Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Custom Decoy Image

For most deployments, the decoys included with FortiDeceptor are enough and are easier to deploy. However, you have the option to build a decoy from your gold image using the custom decoy feature that is included under the subscription license.

Some examples of using Decoy Customization include:

  • Windows 10/2016/2019 decoy joining AD.
  • Windows Server 2016/2019 Enterprises users with SQL Server, web applications using an IIS server, and more.
Note

This version only supports Decoy Customization for Windows 10 and Windows Server 2016/2019. Windows Server 2016/2019 supports customized MSSQL and IIS services.

Overview of implementing Decoy Customization:
  1. Order the FDC Custom Decoy Subscription for FDC HW appliance only.

    The Decoy Customization subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

  2. Install FortiDeceptor.

    After installing FortiDeceptor with the Decoy Customization subscription, the Help menu in the toolbar will display an option for the Custom Decoy Image Cookbook.

  3. Follow the instructions in the Customization Cookbook. The high-level instructions are:
    1. Upload an ISO image.
    2. Install ARAE engine on image.
    3. Use the Deployment Wizard to install the customized decoy.

Customize the deception base OS image

Overview of customizing the deception base OS image:
  1. Import Windows ISO image.
  2. Customize VM image.
  3. Deploy custom image.

Import Windows ISO image

Before importing an ISO image into FortiDeceptor, ensure you have completed the following:

  • Purchased a FDC Custom Decoy Subscription

    The FDC Custom Decoy Subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

  • Set up an ISO image with the licenses for your environment. For example, if you want to allow Active Domain (AD) accounts to access decoys, configure the settings on the AD servers, such as create dummy accounts, and so on.
To import an ISO image using the Imported Images page:
  1. Go to Deception > Custom Decoy Image and click the Imported Images tab.

  2. Click Import New ISO Image.
  3. Click Choose a file or drag and drop an image file into that pane.
To import an ISO image using the Customized Images page:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.

  2. Click Import Image and Customize.
  3. Click Choose a file or drag and drop an image file into that pane.
To delete an ISO image:
  1. Go to Deception > Custom Decoy Image and click the Imported Images tab.
  2. Select one or more images and then click Delete.

Customize VM image

To initialize the VM instance:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
  2. Click Import Image and Customize. The custom image wizard opens.
  3. In the Select an imported ISO image dropdown list, select an ISO image. Then click Next.
  4. In the Configuration step, specify the following and then click Next.

    Name

    Upper and lowercase letters and numbers totaling under 48 characters.

    CPU Cores

    1–4 cores.

    Memory

    1024–8192 MB.

    Storage

    20–50 GB.

    Caution

    This configuration is applied to the VM instance for customizing the image, This configuration is not applied to decoys.

  5. In the Customize step, install the OS from the ISO image.

    Follow the prompts until the installation is complete.

To customize the VM:
  1. Ensure the OS is installed and then log in with an admin account.
  2. In Windows Explorer, locate the FDC_Toolkit folder and read the instructions in toolkit_README.txt.

  3. Configure the network using one of the following options.
    • Right-click set_network.bat and then click Run as Administrator.
    • Follow the instructions in net.json to configure the IP address, gateway, and DNS in Windows Control Panel > Network and Internet > Network Connections.

      Caution

      10.254.253.0/24 set by the script is the internal NAT IP address that is temporarily used by the customization VM to allow downloading files and accessing other network resources via the FortiDeceptor default route.

To customize the system for Windows 2016:
  1. Ensure your license is activated.
  2. If you are using Windows 2016, enter the following commands in the PowerShell window to prevent lure configuration failures in the Decoy Deployment wizard.

    secedit /export /cfg c:\secpol.cfg

    (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg

    secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

    rm -force c:\secpol.cfg -confirm:$false

To customize the system for standalone Windows Server 2016:
  1. Go to Server Manager > Tools > Local Security Policy. The Local Security Policy directory opens.
  2. In the Security Settings folder, open the Password Policy folder, and double-click Password must meet complexity requirements.
  3. Select Disabled and then click OK.
  4. Open a Command Prompt as an Administrator and type the following command to update the group policy:

    gpupdate /force

    You should get the following response:

    C:Users\Administrator>gpupdate /force

    Updating policy...

