Mitigation using windows Remote Command
1. Configure the endpoint
1.1 Verify the endpoint domains and permissions.
FortiDeceptor will use the administrator account of the AD domain to access Windows endpoints. Please ensure the Windows endpoints are connected to the AD domain and the administrator account of AD domain can access the endpoints.
The administrator can also be a domain local admin with permission to disable the endpoint network interfaces. |
1.2 Open the Windows SMB port
By default, Windows blocks the SMB port 445. To open the port run the following command in PowerShell:
Set-NetFirewallRule -Name FPS-SMB-In-TCP -Enabled True
1.3 Enable SMB
If the Firewall is enabled by the A/D GPO, you will need to add the FortiDeceptor management IP to the exclusion list. |
- Type
wf. msc
in the Windows search box. - Click Inbound Rules in the navigation pane.
- Scroll down to File and Printer Sharing (Echo Request - ICMPv4-In).
- Enable the options in both Private and Domain profile
2. Configure FortiDeceptor
- In FortiDeceptor, go to Fabric > Quarantine Integration and click + Quarantine Integration with new device.
- Configure the integration settings ensuring the user has sufficient privileges to manage NICs.
- (Optional) Click Credentials Test and then click Start to test the connection.