Fortinet white logo
Fortinet white logo

Administration Guide

Deploying tokens using AD GPO logon script

Deploying tokens using AD GPO logon script

FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a Windows server decoy with the services RDP and SMB, and Linux desktop decoy with the services SSH and SAMBA generates a deception lure package named FDC_TokenPKG_XXXXXXXXX that contains the deception lure files.

The deception lure package is a zip file that has three directories containing all the relevant data and configuration for each OS.

The deception lure for each OS uses the same concept: binary files with several JSON files that provide the decoy fake access parameters for the lure.

There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).

This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon script.

The main idea for the GPO logon script distribution is:

  • Place the deception lure package in a network directory that is accessible to all endpoints.
  • Generate a batch file that runs under the logon script and runs each time the end user logs into the network domain.
  • The batch file copies the deception lure package to the endpoint and executes it.
  • After execution, the endpoint has the deception lure in place.
To prepare the GPO logon script:
  1. Download the deception lure package from the FortiDeceptor Admin Console.
  2. Unzip the downloaded file to a temporary location.
  3. Open the unzipped file and access the windows directory.
  4. Copy all the files and directories, except uninstall.bat, from the windows directory:
    • windows_token.exe
    • Config.json
    • res directory (if it is there)
    • Honeydocs directory (if it is there)
  5. On the AD server, go to \\%UserDNSDomain%\SysVol\domain\scripts

    In this example, the domain is FDC.COM so the location is \\FDC.COM\SysVol\FDC.COM\scripts.

  6. In the scripts directory, create a new directory and name it MyFiles.
  7. Copy windows_token.exe and the res directory to the MyFiles directory.
  8. Create a batch file named Lure.bat with the following commands. In this example, the domain is FDC.com.

    set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles

    set DFolder=%UserProfile%

    xcopy /E /S /H /K /F /C /Y /I "%SFolder%" "%DFolder%\MyFiles"

    start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" "--non-interactive"

    exit

    A similar script for token installation is:

    set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles

    start /B /WAIT /MIN "windows_token" "%SFolder%\windows_token.exe" "--keep-files" "--non-interactive"

    exit

    Syntax example:

    windows_token.exe "[optional command]" "<optional parameters>"...

    Command
    • (blank): The default command both uninstalls previous lures (if applicable), and installs the new lures.
    • uninstall: Uninstalls all previous installed lures (if applicable) for the current user.
    Parameters

    --non-interactive: (Optional) Used with any command, this parameter prevents any user interface from being displayed while the command is being executed.

    --keep-files (Optional) Keep the installation files/directories. Otherwise, all files and directories in the current folder will be wiped out.

  9. (Optional) *The default installation process both uninstalls previous lures (if applicable), and installs the new lures.

    To uninstall tokens without installation:

    1. Copy windows_token.exe from the windows directory to the MyFiles\Uninstall directory.
    2. Create a batch file named uninstall_lure.bat with the following commands.

      In the following example, the domain is FDC.com:

      set SFolder=\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles\Uninstall
      start /B /WAIT /MIN "uninstall_windows_token" "%SFolder%\windows_token.exe" "uninstall" "--non-interactive"
      exit
      

Configuring the GPO logon script

To configure the GPO logon script:
  1. Log into the AD server and open the Group Policy Management tool.

    You can also open this tool using the CLI gpmc.msc.

  2. Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and link it here.

    This creates a new group policy object.

  3. Enter a name for the new group policy object. Do not use a name that has any association with a deception technology.

  4. Right-click the new group policy object and select Edit.
  5. Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  6. In the right pane, double click the Logon script to configure the Logon script properties.

  7. In the Logon Properties dialog box, click Show Files.
  8. Copy the batch file Lure.bat that you have prepared.

  9. In the Logon Properties dialog box, click Add to open the Add a Scriptdialog box.
  10. Click Browse, locate the Lure.bat batch file and add it to Scripts (Logon/Logoff).

  11. Click Apply and then click OK to close this window.
To enforce the group policy:
  1. In the Group Policy Management console, select the new group policy object. In this example, FDC.COM.
  2. In the Scope tab, verify that FDC.COM is linked.
  3. In the Security Filtering section, add and remove the user groups to get the deception lure package through the logon script.
  4. In the left pane, right-click the FDC group policy object and select Enforced.