    Computer policy update has completed successfully.

To customize the system for Server 2016 Domain Controller :
  1. In the Domain Controller, go to Server Manager > Tools > Group Policy Management.
  2. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor opens.
  3. In the Computer Configuration folder, go to Policies > Windows Settings > Security Settings\Account Policies > Password Policy > Password must meet complexity requirements.
  4. Select Disabled and click OK.
  5. Open a Command Prompt as Administrator and type the following command to update the group policy:

    gpupdate /force

Optional: install the Microsoft SQL Server

The following SQL Server versions are supported.

If you are downloading with Internet Explorer, it is recommended you disable IE Enhanced Security Configuration.

Since there is no desktop for Windows Server core OS, you must download the installation file on another computer and then use SMB to install the SQL Server.

To install SQL server:
  1. Download and install the SQL server on another computer.

  2. When the SQL Server installation is complete, click Install SMSS to download and install the SQL Server Management Studio to manage and customize the SQL Server.

To further customize the SQL database:
  1. Download a sample database from https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak.

  2. In the FortiDeceptor Customize Decoy console, open SQL Server Management Studio.
  3. Right-click the database object and select Restore Database.

  4. Locate and add the sample DB you downloaded.

  5. When the sample DB is restored, right-click that DB and select Properties to change access permission to make the decoy DB more attractive to attackers.

  6. Give Grant permission to Select and Connect.

  7. Close SQL Server Management Studio.
  8. Verify that your DB is up using the command netstat –an | findstr 1433.
  9. The listening port on the SQL Express Database is disabled by default. To enable the port:
    1. Click Start > Programs > Microsoft SQL Server 20XX and select SQL Server Configuration Manager.

    2. Select SQL Server Network Configuration.

    3. Double-click Protocols for SQLEXPRESS
    4. Right-click TCP/IP and select Properties. If necessary, first enable TCP/IP.

    5. Scroll down to IPAll and verify TCP Dynamic Ports is blank and that TCP Port is set to 1433.

    6. Click OK.

Optional: install Internet Information Service (IIS)

IIS 10 is supported on Windows Server 2016/2019.

To add the IIS role and service:
  1. Go to Server Manager >Dashboard.
  2. Click Manage > Add Roles and Features.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Next.

  5. On the Select destination server page, click Next.

  6. On the Select server roles page, click Web Server (IIS).

  7. In the pop-up dialog box, click Add Features.
  8. On the Select features page, click Next.

  9. On the Web Server Role (IIS) page, click Next.

  10. On the Select role services page, enable URL Authorization and Windows Authentication, then click Next.

  11. On the Confirm installation selections page, click Install.

  12. Wait for the installation to finish, then check the results and click Close.

Join a domain

Before joining a custom Windows OS to a domain, change its DNS server to the DNS server of the domain.

Note

This task is optional.

To join a domain:
  1. Go to Control Panel > System and Security > System and click Change settings.

  2. On the System Properties dialog box, click Change.

  3. Enter the Domain and click OK.

  4. Click Close and restart the computer to join the domain.

Install the FortiDeceptor customization toolkit

When system customization is complete, right-click FDC_CUS_toolkit.exe and select Run as Administrator and wait for the installation to finish.

Another option is to run the CLI command FDC_CUS_toolkit.exe as an administrator.

Save the custom image

When the customization status in the GUI displays Ready, click Start -> Power > Shut down to shut down Windows and then click Save to save this image.

If the Windows Server is connected to a domain, there may not be a Power option in the GUI. In this case, run the command shutdown /s /t 1 /f as administrator.

It might take several minutes to save the entire image. When the image is saved, the page lists the image in Customized Images.

