LAB - Explore Endpoint Security
You will also explore two personal firewall systems that are common in Linux distributions. They are
IPtables and TCP wrappers. With IPtables, you can define policies that control the flow of IP packets in and
out of a Linux host. With TCP wrappers, you can define policies that control accessibility of individual
services on a Linux host. You will perform some simple configurations and verify the configurations using
both firewall options.
Refer to the Job Aid for important information about files that are provided on the DVD drive. The DVD
drive includes a text file of the commands that are long or include special characters. Copy and paste the
commands if you are having issues with the support of your keyboard (especially on the Linux-based VMs),
or to avoid typos when entering long or complex commands. For the Windows devices, the DVD drive also
includes files that enable you to access the Windows on-screen keyboard or add an international keyboard.
Note
After your lab initializes, it may take a few more minutes for ELSA and Sguil to initialize before you
can launch them from the Security Onion Desktop.
You are using a US English keyboard layout. This cannot be changed once the lab has initialized.
https://ondemandelearning.cisco.com/apollo-alpha/mc_salyst110_23/pages/10 1/20
10/24/23, 7:35 AM Explore Endpoint Security | Understanding Endpoint Security Technologies
In this task, you will explore Windows Defender, which is an anti-malware product that is distributed as part
of the Windows operating system. The Inside-Win VM currently has Windows Defender disabled. Without
host-based protection, the VM is quite vulnerable to malware. You will start by copying a malicious file to the
Inside-Win hard drive. You will then enable Windows Defender, and then you will explore the results.
Step 1
Access the desktop of Inside-Win. Launch the file explorer and navigate to the D:\SECFND directory.
Step 2
The file reverseSh-235.exe contains malware that will spawn a connection to 209.165.200.235 if
executed. Drag and drop this file from the DVD drive to the Inside-Win desktop.
Step 3
In the next few steps, you will enable Windows Defender. The process is somewhat involved: on this
system, Windows Defender is enabled or disabled through Group Policy. Start by launching the
Local Group Policy Editor. From the Windows Start menu, type group policy in the Search field and
select Edit Group Policy. There are two template errors, which are known issues. Click OK to
acknowledge each of the errors.
Step 4
In the Local Group Policy Editor, navigate to Local Computer Policy > Computer
Configuration > Administrative Templates > Windows Components > Windows Defender.
Step 5
In the right pane, find the Turn off Windows Defender setting, and double-click to edit the setting.
Step 6
Currently the setting is enabled, turning off Windows Defender. Select Disabled and click OK. Close
the Local Group Policy Editor window.
Step 7
Windows Defender is now enabled, but it isn't running yet. From the Windows Start Menu,
enter defender in the Search field and select Windows Defender.
Step 8
Windows Defender shows that the real-time protection is off and the virus and spyware definitions are
out of date. Click Start Now. Wait for the status to change to On and Up to date.
Step 9
Windows Defender will find the malicious file on the desktop fairly quickly. You can speed up the
process. Select the reverseSh-235.exe file on the desktop, right-click, and select Scan with
Windows Defender. The icon will disappear from the desktop.
Step 10
Select the History tab in Windows Defender. With Quarantined Items selected, click View details.
Step 11
There should be one detected item: Trojan:Win32/Swrort.A. Select it and view the details in the
lower pane. Note that it is classified as a Trojan, the recommendation is to remove it immediately, and
the specific file was C:\Users\admin\Desktop\reverseSH-235.exe. With the detected item selected,
click Remove. The file is permanently deleted.
Step 12
The file still exists on the DVD-ROM. Because it is a read-only image, the file cannot be deleted
from the DVD-ROM. Attempt to drag and drop reverseSh-235.exe from the DVD-ROM to the desktop one
more time. Note that the action is interrupted. You can click Try Again a few times, but the result
will be the same. Click Cancel to cancel the copy attempt.
Step 13
Try to execute reverseSh-235.exe directly from the DVD-ROM. Note that, again, the action is blocked.
Click OK to confirm the warning.
Step 14
Anti-malware logs can be useful in an incident investigation. In the next few steps, you will examine
logs that can be retrieved from Windows Defender. Start by opening a command prompt as
administrator. From the Windows Start menu, right-click Command Prompt and select Run as
administrator. Click Yes to acknowledge the warning.
Step 15
Generate the Windows Defender support files. Enter the cd "C:\Program Files\Windows Defender"
command, and then enter the MpCmdRun -getfiles command.
Step 16
Step 17
A few files are in this Support directory, including a file with a name that starts with MPDetection,
which is followed by a date and time stamp and the .log extension. Right-click this file and select Edit
with Notepad++. Note the entries in the bottom of the log file that are associated with
the reverseSH-235.exe file. Close the window.
Step 18
The MPLog file has much more detail than MPDetection. Optionally you can open the log and
examine the information that is included there. When you are done, close the open windows on the
Inside-Win desktop.
Similar to Windows Defender, the Windows Firewall is included in the base Windows OS. Also like Windows
Defender, the Windows Firewall was disabled on the Inside-Win VM. In this section of the lab exercise, you
will explore the functionality of the Windows Firewall.
Step 19
Access the desktop of Inside-Kali. Open a terminal window and ping Inside-Win (10.10.6.10). The
ping should succeed. Use <Ctrl-C> to stop the ping.
Step 20
Return to the Inside-Win desktop. From the Windows Start menu, type firewall in the search field
and select Windows Firewall. Be careful not to select Windows Firewall with Advanced Security.
Step 21
You should now be at the Windows Firewall in the Control Panel. Windows Firewall is currently off.
Click Use recommended settings. The Windows Firewall should now be on. It is configured for both
Private and Public networks, but the current active network is Private.
Step 22
Return to the Inside-Kali desktop. Attempt the ping again. It should fail this time. After a few seconds,
use <Ctrl-C> to stop the ping application.
Answer
The Windows Firewall is blocking the ICMP echo requests as they arrive at Inside-Win. They are
not processed by the TCP/IP stack. Hence, no ICMP echo replies are generated.
Step 23
You will configure firewall settings for the FileZilla Server on Inside-Win in the next two steps. Return
to the Inside-Win desktop. Select the Allow an app or feature through Windows Firewall link on
the left side of the Windows Firewall window.
Step 24
Find FileZilla Server in the list. Note that it is currently enabled for both Private and Public networks.
Uncheck Public for FileZilla Server. Click OK.
Step 25
Verify that the current network connection is configured as a private network. Right-click the network
status icon on the right side of the Windows task bar and select Open Network and Sharing
Center. Verify that the active network is a Private Network. Leave this window open. You will refer to
it again soon.
Step 26
Verify that FileZilla Server access is allowed through the firewall from the current private network
connection. Return to the desktop of Inside-Kali. FTP to Inside-Win (10.10.6.10). The connection
should succeed. Log in as anonymous.
Answer
220 Please visit https://filezilla-project.org/
Name (10.10.6.10:root): anonymous
331 Password required for anonymous
Password: AnyPassIsAccepted
230 Logged on
Remote system type is UNIX.
ftp>
Step 27
Issue the dir command and verify that a directory is received. Use the get command to retrieve
the OneKB.bin file. This should succeed. Use the quit command to terminate the connection.
Answer
ftp> dir
200 Port command successful
150 Opening data channel for directory listing of "/"
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 etc
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 files
-rw-r--r-- 1 ftp ftp 104857600 May 22 2013 OneHundredMB.bin
-rw-r--r-- 1 ftp ftp 1024 May 22 2013 OneKB.bin
-rw-r--r-- 1 ftp ftp 1048576 May 22 2013 OneMB.bin
drwxr-xr-x 1 ftp ftp 0 Apr 05 2016 private
-rw-r--r-- 1 ftp ftp 10485760 May 22 2013 TenMB.bin
226 Successfully transferred "/"
ftp> quit
221 Goodbye
Step 28
Change the Inside-Win network connection to public. Return to the Inside-Win desktop. Left-click the
network status icon on the right side of the Windows task bar; an information panel will pop up.
Select Network Settings from the panel.
Step 29
In the NETWORK & INTERNET window, verify that the Ethernet connection is selected, and then
click Ethernet No Internet in the right-hand pane.
Step 30
The ETHERNET window opens. Under the Make this PC discoverable heading, slide the switch
from On to Off.
Step 31
Close the Settings window and return to the Network and Sharing window. Verify that the network
connection is now considered to be a public network.
Step 32
Close the Network and Sharing window and return to the Windows Firewall on the Control Panel.
Verify that the firewall status shows that it is not connected to a private network, but now is connected
to a guest or public network.
Step 33
You configured the Windows Firewall to only allow connectivity to the FileZilla Server when on private
networks. Demonstrate that the Inside-Kali VM can no longer access FTP on Inside-Win. Access the
desktop of Inside-Kali. Attempt to issue the ftp 10.10.6.10 command a second time. The
connection will not be allowed. The attempt will eventually time out, but you can use <Ctrl-C> to
terminate it sooner.
In this task, you will explore some simple configurations of both IPtables and TCP wrappers on the
Inside-Srv. You will use IPtables to control access to TCP ports 80 and 443, which are the two ports
that the Apache HTTP daemon listens on. You will use TCP wrappers to control access to the SSH daemon.
In both cases, you will test accessibility to the Inside-Srv from Inside-Kali and Inside-Win.
Step 34
Access the Inside-Win desktop. Launch the Firefox browser. Verify that you can browse
http://inside-srv.abc.private.
Step 35
Access the desktop of Inside-Kali. Launch the Iceweasel browser. Verify that you can
browse http://inside-srv.abc.private.
Step 36
Access the Inside-Srv desktop. Launch a Terminal window. Use the iptables command to append a
rule that will drop inbound packets that are destined to TCP port 80.
Answer
The -A argument instructs iptables to append a rule to the end of the rule list.
The filter table has three built-in chains. INPUT is for inbound packets destined to the local
host. OUTPUT is for outbound packets that are generated by the local host. FORWARD is for packets
that are routed through the host; the FORWARD chain is only relevant when IP forwarding is
enabled on the host.
The -p argument specifies the protocol and the --dport argument specifies the destination port.
The -j argument specifies what to do with matching packets. Options include DROP, REJECT,
and ACCEPT. DROP will silently drop a packet, while REJECT will drop the packet and send an
ICMP unreachable message back to the sender.
Step 37
Test the current behavior. Attempt to refresh the browser on both Inside-Win and Inside-Kali. In both
cases, the refresh should spin. It will eventually time out. You don't have to wait for the timeout.
Step 38
Return to the Inside-Srv desktop. Rules are interpreted in order. Insert a new rule in position 1
that permits packets to TCP port 80 as long as they are sourced from 10.10.6.11.
Step 39
root@inside-srv:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.6.11 anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http
Two rules should be defined for the INPUT chain and no rules for FORWARD or OUTPUT.
The first rule should permit HTTP access for 10.10.6.11 and the second rule should deny HTTP
access for all other systems.
If you made a mistake, you can delete a rule from a chain with the -D argument followed by the
rule number. For example, iptables -D INPUT 1.
Step 40
With the ACCEPT rule for 10.10.6.11 (Inside-Kali) preceding the DROP rule for all hosts, Inside-Kali
should be able to browse http://inside-srv.abc.private, but Inside-Win should not. A refresh from
Inside-Kali should complete quickly. A refresh from Inside-Win should spin for a while and eventually
time out.
Step 41
The rules only affect port 80 for HTTP access. Apache is also listening on TCP port 443 for HTTPS
(SSL/TLS) access. Attempt to browse https://inside-srv.abc.private from both Inside-Win and
Inside-Kali. The attempt should succeed from both systems.
Step 42
Return to the Inside-Srv desktop. Add rules in the opposite orientation for HTTPS. That is, append a
rule to the end of the list that denies access to TCP port 443 from all sources, and add a rule that
permits access to TCP port 443 from Inside-Win (10.10.6.10).
Step 43
Verify the current rule list using the -L argument. You can also specify the INPUT chain to avoid
having the OUTPUT and FORWARD chains included in the output.
Answer
The two specific ACCEPT rules for 10.10.6.10 and 10.10.6.11 must be before the two general
DROP rules.
If you made a mistake, you can delete a rule from a chain with the -D argument followed by the
rule number. For example, iptables -D INPUT 1.
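The complete Inside-Srv rule set from Steps 36 through 43, as an added example that is not part of the lab guide: it renders the four INPUT rules in iptables-save syntax so the ordered set can be loaded atomically with iptables-restore, and it includes a check that the per-host ACCEPT rules are listed before the catch-all DROP rules that would otherwise shadow them. The addresses are the lab's (Inside-Kali 10.10.6.11, Inside-Win 10.10.6.10); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the lab guide: the Inside-Srv INPUT chain as it should look after
# Steps 36 through 43, written in iptables-save syntax so the whole ordered set can be loaded
# atomically with "iptables-restore" instead of rule-by-rule -A / -I commands.
# Addresses are the lab's: Inside-Kali 10.10.6.11, Inside-Win 10.10.6.10.
KALI=10.10.6.11
WIN=10.10.6.10

# lab_ruleset: print the filter table. The host-specific ACCEPT rules come first; a catch-all
# DROP listed above them would match first and silently shadow them.
lab_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $KALI -p tcp --dport 80 -j ACCEPT
-A INPUT -s $WIN -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -p tcp --dport 443 -j DROP
COMMIT
EOF
}

# rule_position RULESET PATTERN: 1-based position of the first INPUT rule matching PATTERN,
# counting "-A INPUT" lines only (the same numbers "iptables -L INPUT --line-numbers" shows).
# Prints nothing when no rule matches.
rule_position() {
    printf '%s\n' "$1" | grep '^-A INPUT' | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# precedes RULESET ACCEPT_PATTERN DROP_PATTERN: 0 when the ACCEPT rule is listed before the
# DROP rule (or no such DROP exists); 1 when the DROP would be evaluated first.
precedes() {
    a=$(rule_position "$1" "$2")
    d=$(rule_position "$1" "$3")
    [ -z "$d" ] && return 0
    [ -n "$a" ] && [ "$a" -lt "$d" ]
}

# check_order RULESET: verify the two per-host exceptions are not shadowed by the catch-all
# DROPs. The patterns tolerate the "/32" and "-m tcp" that iptables-save adds, so the same
# check also works on the live host:  check_order "$(iptables-save)"
check_order() {
    precedes "$1" "-s $KALI.*--dport 80 -j ACCEPT" "^-A INPUT -p tcp.*--dport 80 -j DROP" &&
    precedes "$1" "-s $WIN.*--dport 443 -j ACCEPT" "^-A INPUT -p tcp.*--dport 443 -j DROP"
}

# Deploy on Inside-Srv as root (not run here):  lab_ruleset | iptables-restore
```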
Step 44
Retest access to https://inside-srv.abc.private from both Inside-Win and Inside-Kali. In this case,
the refresh should succeed from Inside-Win but fail from Inside-Kali.
Step 45
Step 46
Step 47
Double-click the hosts.deny file to open it in Leafpad. The default hosts.deny file only contains
comments (lines starting with #). Add a rule on a new line, after the comments, that specifies all
clients for the SSH daemon.
sshd : ALL
Step 48
Step 49
Double-click the hosts.allow file to open it in Leafpad. Add a rule on a new line after the comments
that specifies only 10.10.6.10 for the SSH daemon.
sshd : 10.10.6.10
Step 50
Step 51
Test SSH access from Inside-Kali. Attempt the ssh 10.10.4.20 command from a terminal window.
The attempt should fail.
Step 52
Test SSH access from Inside-Win. Launch PuTTY from the Windows Start menu. Enter 10.10.4.20 in
the Host Name (or IP address) field. Leave the port at 22 and the connection type at SSH.
Click Open. The connection should be successful. Authenticate as root using the
password Cisco123!.
Answer
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Step 53
Use the exit command to terminate the SSH session and close the PuTTY window.
Note that the policy that you configured with both IPtables and TCP wrappers is of the permit-unless-explicitly-denied variety.
It is usually very difficult to enumerate all the traffic that should be denied, while it is easier to
enumerate the services that a server is intended to provide. Therefore, when implementing firewall
policy, a deny-unless-explicitly-permitted policy is usually preferred. The examples show some of the
capability and behavior of the two personal firewalls. Both IPtables and TCP wrappers have many more
features than were demonstrated here.
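The TCP wrappers decision behind Steps 47 through 52 and the note above, as an added example that is not part of the lab guide: a POSIX sh model of the order tcpd evaluates hosts.allow and hosts.deny, run against the lab's two entries and against a deny-unless-explicitly-permitted variant. It handles only the ALL wildcard and exact IPv4 addresses; the file contents are embedded as constructed strings, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the lab guide: a POSIX sh model of the TCP wrappers decision that the
# lab's hosts.allow / hosts.deny entries (Steps 47 and 49) produce, following the order tcpd
# uses: hosts.allow is consulted first, then hosts.deny, and a client matching neither is
# permitted. Only the ALL wildcard and exact IPv4 addresses are handled, which is all the lab's
# two entries need; on a real host, "tcpdmatch sshd 10.10.6.11" gives the authoritative answer.

# entry_matches LINE DAEMON CLIENT: 0 when a "daemon_list : client_list" line covers the pair.
entry_matches() {
    line=$(printf '%s' "$1" | sed 's/#.*//')               # drop comments
    case "$line" in *:*) ;; *) return 1 ;; esac             # blank or comment-only line
    daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
    clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
    dok=1; cok=1
    for d in $daemons; do [ "$d" = ALL ] || [ "$d" = "$2" ] && dok=0; done
    for c in $clients; do [ "$c" = ALL ] || [ "$c" = "$3" ] && cok=0; done
    [ $dok -eq 0 ] && [ $cok -eq 0 ]
}

# first_match DAEMON CLIENT FILETEXT: 0 when any line of FILETEXT covers the pair.
first_match() {
    while IFS= read -r l; do
        entry_matches "$l" "$1" "$2" && return 0
    done <<EOF
$3
EOF
    return 1
}

# wrappers_decision DAEMON CLIENT ALLOW_TEXT DENY_TEXT: prints "allow" or "deny".
wrappers_decision() {
    if first_match "$1" "$2" "$3"; then echo allow       # hosts.allow wins, checked first
    elif first_match "$1" "$2" "$4"; then echo deny      # then hosts.deny
    else echo allow                                      # no match: permit unless explicitly denied
    fi
}

# The lab's two files, reproduced here as constructed strings so the example runs offline.
LAB_ALLOW='# /etc/hosts.allow
sshd : 10.10.6.10'
LAB_DENY='# /etc/hosts.deny
sshd : ALL'
```

With LAB_DENY replaced by the single entry "ALL : ALL", the same hosts.allow line yields the deny-unless-explicitly-permitted policy the note recommends: Inside-Win still reaches sshd, and every other daemon/client pair is refused.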