Deploying tokens using AD GPO logon script

Deploying tokens using AD GPO logon script

FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a Windows server decoy with the services RDP and SMB, and Linux desktop decoy with the services SSH and SAMBA generates a deception lure package named FDC_TokenPKG_XXXXXXXXX that contains the deception lure files.

The deception lure package is a zip file that has three directories containing all the relevant data and configuration for each OS.

The deception lure for each OS uses the same concept: binary files with several JSON files that provide the decoy fake access parameters for the lure.

There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).

This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon script.

The main idea for the GPO logon script distribution is:

  • Place the deception lure package in a network directory that is accessible to all endpoints.
  • Generate a batch file that runs under the logon script and runs each time the end user logs into the network domain.
  • The batch file copies the deception lure package to the endpoint and executes it.
  • After execution, the endpoint has the deception lure in place.
To prepare the GPO logon script:
  1. Download the deception lure package from the FortiDeceptor Admin Console.
  2. Unzip the downloaded file to a temporary location.
  3. Open the unzipped file and access the windows directory.
  4. Copy all the files and directories, except uninstall.bat, from the windows directory:
    • windows_token.exe
    • Config.json
    • res directory (if it is there)
    • Honeydocs directory (if it is there)
  5. On the AD server, go to \\%UserDNSDomain%\SysVol\domain\scripts

    In this example, the domain is FDC.COM so the location is \\FDC.COM\SysVol\FDC.COM\scripts.

  6. In the scripts directory, create a new directory and name it MyFiles.
  7. Copy windows_token.exe and the res directory to the MyFiles directory.
  8. Create a batch file named Lure.bat with the following commands. In this example, the domain is FDC.com.

    set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles

    set DFolder=%UserProfile%

    xcopy /E /S /H /K /F /C /Y /I "%SFolder%" "%DFolder%\MyFiles"

    start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" "--non-interactive"

    exit

    A similar script for token installation is:

    set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles

    start /B /WAIT /MIN "windows_token" "%SFolder%\windows_token.exe" "--keep-files" "--non-interactive"

    exit

    Syntax example:

    windows_token.exe "[optional command]" "<optional parameters>"...

    Command
    • (blank): The default command both uninstalls previous lures (if applicable), and installs the new lures.
    • uninstall: Uninstalls all previous installed lures (if applicable) for the current user.
    Parameters

    --non-interactive: (Optional) Used with any command, this parameter prevents any user interface from being displayed while the command is being executed.

    --keep-files (Optional) Keep the installation files/directories. Otherwise, all files and directories in the current folder will be wiped out.

  9. (Optional) *The default installation process both uninstalls previous lures (if applicable), and installs the new lures.

    To uninstall tokens without installation:

    1. Copy windows_token.exe from the windows directory to the MyFiles\Uninstall directory.
    2. Create a batch file named uninstall_lure.bat with the following commands.

      In the following example, the domain is FDC.com:

      set SFolder=\\fdc.com\SYSVOL\fdc.com\scripts\MyFiles\Uninstall
      start /B /WAIT /MIN "uninstall_windows_token" "%SFolder%\windows_token.exe" "uninstall" "--non-interactive"
      exit
      

Configuring the GPO logon script

To configure the GPO logon script:
  1. Log into the AD server and open the Group Policy Management tool.

    You can also open this tool using the CLI gpmc.msc.

  2. Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and link it here.

    This creates a new group policy object.

  3. Enter a name for the new group policy object. Do not use a name that has any association with a deception technology.

  4. Right-click the new group policy object and select Edit.
  5. Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  6. In the right pane, double click the Logon script to configure the Logon script properties.

  7. In the Logon Properties dialog box, click Show Files.
  8. Copy the batch file Lure.bat that you have prepared.

  9. In the Logon Properties dialog box, click Add to open the Add a Scriptdialog box.
  10. Click Browse, locate the Lure.bat batch file and add it to Scripts (Logon/Logoff).

  11. Click Apply and then click OK to close this window.
To enforce the group policy:
  1. In the Group Policy Management console, select the new group policy object. In this example, FDC.COM.
  2. In the Scope tab, verify that FDC.COM is linked.
  3. In the Security Filtering section, add and remove the user groups to get the deception lure package through the logon script.
  4. In the left pane, right-click the FDC group policy object and select Enforced.