In Deception > Customization, the Customized Images tab lists the custom images.

The Actions column has icons for you to view logs, apply the image, or delete the image.

Deploy custom image

To apply a custom image:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
  2. Select a custom image and click the Apply button or click the Apply icon beside a custom image.

    It might take a few minutes to apply the custom image. When applied, the custom image is listed in Deception > Deception OS.

     

To deploy decoys with custom images–generic image:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom image and deploy it like a standard decoy.
  3. Select whether to domain users to access RDP and SMB.

    For normal users:

    For domain users:

    Note

    We highly recommend enabling RDP and SMB services for decoys joined in the domain and not set in any local lure accounts. Many domains have different policies for account name and password which may cause the decoy to fail to initialize.

To deploy decoys with custom images–SQL Server:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom SQL server image.

  3. (Optional) Click Sample to download a sample .sql file.
  4. Click Upload SQL Schema to upload your own custom .sql file .

To generate SQL alerts:
  1. You can generate SQL alerts using the SQLCMD tool or using WideWorldImporters.
    • To use SQLCMD, run the following commands.

      sqlcmd -S "IP Address" -U "username" -P "password"

      use WideWorldImporters;

      SELECT name

      from SYSOBJECTS

      WHERE

      xtype = 'U'

      go

    • To use WideWorldImporters, run the following commands.

      use WideWorldImporters;

      select top 100 * from Sales.Orders;

      go

    The Incident > Analysis page displays the alerts for the SQL server attack.

To deploy decoys with custom images–IIS (HTTP/HTTPS):
  1. Go to Deception > Deployment Wizard.
  2. Click a custom IIS image.

To deploy decoys with custom images–NBNSSpoofSpotter:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom NBNSSpoofSpotter image.

Note

NBNSSpoofSpotter feature detects attacks using the Responder tool and includes a link to https://github.com/SpiderLabs/Responder with more information about the attack.

Custom Decoy Image

For most deployments, the decoys included with FortiDeceptor are enough and are easier to deploy. However, you have the option to build a decoy from your gold image using the custom decoy feature that is included under the subscription license.

Some examples of using Decoy Customization include:

  • Windows 10/2016/2019 decoy joining AD.
  • Windows Server 2016/2019 Enterprises users with SQL Server, web applications using an IIS server, and more.
Note

This version only supports Decoy Customization for Windows 10 and Windows Server 2016/2019. Windows Server 2016/2019 supports customized MSSQL and IIS services.

Overview of implementing Decoy Customization:
  1. Order the FDC Custom Decoy Subscription for FDC HW appliance only.

    The Decoy Customization subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

  2. Install FortiDeceptor.

    After installing FortiDeceptor with the Decoy Customization subscription, the Help menu in the toolbar will display an option for the Custom Decoy Image Cookbook.

  3. Follow the instructions in the Customization Cookbook. The high-level instructions are:
    1. Upload an ISO image.
    2. Install ARAE engine on image.
    3. Use the Deployment Wizard to install the customized decoy.

Customize the deception base OS image

Overview of customizing the deception base OS image:
  1. Import Windows ISO image.
  2. Customize VM image.
  3. Deploy custom image.

Import Windows ISO image

Before importing an ISO image into FortiDeceptor, ensure you have completed the following:

  • Purchased a FDC Custom Decoy Subscription

    The FDC Custom Decoy Subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

  • Set up an ISO image with the licenses for your environment. For example, if you want to allow Active Domain (AD) accounts to access decoys, configure the settings on the AD servers, such as create dummy accounts, and so on.
To import an ISO image using the Imported Images page:
  1. Go to Deception > Custom Decoy Image and click the Imported Images tab.

  2. Click Import New ISO Image.
  3. Click Choose a file or drag and drop an image file into that pane.
To import an ISO image using the Customized Images page:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.

