Projects RSS feed

Active Directory w/ PowerShell Automation
10/04/25, 12:00

Set up a fully functional Active Directory lab on Windows Server 2022 to simulate a real-world enterprise environment for centralized authentication, policy enforcement, and security hardening. Joined multiple devices to the domain and structured Organizational Units (OUs) for granular control. Configured Group Policy Objects (GPOs) to enforce strong password policies, disable LM hash storage, require LDAP and SMB signing, and apply Microsoft’s security baselines using the MSCT. Automated workstation debloating with a custom PowerShell script and deployed essential software (Firefox, LibreOffice, VLC, VSCode, Discord, 7-Zip, Python) via Group Policy, creating a secure, efficient, and manageable domain infrastructure.

Active Directory Overview

Active Directory (AD) is a directory service developed by Microsoft that enables centralized management of users, devices, applications, and resources within a network. It provides authentication, authorization, and directory services, making it a core component of most enterprise IT infrastructures. AD allows IT administrators to efficiently manage permissions and access control across large-scale environments, supporting scalability and streamlined user management through services like Group Policy and single sign-on (SSO).

AD is widely used in enterprise networks due to its integration with Windows systems and its ability to enforce consistent security policies. However, because it serves as the backbone for access and identity management, securing Active Directory is critical. A compromised AD can give attackers broad control over an entire organization’s infrastructure, making it a prime target. Robust security practices are essential to protect against threats like privilege escalation, lateral movement, and domain compromise.

Install

To set up my Active Directory home lab, I installed Windows Server 2022 on a Lenovo ThinkCentre and assigned it a static IP address within my local network to ensure consistent communication and DNS resolution. After configuring the network settings, I added the Active Directory Domain Services (AD DS) role and promoted the server to a domain controller, creating a new forest and domain for the lab environment. This setup provided a solid foundation for practicing user and group management, Group Policy configuration, and domain administration in a real-world-like environment.

Configuration

In my Active Directory lab, I joined both virtual machines and a Lenovo ThinkPad to the domain to simulate a multi-device enterprise environment. This allowed centralized authentication and management, which is critical for enforcing consistent policies across users and devices.

I configured a DNS server on the domain controller to forward all DNS queries to a local Pi-Hole DNS server, allowing for network-wide ad blocking and enhanced threat protection through filtered DNS resolution.

I also created Organizational Units (OUs) to logically separate and manage different types of users and computers. This structure made it easier to delegate administrative tasks and apply targeted policies.

To enforce security and configuration standards, I set up Group Policy Objects (GPOs) within the OUs. These GPOs controlled settings like password policies, desktop restrictions, and software installation, providing a hands-on understanding of how organizations maintain control and consistency across their network.

Hardening AD

To harden Active Directory, I used the Microsoft Security Compliance Toolkit (MSCT) to apply Microsoft’s recommended security baselines and reviewed my Group Policy settings using the Policy Analyzer. This helped align my domain controller configuration with industry best practices and identify weak or misconfigured settings early in the process.

I applied the principle of Least Privilege by restricting domain admin access to only essential accounts and auditing all users with elevated permissions. I also implemented a Tiered Access Model (Tier 0, 1, 2) and Role-Based Access Control to better isolate administrative roles and reduce risk from lateral movement.

In terms of Identity and Access Management (IAM), I enforced strong password policies by setting a minimum password length of 12 characters, requiring complexity, and enforcing password history to prevent reuse. I also disabled the storage of LAN Manager (LM) hash values to protect against brute-force attacks on weaker password hashes, and enabled SMB signing to ensure the integrity of SMB communications and protect against man-in-the-middle attacks.

To further secure directory communications, I required LDAP signing on domain controllers to defend against replay and injection attacks targeting unsecured LDAP queries. Additionally, I mitigated common attack vectors like Kerberoasting by minimizing privileges for service accounts and securing them with complex passwords, while also removing publicly accessible shares to limit lateral movement opportunities.

Automation

To streamline client workstation deployment in my Active Directory environment, I used a custom PowerShell script to automate the debloating process across all domain-joined machines. The script targeted either specific machines or entire Organizational Units (OUs), remotely removing unnecessary preinstalled apps, disabling telemetry, Cortana, Xbox features, OneDrive, and other consumer-oriented services. This not only improved system performance but also reduced unnecessary network traffic and enhanced overall security by minimizing the attack surface.

You can find the script here!

To complement the debloating process, I used Group Policy to deploy a standardized software suite across all workstations, including Firefox, LibreOffice, VLC Media Player, VSCode, Discord, 7-Zip, and Python. Centralizing software installation through GPO helped ensure consistent configurations, saved time during setup, and simplified future maintenance and updates across the domain.

