carry out the poweroff command
18. Confirm: Yes
19. On the virtual machine menu, click Media | DVD Drive, then Eject

20. Power on the virtual machine
21. Log on to the system with the vyatta username and the password specified earlier
22. Use the configure command to enter the configuration mode
23. Configure network interfaces:
set interfaces ethernet eth0 address 10.28.0.3/24
set interfaces ethernet eth1 address 10.28.1.1/24
set interfaces ethernet eth2 address 10.28.2.1/24
24. Configure the default gateway and DNS
set system gateway-address 10.28.0.2
set system name-server 10.28.0.10
25. Save the settings
commit
save
26. Configure NAT:
set nat source rule 10
set nat source rule 10 source address 10.28.1.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address 10.28.0.3
set nat source rule 20
set nat source rule 20 source address 10.28.2.0/24
set nat source rule 20 outbound-interface eth0
set nat source rule 20 translation address 10.28.0.3
27. Configure DHCP:

set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 dns-server 10.28.0.10
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 dns-server 10.28.0.10
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1
28. Save the settings
commit
save
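A consistency check for the router settings in steps 23-27, as an added example that is not part of the original guide: it parses the Vyatta commands and verifies that each DHCP pool lies inside its subnet, that its default router is a router interface, that the subnet has a source NAT rule, and that no static lab address falls inside a pool. The names check_plan, VYATTA_CONFIG and STATIC_HOSTS are chosen here for illustration.

```python
import ipaddress
import re

# Router commands from steps 23-27 above (the page's own values; lines the checks do not need are omitted).
VYATTA_CONFIG = """\
set interfaces ethernet eth0 address 10.28.0.3/24
set interfaces ethernet eth1 address 10.28.1.1/24
set interfaces ethernet eth2 address 10.28.2.1/24
set nat source rule 10 source address 10.28.1.0/24
set nat source rule 20 source address 10.28.2.0/24
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1
"""
# Static addresses the guide assigns to lab machines (sections 2.1-2.3 and 2.5).
STATIC_HOSTS = {"DC": "10.28.0.10", "Client": "10.28.0.110", "Hyper-V": "10.28.0.50", "Security-Center": "10.28.1.20"}

def check_plan(config, static_hosts):
    """Hypothetical helper: return a list of problems; an empty list means the plan is consistent."""
    ifaces = [ipaddress.ip_interface(a) for a in re.findall(r"ethernet \S+ address (\S+)", config)]
    nat_sources = {ipaddress.ip_network(n) for n in re.findall(r"nat source rule \d+ source address (\S+)", config)}
    pools = re.findall(r"shared-network-name (\S+) subnet (\S+) start (\S+) stop (\S+)", config)
    routers = dict(re.findall(r"subnet (\S+) default-router (\S+)", config))
    problems = []
    for name, subnet, start, stop in pools:
        net = ipaddress.ip_network(subnet)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
        if not (lo in net and hi in net and lo <= hi):
            problems.append(f"{name}: pool {start}-{stop} is not a valid range inside {subnet}")
        gw = routers.get(subnet)
        if gw is None or not any(i.ip == ipaddress.ip_address(gw) and i.network == net for i in ifaces):
            problems.append(f"{name}: default-router {gw} is not a router interface in {subnet}")
        if net not in nat_sources:
            problems.append(f"{name}: no source NAT rule covers {subnet}")
        for host, addr in static_hosts.items():
            if lo <= ipaddress.ip_address(addr) <= hi:
                problems.append(f"{name}: static host {host} ({addr}) collides with the DHCP pool")
    for host, addr in static_hosts.items():
        if not any(ipaddress.ip_address(addr) in i.network for i in ifaces):
            problems.append(f"{host}: {addr} is on no subnet the router serves")
    return problems

if __name__ == "__main__":
    for line in check_plan(VYATTA_CONFIG, STATIC_HOSTS) or ["plan is consistent"]:
        print(line)
```

Rerun the check with edited values whenever the subnets are changed to fit the available equipment.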
2.5 Security-Center
1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:
Name: Security-Center
1536 MB RAM
40 GB hard drive
Network adapter connected to the Servers switch
2. Install Windows Server 2012 Standard Edition:
Computer name: Security-Center
Network parameters:
IP address: 10.28.1.20
Default gateway: 10.28.1.1
DNS server: 10.28.0.10
Local administrator password: Ka5per5Ky
3. Join Security-Center to the domain
4. Log on to the system under the ABC\Administrator account
5. Install Kaspersky Security Center 10 MR1 with the default settings; do not install plug-ins
6. Add Kaspersky Security Center icon to the taskbar
7. Create the following folder structure on the desktop:
LA: root folder. Copy klcfginst.exe (the Protection Server plug-in) into it. Create two more folders
within it:
Agent: a folder for the Light Agent. Copy the Light Agent distribution there
SVM: download the Protection Server image with its XML description from kaspersky.com and
unpack it into this folder
8. Install the Protection Server plug-in
9. Install the Protection Server
Name: SVM-FO
Image folder path: C:\Users\Public\Documents\Hyper-V\Virtual hard disks\SVM-FO
Network: Servers
Password for the root user: Ka5per5Ky

10. Run the Download updates to the repository task.
11. Create and run a key installation task for specific computers; in the computer adding window, select
Specify computer names manually or import from the list, then add SVM by IP address
12. Run the key installation task on the Protection Server
13. Create and run an Update task for the Protection Server in a similar manner
14. Delete the key installation and update tasks
15. Delete the Protection Server plug-in
16. Shut down SVM-FO and reduce RAM to 512 MB
2.6 Master
1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:
Name: Master
1024 MB RAM
40 GB hard drive
Network adapter connected to the VDI switch
2. Install Windows 8 Enterprise Edition:
Computer name: Master
Network settings: DHCP
Local administrator password: Ka5per5Ky
3. Join the Master computer to the domain
4. Log on to the system under the ABC\Alex account
5. Copy the eicar_com.zip archive to the C:\Users\Alex.ABC\Downloads folder
6. Prepare a template:
Run cmd as administrator.
Carry out:
Sysprep\sysprep.exe /generalize /oobe /shutdown /mode:vm