  2. Click Import Image and Customize.
  3. Click Choose a file or drag and drop an image file into that pane.
To delete an ISO image:
  1. Go to Deception > Custom Decoy Image and click the Imported Images tab.
  2. Select one or more images and then click Delete.

Customize VM image

To initialize the VM instance:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
  2. Click Import Image and Customize. The custom image wizard opens.
  3. In the Select an imported ISO image dropdown list, select an ISO image. Then click Next.
  4. In the Configuration step, specify the following and then click Next.

    Name

    Upper and lowercase letters and numbers totaling under 48 characters.

    CPU Cores

    1–4 cores.

    Memory

    1024–8192 MB.

    Storage

    20–50 GB.

    Caution

    This configuration is applied to the VM instance for customizing the image, This configuration is not applied to decoys.

  5. In the Customize step, install the OS from the ISO image.

    Follow the prompts until the installation is complete.

To customize the VM:
  1. Ensure the OS is installed and then log in with an admin account.
  2. In Windows Explorer, locate the FDC_Toolkit folder and read the instructions in toolkit_README.txt.

  3. Configure the network using one of the following options.
    • Right-click set_network.bat and then click Run as Administrator.
    • Follow the instructions in net.json to configure the IP address, gateway, and DNS in Windows Control Panel > Network and Internet > Network Connections.

      Caution

      10.254.253.0/24 set by the script is the internal NAT IP address that is temporarily used by the customization VM to allow downloading files and accessing other network resources via the FortiDeceptor default route.

To customize the system for Windows 2016:
  1. Ensure your license is activated.
  2. If you are using Windows 2016, enter the following commands in the PowerShell window to prevent lure configuration failures in the Decoy Deployment wizard.

    secedit /export /cfg c:\secpol.cfg

    (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg

    secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

    rm -force c:\secpol.cfg -confirm:$false

To customize the system for standalone Windows Server 2016:
  1. Go to Server Manager > Tools > Local Security Policy. The Local Security Policy directory opens.
  2. In the Security Settings folder, open the Password Policy folder, and double-click Password must meet complexity requirements.
  3. Select Disabled and then click OK.
  4. Open a Command Prompt as an Administrator and type the following command to update the group policy:

    gpupdate /force

    You should get the following response:

    C:Users\Administrator>gpupdate /force

    Updating policy...

    Computer policy update has completed successfully.

To customize the system for Server 2016 Domain Controller :
  1. In the Domain Controller, go to Server Manager > Tools > Group Policy Management.
  2. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor opens.
  3. In the Computer Configuration folder, go to Policies > Windows Settings > Security Settings\Account Policies > Password Policy > Password must meet complexity requirements.
  4. Select Disabled and click OK.
  5. Open a Command Prompt as Administrator and type the following command to update the group policy:

    gpupdate /force

Optional: install the Microsoft SQL Server

The following SQL Server versions are supported.

If you are downloading with Internet Explorer, it is recommended you disable IE Enhanced Security Configuration.

Since there is no desktop for Windows Server core OS, you must download the installation file on another computer and then use SMB to install the SQL Server.

To install SQL server:
  1. Download and install the SQL server on another computer.

  2. When the SQL Server installation is complete, click Install SMSS to download and install the SQL Server Management Studio to manage and customize the SQL Server.

To further customize the SQL database:
  1. Download a sample database from https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak.

  2. In the FortiDeceptor Customize Decoy console, open SQL Server Management Studio.
  3. Right-click the database object and select Restore Database.

  4. Locate and add the sample DB you downloaded.

  5. When the sample DB is restored, right-click that DB and select Properties to change access permission to make the decoy DB more attractive to attackers.

  6. Give Grant permission to Select and Connect.

  7. Close SQL Server Management Studio.
  8. Verify that your DB is up using the command netstat –an | findstr 1433.
  9. The listening port on the SQL Express Database is disabled by default. To enable the port:
    1. Click Start > Programs > Microsoft SQL Server 20XX and select SQL Server Configuration Manager.

