Kl 031.30 eng_class_setup_guide_1.2


KASPERSKY LAB

KL 031.30. Kaspersky Security for Virtualization 3.0. Light Agent

Class Setup Guide

Chapter 1. Description

1.1 Guide Description

This Guide helps to prepare a class for the "Kaspersky Security for Virtualization 3.0. Light Agent" training.

The guide describes the class setup in detail (virtual machines, their characteristics and interrelations) for trainers who need to thoroughly understand the training environment.

For technicians who just prepare the class and do not want or need to understand the training environment, the guide contains step-by-step instructions on how to configure physical and virtual computers.

Additionally, the guide explains the reasons why the described configuration was selected and how the instruction can be changed depending on the available equipment.

1.2 Environment Description

All labs will be done on virtual machines. The guide presumes that VMware Workstation is used.

An abstract ABC company is considered in the labs. Its computers belong to the abc.lab domain.

Computers

The following computers will be used in the labs:

— DC—domain controller and DNS server of the abc.lab domain. It is used in all labs as an infrastructure element: it must be running, but no actions are performed on it.

— Client—a user’s workstation from which he or she connects to an RDS virtual machine. RemoteFX demonstration requires the latest version of the RDP protocol that can be installed on Windows 7 SP1. We will use Windows 8 in our labs, where everything works out of the box.

— Hyper-V—the hypervisor where the virtual machines listed below are deployed; it also runs the roles necessary for Remote Desktop Services.

— Router—a virtual machine that connects the external network (VMware NAT) and virtual networks. It also performs the roles of a DHCP server and DNS relay.

— Security-Center (or SC)—a computer whose main role is to be the Administration Server in the ABC company. It belongs to the ABC domain and has a static IP address.

— Master—a template virtual machine for the Remote Desktop Services collection.

— SVM-FO—a virtual machine, the Protection Server of Kaspersky Security for Virtualization. It will be used for demonstrating how the Light Agent switches between the Protection Servers if one of them malfunctions.

Domain

All computers belong to the ABC domain.

Users

The account of the domain administrator (ABC\Administrator) will be used on most of the computers.

The ABC\Alex account will be used for accessing virtual machines belonging to the Remote Desktop Services pool.

The password is Ka5per5Ky for all users.

Subnets

Two subnets are configured for virtual machines in ABC company: 10.28.1.0/24 and 10.28.2.0/24. The former is designed for servers (the Administration Server belongs to it), and the latter for Remote Desktop Services virtual machines. The domain controller should not run within Hyper-V to avoid connectivity issues; therefore the DC machine is configured within the VMware NAT network. It is necessary to change the default address for this network: open Edit | Virtual Network Editor, select the NAT interface (usually, VMNet8) and specify address 10.28.0.0/24.

These specific subnet addresses are not particularly important, but they were used when designing the course labs and are mentioned in the Lab Guide.

The network schema is as follows

Operating systems

The computers that perform server functions are running Windows 2012 Standard Edition. On other computers, Windows 8 Enterprise is installed.

Hardware requirements

The host machine must have at least 12 GB RAM, preferably 16 GB.

Another (and maybe even more important) bottleneck is the disk subsystem. A host machine with one HDD drive usually cannot ensure comfortable performance. An SSD drive or performance-oriented RAID configuration is preferred.

Chapter 2. Class Setup Guide

2.1 DC

1. Create a virtual machine with the following minimal configuration:

— 1024 MB RAM

— 40 GB hard drive

— One network adapter (NAT)

2. Install Windows Server 2012 Standard:

— Computer name—DC

— IP address—10.28.0.10

— DNS server and gateway—10.28.0.2

— Local administrator password—Ka5per5Ky

3. Add the Active Directory Domain Services server role with the following parameters:

— New forest;

— Root domain named abc.lab;

— Password for the directory services restore mode—Ka5per5Ky;

— Other parameters—by default.

4. Add domain users

— Alex with Ka5per5Ky password

5. Modify the domain policy

— In the Server Manager, select Tools | Group Policy Management, then on the shortcut menu of the Domains / abc.lab / Default domain policy object, click Edit

— Disable automatic Windows Updates (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Windows Update, double-click Configure Automatic Updates, and then click Disabled)

— Disable Windows Defender (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Windows Defender, double-click Turn off Windows Defender, and then click Enabled)

— Enable RDP redirection of RemoteFX USB Devices (in Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, click Remote Desktop Services, Remote Desktop Connection Client, RemoteFX USB Device Redirection, then set Allow RDP redirection of the supported RemoteFX USB Devices from this computer to Enabled and change RemoteFX USB Redirection Access Rights to Administrators and Users)

— Disable Windows Firewall for the domain profile (in Group Policy Object Editor: User Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security)

— Disable SmartScreen Filter for the Internet Zone (in Group Policy Object Editor: User Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, Internet Zone, Turn on SmartScreen Filter scan = Disabled)

— Disable Maximum Password Age: select Not Defined for this parameter (in Group Policy Object Editor: User Configuration, Policies, Windows Settings, Security Settings, Account Policies, Password Policy)

6. For the Administrator and Alex users, enable the Password never expires parameter

7. Reduce RAM to 860 MB (optional)

8. When all virtual machines are ready, turn off DC and make a snapshot named Ready

2.2 Client

1. Create a virtual machine with the following minimal configuration:

— 1 GB RAM

— 40 GB hard drive

— NAT network adapter

2. Install Windows 8 Enterprise Edition:

— Computer name—Client

— Network parameters:

IP address—10.28.0.110

Default gateway—10.28.0.2

DNS server—10.28.0.10

— Local administrator password—Ka5per5Ky

3. Join Client to ABC domain

4. Add route to the VDI subnet:

— Run PowerShell as administrator. Find out the ifIndex of the adapter:

Get-NetAdapter

— Carry out:

New-NetRoute -DestinationPrefix 10.28.2.0/24 -NextHop 10.28.0.3 -ifIndex <adapter index>

5. Enable redirection of removable USB devices. Run the following command from an elevated command prompt:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces" /v 101 /t REG_SZ /d "{A5DCBF10-6530-11D2-901F-00C04FB951ED}" /f

6. Turn off the machine and make a snapshot named Ready

2.3 Hyper-V

1. Create a virtual machine with the following minimal configuration:

— 2 CPU cores

— 8 GB RAM

— 150 GB hard drive

— Network adapter connected to VMware NAT

2. Install Windows Server 2012 Enterprise Edition:

— Computer name—Hyper-V

— NAT network adapter parameters:

IP address—10.28.0.50

Default gateway—10.28.0.2

DNS server—10.28.0.10

— Local administrator password—Ka5per5Ky

3. Edit the configuration file of the virtual machine to enable installation of the Hyper-V role on the VMware Workstation hypervisor:

— Turn off Hyper-V

— In the folder of the Hyper-V virtual machine, open Hyper-V.vmx with Notepad and add the following string: hypervisor.cpuid.v0 = "FALSE"

4. Select Virtualization engine

— Open the settings of the virtual machine in VMware Workstation

— Click the processor and select Virtualize Intel VT-x/EPT or AMD-V/RVI

5. Power on the virtual machine

6. Join Hyper-V to ABC domain

7. Log on to the system under the ABC\Administrator account

8. Add the Hyper-V server role

— Proceed through all steps. Do not change anything except:

Select the network adapter for the virtual switch

9. Pin the Hyper-V Manager shortcut to the taskbar

10. Create two virtual switches

— Open the Server Manager console, select Tools | Hyper-V Manager

— In the right pane, select Virtual Switch Manager

— Select New virtual network switch, then select Private and click Create Virtual Switch

— Rename the switch to Servers and click Apply

— Likewise, create another Private switch named VDI

— Rename the virtual switch created during the Hyper-V installation to External

11. Set up the Router computer (see below)

12. Deploy the Master virtual machine (see below)

13. Install Remote Desktop Services

— In the Add Roles and Features Wizard, select Remote Desktop Services installation

— Select Standard Deployment

— Select Virtual machine-based desktop deployment

— Add the following roles to the Hyper-V computer one by one:

RD Connection Broker server

RD Web Access server

RD Virtualization Host server

14. Create a collection

— Make sure that the Router computer is configured and running

— Open Server Manager | Remote Desktop Services | Collections

— In the Collections section, click Tasks | Create Virtual Desktop Collection

— Type Lab for the collection name

— Select the Master computer for the template

— Select the time zone and domain name: abc.lab

— Specify the number of machines in the collection: 1. You can specify 2 if the resources are plentiful; however, re-creating the collection will take more time during the labs in this case

— Disable User profile disks

15. Set up the Master computer

— Power on the virtual machine

— Complete the initial setup wizard, similarly to an installation

— You will have to create a new user, for example, User2

— (Optional) Delete User2

— Join the Master computer to the domain

16. In the C:\Users\Public\Documents\Hyper-V\Virtual hard disks folder (virtual machine hard drives are stored here by default), create a directory named SVM-FO

17. Deploy the SVM-FO virtual machine (described in the Security-Center section)

18. Open the properties of the SVM-FO virtual machine and change the network to VDI

19. Shut down all virtual machines except for Router and Lab-0 (a virtual machine from the Remote Desktop Services collection). Do not shut down the Router, so that it starts up as soon as the Hyper-V computer starts. Shut down Hyper-V and make a snapshot named Ready.

2.4 Router

1. Vyatta Core is used for the router. Its distribution can be downloaded from http://www.vyatta.org/downloads (Virtualization ISO)

2. In the Hyper-V Manager console, create a virtual machine with the following configuration:

— Name—Router

— 128 MB RAM

— Network adapter connected to the External switch

— 1 GB hard disk

— Boot from the Vyatta Live CD iso image

3. Add two more cards

— Open the virtual machine settings

— On the Add Hardware tab, select Network Adapter

— Click Add

— Select the Servers virtual switch for the created network adapter

— Click Apply

— Similarly, add a network adapter connected to the VDI switch

4. Power on the virtual machine

5. Log on to the system using the vyatta login and vyatta password

6. Carry out the install-image command

7. To confirm image installation to the hard drive, type Yes

8. Reject RAID-1 mirroring if two disks are found: No

9. Partitioning—Auto

10. Select the sda drive for the installation

11. Confirm destroying all data on it: Yes

12. Allocate all available disk space to the root directory: ENTER. The installer will create and mount the file system

13. Agree to the offered image name: ENTER

14. Agree to copying config.boot: ENTER

15. Specify the administrator’s password, for example, Ka5per5Ky

16. Allow GRUB to modify the boot partition on the sda drive: ENTER

17. Carry out the poweroff command

18. Confirm: Yes

19. On the virtual machine menu, click Media | DVD Drive, then Eject

20. Power on the virtual machine

21. Log on to the system with the vyatta username and the password specified earlier

22. Use the configure command to enter the configuration mode

23. Configure network interfaces:

— set interfaces ethernet eth0 address 10.28.0.3/24

— set interfaces ethernet eth1 address 10.28.1.1/24

— set interfaces ethernet eth2 address 10.28.2.1/24

24. Configure the default gateway and DNS

— set system gateway-address 10.28.0.2

— set system name-server 10.28.0.10

25. Save the settings

— commit

— save

26. Configure NAT:

— set nat source rule 10

— set nat source rule 10 source address 10.28.1.0/24

— set nat source rule 10 outbound-interface eth0

— set nat source rule 10 translation address 10.28.0.3

— set nat source rule 20

— set nat source rule 20 source address 10.28.2.0/24

— set nat source rule 20 outbound-interface eth0

— set nat source rule 20 translation address 10.28.0.3

27. Configure DHCP:

— set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99

— set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 dns-server 10.28.0.10

— set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1

— set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254

— set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 dns-server 10.28.0.10

— set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1

28. Save the settings

— commit

— save
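
The router addressing from steps 23 to 27 can be sanity-checked before it is typed into the console. The following is an added example, not part of the original guide: a Python script that parses the addressing-related `set` commands and verifies that each DHCP pool fits its subnet, is served by the router interface on that subnet, has a NAT source rule, and does not overlap the static addresses used elsewhere in the guide. The names `ROUTER_CONFIG`, `STATIC_HOSTS`, `parse` and `check` are assumptions made for this example.

```python
import ipaddress

# Addressing-related router commands taken from steps 23-27 of this guide.
ROUTER_CONFIG = """\
set interfaces ethernet eth0 address 10.28.0.3/24
set interfaces ethernet eth1 address 10.28.1.1/24
set interfaces ethernet eth2 address 10.28.2.1/24
set nat source rule 10 source address 10.28.1.0/24
set nat source rule 20 source address 10.28.2.0/24
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 start 10.28.1.70 stop 10.28.1.99
set service dhcp-server shared-network-name Servers subnet 10.28.1.0/24 default-router 10.28.1.1
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 start 10.28.2.100 stop 10.28.2.254
set service dhcp-server shared-network-name VDI subnet 10.28.2.0/24 default-router 10.28.2.1
"""
# Static addresses assigned in sections 2.1, 2.2, 2.3 and 2.5.
STATIC_HOSTS = {"DC": "10.28.0.10", "Client": "10.28.0.110",
                "Hyper-V": "10.28.0.50", "Security-Center": "10.28.1.20"}

def parse(config):
    """Collect interface addresses, NAT source networks and DHCP scopes."""
    ifaces, nat, scopes = {}, set(), {}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["set", "interfaces", "ethernet"] and w[4] == "address":
            ifaces[w[3]] = ipaddress.ip_interface(w[5])
        elif w[:3] == ["set", "nat", "source"] and w[5:7] == ["source", "address"]:
            nat.add(ipaddress.ip_network(w[7]))
        elif w[:3] == ["set", "service", "dhcp-server"]:
            scope = scopes.setdefault(ipaddress.ip_network(w[6]), {})
            # Remaining words are key/value pairs: start, stop, default-router.
            scope.update(zip(w[7::2], map(ipaddress.ip_address, w[8::2])))
    return ifaces, nat, scopes

def check(config, static_hosts):
    """Return a list of inconsistencies; an empty list means the plan is coherent."""
    ifaces, nat, scopes = parse(config)
    problems = []
    for net, s in scopes.items():
        if not (s["start"] in net and s["stop"] in net and s["start"] <= s["stop"]):
            problems.append(f"{net}: DHCP range is not inside the subnet")
        if not any(i.ip == s["default-router"] and i.network == net
                   for i in ifaces.values()):
            problems.append(f"{net}: default-router is not the router interface on this subnet")
        if net not in nat:
            problems.append(f"{net}: no NAT source rule for this subnet")
        for name, addr in static_hosts.items():
            if s["start"] <= ipaddress.ip_address(addr) <= s["stop"]:
                problems.append(f"{name} ({addr}) falls inside the DHCP pool of {net}")
    return problems
```

Calling `check(ROUTER_CONFIG, STATIC_HOSTS)` returns an empty list for the values in this guide; if the subnets are changed to suit other equipment, edit the two constants and re-run the check.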

2.5 Security-Center

1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:

— Name—Security-Center

— 1536 MB RAM

— 40 GB hard drive

— Network adapter connected to the Servers switch

2. Install Windows Server 2012 Standard Edition:

— Computer name—Security-Center

— Network parameters:

IP address—10.28.1.20

Default gateway—10.28.1.1

DNS server—10.28.0.10

— Local administrator password—Ka5per5Ky

3. Join Security-Center to the domain

4. Log on to the system under the ABC\Administrator account

5. Install Kaspersky Security Center 10 MR1 with the default settings; do not install plug-ins

6. Add Kaspersky Security Center icon to the taskbar

7. Create the following folder structure on the desktop:

— LA—root folder. Copy klcfginst.exe (the Protection Server plug-in) into it. Create two more folders within it:

Agent—a folder for the Light Agent. Copy the Light Agent distribution there

SVM—download the Protection Server image with its XML description from kaspersky.com and unpack into this folder

8. Install the Protection Server plug-in

9. Install the Protection Server

— Name—SVM-FO

— Image folder path: C:\Users\Public\Documents\Hyper-V\Virtual hard disks\SVM-FO

— Network—Servers

— Password for the root user—Ka5per5Ky

10. Run the Download updates to the repository task.

11. Create and run a key installation task for specific computers; in the computer adding window, select Specify computer names manually or import from the list, then add SVM by IP address

12. Run the key installation task on the Protection Server

13. Create and run an Update task for the Protection Server in a similar manner

14. Delete the key installation and update tasks

15. Delete the Protection Server plug-in

16. Shut down SVM-FO and reduce RAM to 512 MB

2.6 Master

1. In the Hyper-V Manager console, create a virtual machine with the following minimal configuration:

— Name: Master

— 1024 MB RAM

— 40 GB hard drive

— Network adapter connected to the VDI switch

2. Install Windows 8 Enterprise Edition:

— Computer name—Master

— Network settings—DHCP

— Local administrator password—Ka5per5Ky

3. Join the Master computer to the domain

4. Log on to the system under the ABC\Alex account

5. Copy the eicar_com.zip archive to the C:\Users\Alex.ABC\Downloads folder

6. Prepare a template:

— Run cmd as administrator.

— Carry out: Sysprep\sysprep.exe /generalize /oobe /shutdown /mode:vm