Cybersecurity Capstone Lab Instructions

INF261x: Enterprise Security Hands-on Lab

• The Virtual Teaching Assistant will guide you through 3 different incidents and the Dashboard will
monitor your progress.
• Please allow yourself about 4-8 hours to take the hands-on lab.
• This lab has been successfully completed when all the incidents have been solved. This will occur when all
the attacks have been stopped (displayed as green in the dashboard) and all the functionality is intact
(displayed as green in the dashboard) for 20 minutes, and the mandatory question for the third incident
has been answered correctly.

Rules
For this lab to run successfully, there are several rules by which you must abide.

• DO NOT stop or remove the sshd or ssh agent services or the ssh process on any machines, as they are
used for grading and not for any malicious activity.
• DO NOT stop or remove any services or processes that include "USER_EMULATION" in them on any
machines, as they are used for user emulation and not for any malicious activity.
• DO NOT disable PowerShell for the user northwindtraders.com\Administrator on any machines!
• DO NOT disable NTLM on any machines as it is used for grading.
• The functionality of Windows 8.1 and Windows Server 2016 is monitored so disabling them will not count
as a fix for a problem. The status is visible on the Dashboard.
• You are allowed to install any software on the machines to fix a problem but take into account the
software license agreements and the time limit of the lab. You are also allowed to use Azure Security
Center if possible.
• The user northwindtraders.com\Alice should be able to login using the same default password since that
account is used for user emulation.

Directories that should not be removed, renamed or changed in any way:


In Windows 8.1:

• C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• C:\Users\Emuldata
• C:\Users\Alice\.ssh
• C:\Users\Administrator\.ssh

In Windows Server 2016:

• C:\Users\Administrator\.ssh
• C:\Users\Emuldata

Dashboard
View the table for the Dashboard fields and descriptions.

| Field | Description |
| --- | --- |
| Target | The name of the workstation or server. |
| Vulnerabilities | This shows how many cyber-attacks are directed at the workstation/server and whether they are successful or not. If the "Attack" marker is red, then the attack against the target is successful. If the "Attack" marker is green, then the attack against the target has failed. NB! It can take a few minutes for the "Attack" marker to change state after you have fixed the vulnerability. |
| Functionality | This shows if the workstation's/server's functionality is intact. When the functionality marker is green, the workstation/server is usable. When the functionality marker is red, the workstation/server is not usable. |
| Credentials | This shows the login credentials for the workstation/server. |
| Achievements | Different achievements will be listed under the "Achievements" column. "Achievements" are special actions done to achieve the security of the machine. |
| Time to win | The "Time to win" clock will start counting down from 20 minutes when all cyber-attacks against the workstation/server have been disabled and the full functionality of the workstation/server is intact. |

Lab Limitations
User emulations in this lab are meant to mimic real office employees and hackers, but they are
not actual people. In a real office environment there are usually many employees, and only one of
them might be the one who unknowingly and randomly executes malware; in this lab, there is only
one, who is constantly downloading and executing malware. Therefore, applying a best-practice security
GPO to the domain could break the functionality of some emulation instances. The goal of this lab is to
find a solution to a problem by gradually finding security holes and fixing them, in addition to
hardening different settings.

Grading
There are several different ways you will be graded during this lab.
• The functionality of the Windows 8.1 workstation and Windows Server 2016 will be graded automatically.
o To monitor the status of your workstation and server keep an eye on the Dashboard.
• The security of your systems will be graded automatically.
o To monitor which workstations or servers are being attacked keep an eye on the Dashboard and
the hacker chatroom at http://23.105.70.77:8080 (only accessible from inside the lab network).
• GAME END - When all the attacks are stopped (displayed as green in the Dashboard) and all the
functionality is intact (displayed as green in the dashboard) then a 20-minute counter will start for the
workstation and/or server. When both counters reach zero, the lab will end!

Users and credentials


• Windows 10 - username: Bob password: Sa1aKa1a
• Windows 8.1 Normal user: Alice password: Student123
• Windows 2016 admin user: Administrator password: Sa1aKa1a2
• Sales Portal web admin user: Manager password: taew8iDaveapho
• Sales Portal SSH user: student password: student
• Local Administrator user: Administrator password: Sa1aKa1a
