This guide helps to prepare a class for the "Kaspersky Security for Virtualization 3.0. Light Agent" training. The guide describes the class setup in detail (virtual machines, their characteristics and interrelations). For technicians who just prepare the class, the guide contains step-by-step instructions on how to configure physical and virtual computers.
KASPERSKY LAB KL 031.30. Kaspersky Security for Virtualization 3.0. Light Agent Class Setup Guide
Chapter 1. Description

1.1 Guide Description

This guide helps to prepare a class for the "Kaspersky Security for Virtualization 3.0. Light Agent" training. The guide describes the class setup in detail (virtual machines, their characteristics and interrelations) for trainers who need to thoroughly understand the training environment. For technicians who just prepare the class and do not want or need to understand the training environment, the guide contains step-by-step instructions on how to configure physical and virtual computers. Additionally, the guide explains why the described configuration was selected and how the instructions can be changed depending on the available equipment.

1.2 Environment Description

All labs will be done on virtual machines. The guide presumes that VMware Workstation is used.

An abstract ABC company is considered in the labs. Its computers belong to the abc.lab domain.

Computers

The following computers will be used in the labs:
- DC: domain controller and DNS server of the abc.lab domain. It is used in all labs as an infrastructure element, meaning that it must be running, but no actions are performed on it.
- Client: a user's workstation from which he or she connects to an RDS virtual machine. The RemoteFX demonstration requires the latest version of the RDP protocol that can be installed on Windows 7 SP1. We will use Windows 8 in our labs, where everything works out of the box.
- Hyper-V: the hypervisor where the virtual machines listed below are deployed; it also runs the roles necessary for Remote Desktop Services.
- Router: a virtual machine that connects the external network (VMware NAT) and the virtual networks. It also performs the roles of a DHCP server and DNS relay.
- Security-Center (or SC): a computer whose main role is to be the Administration Server in the ABC company. It belongs to the ABC domain and has a static IP address.
- Master: a template virtual machine for the Remote Desktop Services collection.
- SVM-FO: a virtual machine, the Protection Server of Kaspersky Security for Virtualization. It will be used for demonstrating how the Light Agent switches between the Protection Servers if one of them malfunctions.
Domain

All computers belong to the ABC domain.

Users

The account of the domain administrator (ABC\Administrator) will be used on most of the computers. The ABC\Alex account will be used for accessing virtual machines belonging to the Remote Desktop Services pool. The password is Ka5per5Ky for all users.

Subnets

Two subnets are configured for virtual machines in the ABC company: 10.28.1.0/24 and 10.28.2.0/24. The former is designed for servers (the Administration Server will belong to it), and the latter for Remote Desktop Services virtual machines. The domain controller should not run within Hyper-V, to avoid connectivity issues; therefore, the DC machine is configured within the VMware NAT network. It is necessary to change the default address for this network: open Edit | Virtual Network Editor, select the NAT interface (usually VMnet8) and specify the address 10.28.0.0/24.

These specific subnet addresses are not particularly important, but they were used when designing the course labs and are mentioned in the Lab Guide.

The network schema is as follows
Operating systems

The computers that perform server functions are running Windows 2012 Standard Edition. On other computers, Windows 8 Enterprise is installed.
Hardware requirements

The host machine must have at least 12 GB RAM, preferably 16 GB. Another (and maybe even more important) bottleneck is the disk subsystem. A host machine with one HDD drive usually cannot ensure comfortable performance. An SSD drive or performance-oriented RAID configuration is preferred.
Chapter 2. Class Setup Guide

2.1 DC

1. Create a virtual machine with the following minimal configuration:
   - 1024 MB RAM
   - 40 GB hard drive
   - One network adapter (NAT)
2. Install Windows Server 2012 Standard:
   - Computer name: DC
   - IP address: 10.28.0.10
   - DNS server and gateway: 10.28.0.2
   - Local administrator password: Ka5per5Ky
3. Add the Active Directory Domain Services server role with the following parameters:
   - New forest
   - Root domain named abc.lab
   - Password for the directory services restore mode: Ka5per5Ky
   - Other parameters: by default
4. Add the domain user Alex with the password Ka5per5Ky
5. Modify the domain policy:
   - In the Server Manager, select Tools | Group Policy Management, then on the shortcut menu of the Domains / abc.lab / Default domain policy object, click Edit
   - Disable automatic Windows Updates (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Windows Update, double-click Configure Automatic Updates, and then click Disabled)
   - Disable Windows Defender (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Windows Defender, double-click Turn off Windows Defender, and then click Enabled)
   - Enable RDP redirection of RemoteFX USB Devices (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Remote Desktop Services, Remote Desktop Connection Client, RemoteFX USB Device Redirection, then set Allow RDP redirection of the supported RemoteFX USB Devices from this computer to Enabled and change RemoteFX USB Redirection Access Rights to Administrators and Users)
   - Disable Windows Firewall for the domain profile (in Group Policy Object Editor: User Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security)
   - Disable SmartScreen Filter for the Internet Zone (in Group Policy Object Editor: User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, Internet Zone, Turn on SmartScreen Filter scan = Disabled)
   - Disable Maximum Password Age: select Not Defined for this parameter (in Group Policy Object Editor: User Configuration, Policies, Windows Settings, Security Settings, Account Policies, Password Policy)
6. For the Administrator and Alex users, enable the Password never expires parameter
7. Reduce RAM to 860 MB (optional)
8. When all virtual machines are ready, turn off DC and make a snapshot named Ready

2.2 Client

1. Create a virtual machine with the following minimal configuration:
   - 1 GB RAM
   - 40 GB hard drive
   - NAT network adapter
2. Install Windows 8 Enterprise Edition:
   - Computer name: Client
   - Network parameters:
     - IP address: 10.28.0.110
     - Default gateway: 10.28.0.2
     - DNS server: 10.28.0.10
   - Local administrator password: Ka5per5Ky
3. Join Client to the ABC domain
4. Add a route to the VDI subnet:
   - Run PowerShell as administrator.
   - Find out the ifIndex of the adapter:
       Get-NetAdapter
   - Carry out:
       New-NetRoute -DestinationPrefix 10.28.2.0/24 -NextHop 10.28.0.3 -ifIndex <adapter index>
5. Enable redirection of removable USB devices. Run the following command from an elevated command prompt:
       reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces" /v 101 /t REG_SZ /d {A5DCBF10-6530-11D2-901F-00C04FB951ED} /f
6. Turn off the machine and make a snapshot named Ready
2.3 Hyper-V

1. Create a virtual machine with the following minimal configuration:
   - 2 CPU cores
   - 8 GB RAM
   - 150 GB hard drive
   - Network adapter connected to VMware NAT
2. Install Windows Server 2012 Enterprise Edition:
   - Computer name: Hyper-V
   - NAT network adapter parameters:
     - IP address: 10.28.0.50
     - Default gateway: 10.28.0.2
     - DNS server: 10.28.0.10
   - Local administrator password: Ka5per5Ky
3. Edit the configuration file of the virtual machine to enable installation of the Hyper-V role on the VMware Workstation hypervisor:
   - Turn off Hyper-V
   - In the folder of the Hyper-V virtual machine, open Hyper-V.vmx with Notepad and add the following string:
       hypervisor.cpuid.v0 = "FALSE"
4. Select the virtualization engine:
   - Open the settings of the virtual machine in VMware Workstation
   - Click the processor and select Virtualize Intel VT-x/EPT or AMD-V/RVI
5. Power on the virtual machine
6. Join Hyper-V to the ABC domain
7. Log on to the system under the ABC\Administrator account
8. Add the Hyper-V server role. Proceed through all steps. Do not change anything except:
   - Select the network adapter for the virtual switch
9. Pin the Hyper-V Manager shortcut to the taskbar
10. Create two virtual switches:
   - Open the Server Manager console, select Tools | Hyper-V Manager
   - In the right pane, select Virtual Switch Manager
   - Select New virtual network switch, then select Private and click Create Virtual Switch
   - Rename the switch to Servers and click Apply
   - Likewise, create another Private switch named VDI
   - Rename the virtual switch created during the Hyper-V installation to External
11. Set up the Router computer (see below)
12. Deploy the Master virtual machine (see below)
13. Install Remote Desktop Services:
   - In the Add Roles and Features Wizard, select Remote Desktop Services installation
   - Select Standard Deployment
   - Select Virtual machine-based desktop deployment
   - Add the following roles to the Hyper-V computer one by one:
     - RD Connection Broker server
     - RD Web Access server
     - RD Virtualization Host server
14. Create a collection:
   - Make sure that the Router computer is configured and running
   - Open Server Manager | Remote Desktop Services | Collections
   - In the Collections section, click Tasks | Create Virtual Desktop Collection
   - Type Lab for the collection name
   - Select the Master computer for the template
   - Select the time zone and domain name: abc.lab
   - Specify the number of machines in the collection: 1. You can specify 2 if resources are plentiful; however, re-creating the collection will then take more time during the labs
   - Disable User profile disks
15. Set up the Master computer:
   - Power on the virtual machine
   - Complete the initial setup wizard, similarly to an installation
   - You will have to create a new user, for example, User2
   - (Optional) Delete User2
   - Join the Master computer to the domain
16. In the C:\Users\Public\Documents\Hyper-V\Virtual hard disks folder (virtual machine hard drives are stored here by default), create a directory named SVM-FO
17. Deploy the SVM-FO virtual machine (described in the Security-Center section)
18. Open the properties of the SVM-FO virtual machine and change the network to VDI
19. Shut down all virtual machines except for Router and Lab-0 (a virtual machine from the Remote Desktop Services collection). The Router should not be shut down, so that it starts up as soon as the Hyper-V computer starts. Shut down Hyper-V and make a snapshot named Ready.

2.4 Router

1. Vyatta Core is used for the router. Its distribution can be downloaded from http://www.vyatta.org/downloads (Virtualization ISO)
2. In the Hyper-V Manager console, create a virtual machine with the following configuration:
   - Name: Router
   - 128 MB RAM
   - Network adapter connected to the External switch
   - 1 GB hard disk
   - Boot from the Vyatta Live CD ISO image
3. Add two more network adapters:
   - Open the virtual machine settings
   - On the Add Hardware tab, select Network Adapter
   - Click Add
   - Select the Servers virtual switch for the created network adapter
   - Click Apply
   - Similarly, add a network adapter connected to the VDI switch
4. Power on the virtual machine
5. Log on to the system using the vyatta login and vyatta password
6. Carry out the install-image command
7. To confirm image installation to the hard drive, type Yes
8. Reject RAID-1 mirroring if two disks are found: No
9. Partitioning: Auto
10. Select the sda drive for the installation
11. Confirm destroying all data on it: Yes
12. Allocate all available disk space to the root directory: ENTER. The installer will create and mount the file system
13. Agree to the offered image name: ENTER
14. Agree to copying config.boot: ENTER
15. Specify the administrator's password, for example, Ka5per5Ky
16. Allow GRUB to modify the boot partition on the sda drive: ENTER
17. Carry out the poweroff command
18. Confirm: Yes
19. On the virtual machine menu, click Media | DVD Drive, then Eject
20. Power on the virtual machine
21. Log on to the system with the vyatta username and the password specified earlier
22. Use the configure command to enter the configuration mode
23. Configure network interfaces:
       set interfaces ethernet eth0 address 10.28.0.3/24
       set interfaces ethernet eth1 address 10.28.1.1/24
       set interfaces ethernet eth2 address 10.28.2.1/24
24. Configure the default gateway and DNS:
       set system gateway-address 10.28.0.2
       set system name-server 10.28.0.10
25. Save the settings:
       commit
       save
26. Configure NAT:
       set nat source rule 10
       set nat source rule 10 source address 10.28.1.0/24
       set nat source rule 10 outbound-interface eth0
       set nat source rule 10 translation address 10.28.0.3
       set nat source rule 20
       set nat source rule 20 source address 10.28.2.0/24
       set nat source rule 20 outbound-interface eth0
       set nat source rule 20 translation address 10.28.0.3
27. Configure DHCP:
       set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99
       set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 dns-server 10.28.0.10
       set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1
       set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254
       set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 dns-server 10.28.0.10
       set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1
28. Save the settings:
       commit
       save

2.5 Security-Center

1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:
   - Name: Security-Center
   - 1536 MB RAM
   - 40 GB hard drive
   - Network adapter connected to the Servers switch
2. Install Windows Server 2012 Standard Edition:
   - Computer name: Security-Center
   - Network parameters:
     - IP address: 10.28.1.20
     - Default gateway: 10.28.1.1
     - DNS server: 10.28.0.10
   - Local administrator password: Ka5per5Ky
3. Join Security-Center to the domain
4. Log on to the system under the ABC\Administrator account
5. Install Kaspersky Security Center 10 MR1 with the default settings; do not install plug-ins
6. Add the Kaspersky Security Center icon to the taskbar
7. Create the following folder structure on the desktop:
   - LA: root folder. Copy klcfginst.exe (the Protection Server plug-in) into it. Create two more folders within it:
     - Agent: a folder for the Light Agent. Copy the Light Agent distribution there
     - SVM: download the Protection Server image with its XML description from kaspersky.com and unpack into this folder
8. Install the Protection Server plug-in
9. Install the Protection Server:
   - Name: SVM-FO
   - Image folder path: C:\Users\Public\Documents\Hyper-V\Virtual hard disks\SVM-FO
   - Network: Servers
   - Password for the root user: Ka5per5Ky
10. Run the Download updates to the repository task.
11. Create and run a key installation task for specific computers; in the computer adding window, select Specify computer names manually or import from the list, then add SVM by IP address
12. Run the key installation task on the Protection Server
13. Create and run an Update task for the Protection Server in a similar manner
14. Delete the key installation and update tasks
15. Delete the Protection Server plug-in
16. Shut down SVM-FO and reduce RAM to 512 MB

2.6 Master

1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:
   - Name: Master
   - 1024 MB RAM
   - 40 GB hard drive
   - Network adapter connected to the VDI switch
2. Install Windows 8 Enterprise Edition:
   - Computer name: Master
   - Network settings: DHCP
   - Local administrator password: Ka5per5Ky
3. Join the Master computer to the domain
4. Log on to the system under the ABC\Alex account
5. Copy the eicar_com.zip archive to the C:\Users\Alex.ABC\Downloads folder
6. Prepare a template: run cmd as administrator and carry out:
       Sysprep\sysprep.exe /generalize /oobe /shutdown /mode:vm
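
The router commands in section 2.4 and the static addresses in sections 2.1 to 2.5 have to agree with each other, and a mistyped gateway, pool boundary or NAT rule only shows up later as a lab machine without connectivity. The following consistency check is an added example, not part of the original guide; the names parse, lint, ROUTER_CONFIG and STATIC are chosen here, and the parser handles only the command forms shown in section 2.4.

```python
import ipaddress as ip

# Address-bearing router commands, copied from section 2.4 of the guide.
ROUTER_CONFIG = """\
set interfaces ethernet eth0 address 10.28.0.3/24
set interfaces ethernet eth1 address 10.28.1.1/24
set interfaces ethernet eth2 address 10.28.2.1/24
set nat source rule 10 source address 10.28.1.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address 10.28.0.3
set nat source rule 20 source address 10.28.2.0/24
set nat source rule 20 outbound-interface eth0
set nat source rule 20 translation address 10.28.0.3
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1
"""
STATIC = {"DC": "10.28.0.10", "Client": "10.28.0.110", "Hyper-V": "10.28.0.50",
          "Security-Center": "10.28.1.20"}  # static addresses, sections 2.1-2.5

def parse(text):
    """Split 'set' commands into interfaces, source NAT rules and DHCP scopes."""
    ifaces, nat, dhcp = {}, {}, {}
    for w in map(str.split, text.splitlines()):
        if w[:3] == ["set", "interfaces", "ethernet"] and len(w) == 6:
            ifaces[w[3]] = ip.ip_interface(w[5])
        elif w[:4] == ["set", "nat", "source", "rule"] and len(w) > 6:
            nat.setdefault(w[4], {})[" ".join(w[5:-1])] = w[-1]
        elif w[:3] == ["set", "service", "dhcp-server"] and len(w) > 8:
            scope = dhcp.setdefault(w[4], {"subnet": ip.ip_network(w[6])})
            scope.update(zip(w[7::2], w[8::2]))  # start/stop/default-router pairs
    return ifaces, nat, dhcp

def lint(text, static=STATIC):
    """Return a list of inconsistencies; an empty list means the plan agrees."""
    ifaces, nat, dhcp = parse(text)
    addr, out = {n: str(i.ip) for n, i in ifaces.items()}, []
    for name, s in dhcp.items():
        net, router = s["subnet"], s.get("default-router")
        gw = next((str(i.ip) for i in ifaces.values() if i.network == net), None)
        if gw is None or router != gw:
            out.append(f"{name}: default-router {router}, router interface is {gw}")
        lo, hi = (ip.ip_address(s.get(k, "0.0.0.0")) for k in ("start", "stop"))
        if not (lo in net and hi in net and lo <= hi):
            out.append(f"{name}: pool {lo}-{hi} does not fit inside {net}")
        out += [f"{name}: static host {h} ({a}) is inside the DHCP pool"
                for h, a in static.items() if lo <= ip.ip_address(a) <= hi]
        if not any(r.get("source address") == str(net) and r.get("translation address")
                   == addr.get(r.get("outbound-interface"), "?") for r in nat.values()):
            out.append(f"{name}: no source NAT rule maps {net} to an interface address")
    return out
```

If different subnets are used on the available equipment, edit ROUTER_CONFIG and STATIC to match and confirm that lint returns an empty list before typing the commands into the router.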