Challenges

Group Policy Software Deployment Reliability
One challenge I encountered was ensuring consistent software deployment via Group Policy across all domain-joined machines. Some systems intermittently failed to install applications like LibreOffice or VSCode due to delayed Group Policy refresh cycles or user permissions blocking MSI execution during startup. This inconsistency created gaps in the workstation environment and added overhead to manually verify each installation.

To overcome this, I configured the GPO to install software at startup (rather than login), ensured the MSI packages were hosted on a reliable, accessible network share with the correct NTFS and share permissions, and used gpresult and event logs to troubleshoot failures. I also enabled verbose logging for the Group Policy client to identify machines that required additional attention, which ultimately led to a smoother, more predictable deployment process.

Remote Debloating Script Execution Permissions
Another hurdle involved remotely executing the debloating PowerShell script on domain-joined workstations, particularly when dealing with default Windows firewall settings and constrained PowerShell remoting policies. Initial attempts were blocked due to disabled WinRM services or insufficient admin rights on the target machines.

To address this, I created a startup script that enabled and configured WinRM via GPO, allowing secure remote sessions. I also scoped permissions carefully, ensuring only authorized admin accounts could execute debloat operations. By automating script execution through Organizational Units and leveraging the -WhatIf flag during testing, I safely rolled out changes and verified behavior before applying them across the domain.

Conclusion

In conclusion, building and hardening an Active Directory lab environment provided hands-on experience with enterprise-grade identity management, policy enforcement, and automation. By installing and configuring Windows Server 2022 as a domain controller, structuring OUs, and applying GPOs for security and software deployment, I created a scalable and secure foundation for centralized administration. Through debloating workstations with a custom PowerShell script and deploying essential software via Group Policy, I streamlined client setup while reducing attack surface and improving performance. Despite challenges with software deployment reliability and remote execution permissions, careful troubleshooting and automation ensured a successful and resilient implementation—equipping me with practical skills applicable to real-world enterprise IT environments.
Snort IDS/IPS Implementation
17/03/25, 11:30
Implement a Snort IDS/IPS solution within a home network using pfSense to enhance security and monitor network traffic for potential threats. Configure and fine-tune Snort for optimal performance and accuracy, ensuring real-time detection and prevention of malicious activity. Maintain ongoing updates and adjustments to keep the system effective against evolving security risks while minimizing false positives.

Snort Overview

Snort is an open-source IDS/IPS that analyzes network traffic in real-time to detect and prevent malicious activity. It logs potential threats, allowing for proactive responses, and can actively block harmful traffic. Snort protects against a range of attacks, including malware and unauthorized access, reducing the risk of data breaches and enhancing network security.

Install

Installed Snort through pfSense’s Package Manager and configured it to run real-time detection and prevention on the LAN interface.

Configuring Snort on the LAN interface helps detect internal threats like malware or unauthorized access. On a WAN interface, Snort would generate more false positives due to the high volume of benign external traffic, such as scans or bots. This increases alerts and network overhead, reducing performance and efficiency.

Configuring Rules

I’ve configured Snort with the following rules:
- Network-based signature rules:
  Focused on high-risk services like HTTP and SMB, targeting known attack patterns while minimizing overhead.
- Anomaly-based rules:
  Detect unusual traffic patterns (e.g., traffic spikes) to identify potential attacks without generating false positives.
- ICMP and port scan detection:
  Block common threats like DDoS and scanning attempts.
- Application layer rules:
  Monitor web protocols (HTTP, DNS) for attacks like SQL injection and XSS.
- Logging and alerting thresholds:
  Set to log suspicious events and generate alerts, ensuring precise detection without overwhelming the system.
Challenges

False Positives

When I first set up Snort, I was overwhelmed by false positives, which made it difficult to distinguish between actual threats and harmless traffic. The default ruleset was too broad, generating a high volume of alerts for common traffic patterns that weren’t malicious at all, adding to the noise.

To address this, I began by narrowing the ruleset to focus on higher-risk services and traffic I knew was more likely to be targeted by attackers. In addition, I implemented pass lists to filter out known legitimate traffic, ensuring that it wouldn’t trigger unnecessary alerts. I also took advantage of Snort’s thresholding feature to suppress repetitive alerts for benign traffic, gradually adjusting the thresholds to strike the right balance. This process involved some trial and error, but in the end, it helped reduce false positives and made Snort more manageable without sacrificing its ability to effectively detect genuine threats.

Network Traffic Overhead

Initially, I noticed Snort was causing lag on my network, especially during peak traffic periods. This was due to the strain of real-time packet inspection on my pfSense setup’s limited resources.