    2. Select SQL Server Network Configuration.

    3. Double-click Protocols for SQLEXPRESS
    4. Right-click TCP/IP and select Properties. If necessary, first enable TCP/IP.

    5. Scroll down to IPAll and verify TCP Dynamic Ports is blank and that TCP Port is set to 1433.

    6. Click OK.

Optional: install Internet Information Service (IIS)

IIS 10 is supported on Windows Server 2016/2019.

To add the IIS role and service:
  1. Go to Server Manager >Dashboard.
  2. Click Manage > Add Roles and Features.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Next.

  5. On the Select destination server page, click Next.

  6. On the Select server roles page, click Web Server (IIS).

  7. In the pop-up dialog box, click Add Features.
  8. On the Select features page, click Next.

  9. On the Web Server Role (IIS) page, click Next.

  10. On the Select role services page, enable URL Authorization and Windows Authentication, then click Next.

  11. On the Confirm installation selections page, click Install.

  12. Wait for the installation to finish, then check the results and click Close.

Join a domain

Before joining a custom Windows OS to a domain, change its DNS server to the DNS server of the domain.

Note

This task is optional.

To join a domain:
  1. Go to Control Panel > System and Security > System and click Change settings.

  2. On the System Properties dialog box, click Change.

  3. Enter the Domain and click OK.

  4. Click Close and restart the computer to join the domain.

Install the FortiDeceptor customization toolkit

When system customization is complete, right-click FDC_CUS_toolkit.exe and select Run as Administrator and wait for the installation to finish.

Another option is to run the CLI command FDC_CUS_toolkit.exe as an administrator.

Save the custom image

When the customization status in the GUI displays Ready, click Start -> Power > Shut down to shut down Windows and then click Save to save this image.

If the Windows Server is connected to a domain, there may not be a Power option in the GUI. In this case, run the command shutdown /s /t 1 /f as administrator.

It might take several minutes to save the entire image. When the image is saved, the page lists the image in Customized Images.

In Deception > Customization, the Customized Images tab lists the custom images.

The Actions column has icons for you to view logs, apply the image, or delete the image.

Deploy custom image

To apply a custom image:
  1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
  2. Select a custom image and click the Apply button or click the Apply icon beside a custom image.

    It might take a few minutes to apply the custom image. When applied, the custom image is listed in Deception > Deception OS.

     

To deploy decoys with custom images–generic image:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom image and deploy it like a standard decoy.
  3. Select whether to domain users to access RDP and SMB.

    For normal users:

    For domain users:

    Note

    We highly recommend enabling RDP and SMB services for decoys joined in the domain and not set in any local lure accounts. Many domains have different policies for account name and password which may cause the decoy to fail to initialize.

To deploy decoys with custom images–SQL Server:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom SQL server image.

  3. (Optional) Click Sample to download a sample .sql file.
  4. Click Upload SQL Schema to upload your own custom .sql file .

To generate SQL alerts:
  1. You can generate SQL alerts using the SQLCMD tool or using WideWorldImporters.
    • To use SQLCMD, run the following commands.

      sqlcmd -S "IP Address" -U "username" -P "password"

      use WideWorldImporters;

      SELECT name

      from SYSOBJECTS

      WHERE

      xtype = 'U'

      go

    • To use WideWorldImporters, run the following commands.

      use WideWorldImporters;

      select top 100 * from Sales.Orders;

      go

    The Incident > Analysis page displays the alerts for the SQL server attack.

To deploy decoys with custom images–IIS (HTTP/HTTPS):
  1. Go to Deception > Deployment Wizard.
  2. Click a custom IIS image.

To deploy decoys with custom images–NBNSSpoofSpotter:
  1. Go to Deception > Deployment Wizard.
  2. Click a custom NBNSSpoofSpotter image.

Note

NBNSSpoofSpotter feature detects attacks using the Responder tool and includes a link to https://github.com/SpiderLabs/Responder with more information about the attack.