To improve performance, I optimized Snort by configuring it to monitor only the LAN interface, which reduced the load from the high volume of external traffic on the WAN side. I also adjusted the logging level, cutting down on unnecessary details while still capturing critical alerts. These changes resulted in only an 8% increase in CPU usage and a 21% increase in RAM usage, allowing Snort to run more efficiently without disrupting network responsiveness.

Conclusion

In conclusion, implementing Snort as an IDS/IPS solution with pfSense significantly enhanced my home network security by providing real-time threat detection and prevention. Through careful configuration, I reduced false positives, optimized performance, and maintained effective threat detection. By focusing on high-risk services, using pass lists, and adjusting logging settings, I minimized unnecessary alerts while ensuring accuracy. Optimizing Snort for the LAN interface and adjusting system settings helped balance security with network performance. Moving forward, ongoing updates will be crucial to keep the system effective against emerging threats.
Recursive Pi-Hole DNS Server
15/03/25, 09:00

Deploy a recursive Pi-Hole DNS sinkhole on a Raspberry Pi to improve network security by blocking unwanted ads, tracking domains, and malicious websites. Configure Pi-Hole to filter DNS requests at the network level, preventing devices from accessing harmful or undesirable content. Regularly update blocklists and fine-tune settings to optimize performance, reduce security vulnerabilities, and ensure the protection of all connected devices from potential threats.

Pi-Hole Overview

Pi-Hole acts as a middleman between devices and the internet, filtering DNS requests and blocking access to unwanted content, such as ads, tracking scripts, and potentially harmful websites. By integrating Pi-Hole, the network is protected from domains known for phishing, malware, and other online threats, effectively reducing the risk of compromise. The implementation enhances privacy by preventing third-party tracking, while also optimizing network performance by reducing unnecessary content and resource usage.

Install

Flashed Raspberry Pi OS onto a Raspberry Pi, and then SSH’d into the Pi to intall Pi-Hole using an installation script, which simplifies the process by handling dependencies and configuration. Set a static IPv4 address to ensures that it consistently maintains the same address on the network, preventing any disruptions in DNS resolution.

Blocklists

To configure Pi-Hole blocklists effectively, I carefully selected a curated set of blocklists that specifically target malicious domains, ads, and trackers. I avoided redundancy by choosing lists with minimal overlap, ensuring each list served a distinct purpose, such as blocking malware or privacy trackers. I also prioritized high-quality, regularly updated lists to reduce network overhead and improve efficiency. By enabling only the most relevant blocklists and regularly reviewing and updating them, I minimized unnecessary DNS queries and kept the system running smoothly.

Unbound DNS

Unbound is a recursive DNS resolver that enhances security by directly resolving DNS queries without relying on third-party DNS servers. It helps prevent DNS spoofing and man-in-the-middle attacks by encrypting DNS queries with DNSSEC (Domain Name System Security Extensions) and ensuring query integrity.

In Pi-Hole, I configured Unbound as the upstream DNS resolver to provide an additional layer of security, allowing Pi-Hole to handle DNS requests locally and resolve them recursively. This setup reduces reliance on external DNS providers, improves privacy, and ensures faster, more secure DNS resolution within the home network.

Challenges

pfSense Setup

Configuring pfSense to redirect DNS queries to Unbound presented a challenge because pfSense’s default DNS resolver settings typically use external DNS servers. I needed to adjust the system to route DNS requests through Unbound running on the Pi-Hole, which required modifying the DNS settings in pfSense.

To resolve this, I configured pfSense to use the Raspberry Pi’s IP address (where Pi-Hole and Unbound were set up) as the primary DNS server, while ensuring that DNS forwarding and firewall rules were correctly set to allow proper communication between pfSense and the Pi-Hole server. This setup enabled Pi-Hole to filter and Unbound to resolve DNS queries securely.

Increased Overhead

One of the main challenges of using stricter blocklists in Pi-Hole is managing redundancy and the increased network overhead. Stricter blocklists, often with a broader scope, can lead to multiple lists blocking the same domains, which results in redundant entries and unnecessary DNS queries. This redundancy not only wastes resources but can also slow down DNS resolution, increasing network latency.

To resolve this, I focused on finding a balance between security and performance by carefully selecting high-quality, curated blocklists that target specific threats—such as malware, trackers, and ads—while minimizing overlap. I ensured that the lists were updated regularly to stay current with emerging threats, but avoided overloading Pi-Hole with excessive or redundant lists.

Conclusion

In conclusion, deploying a recursive Pi-Hole DNS sinkhole on a Raspberry Pi significantly improved network security by blocking unwanted ads, trackers, and malicious websites. By carefully configuring Pi-Hole with targeted, high-quality blocklists and integrating Unbound as a local DNS resolver, I was able to enhance privacy and prevent potential online threats. Despite challenges with pfSense configuration and managing network overhead from stricter blocklists, these were effectively addressed to ensure optimal performance and reliability. This setup not only strengthened the security of all connected devices but also streamlined the network’s DNS resolution, providing a safer and more efficient browsing experience.
pfSense Network + VLANs
12/03/25, 12:30
Design a secure, performant, and scalable home network that simulates a small-scale enterprise network using robust open-source technologies. Ensure compliancy with fundamental security frameworks to secure against threat vectors. Continuously optimize the network to ensure high-availability, security, and scale-up to meet growing needs.

Network Overview

Topology

The network uses a star topology where all devices connect to a central router. This configuration was chosen for its simplicity, scalability, and ease of administration. In this topology:
- pfSense Router: Acts as the core router, firewall, and VPN gateway.
- Managed Switches: Two interlinked switches extend the wired connectivity of the network, thereby increasing performance, and security.
- Wireless Access Points: The wireless network is extended by using routers that are configured as wireless APs, in a mesh network configuration that ensures high-speed coverage across the house.
IP Addressing Scheme

A hybrid IP addressing scheme is implemented, with:
- Static IPs for critical infrastructure like the router, switches, and key network servers.
- Dynamic IPs (DHCP) for less critical devices like personal computers, IoT devices, and other peripherals, offering flexibility and ease of management.
Network Infrastructure

pfSense

Incorporated pfSense because it offers a high level of control and security. As an open-source firewall and router solution, it provides advanced features like VPN support, traffic management, and comprehensive network monitoring. Being free and highly customizable, pfSense allows me to optimize my network’s performance and security in ways that the default router software couldn’t. It’s been an invaluable tool for enhancing both the protection and efficiency of my network.

IoT VLAN

Placed Internet of Things (IoT) devices in a segmented Virtual Local Area Network (VLAN) enhances security by isolating them from the main network, reducing the attack surface. This containment limits the potential impact of a compromised IoT device, preventing lateral movement to critical systems. It also allows for more granular control over traffic, enabling stricter access controls and monitoring for suspicious activity.

Challenges

ISP Modem

During setup, the ISP modem could not be configured in bridge mode, causing a double NAT issue with the pfSense router. This prevented public facing services such as the CCTV cameras from functioning properly, or being accessed through their mobile app.

To resolve this, an advanced DMZ configuration was set up on the pfSense router through the modem’s web-based interface. This allowed the pfSense router to bypass the double NAT issue by making the router a public facing device, and therefore issuing the WAN interface with my network’s public IP address. This ensured that the pfSense router managed all routing and traffic without interference from the ISP modem’s NAT, restoring functionality to the CCTV cameras.

Interlinked Switches

Configuring the interlinked managed switches posed a challenge, mainly with preventing network loops. Without proper configuration, the switches could create loops, leading to network instability. The key solution was enabling Spanning Tree Protocol (STP) to prevent redundant paths from forming.

Additionally, the switch port connecting to the secondary switch was configured as a trunk port, allowing multiple VLANs to pass between the switches without issues. Once STP was properly configured and the trunk port set up, redundant links were blocked, eliminating loops and ensuring stable, efficient communication across the network.

Security Principles

Secure by Design

Security is integrated from the start by using pfSense as the core router and firewall, providing built-in traffic filtering, logging, and VPN services. The network’s segmentation into VLANs (like isolating IoT devices) ensures that security considerations are baked into the design from the ground up, reducing vulnerabilities.

Separation of Duties

The network is structured with different roles assigned to specific devices, such as the pfSense router/firewall handling traffic filtering and VPN services, while managed switches ensure network performance and segmentation. Each network component is responsible for a specific function, minimizing the risk of a single point of failure or compromise.

Defense in Depth

Multiple layers of security are employed throughout the network. pfSense provides firewall protection and VPN capabilities, mesh Wi-Fi access points offer seamless but secure wireless connectivity, and the use of VLANs for IoT devices adds an additional layer of isolation. These layered defenses ensure that even if one part of the network is compromised, other protections remain intact.

Conclusion

The home network design successfully created a secure, scalable, and high-performance environment using a star topology, with pfSense as the core router and firewall. Key security measures, including network segmentation with VLANs and a defense-in-depth strategy, ensure robust protection against threats. Challenges like ISP modem configuration and switch management were addressed with solutions such as advanced DMZ setup and STP, ensuring network stability and performance. Overall, the project demonstrates the effectiveness of integrating security from the start while leveraging open-source technologies for a future-proof network.