Windows Server 2022 Installation

Introduction

On Day 5 of the “MyDFIR 30-Day SOC Challenge,” I focused on expanding my lab environment by setting up an additional Windows Server 2022 VM. This server will act as a target machine, with Remote Desktop Protocol (RDP) exposed to the internet. The aim is to monitor it for any incoming traffic, including potential unauthorized login attempts, which will generate logs for future analysis.

Environment Configuration

Before deploying the Windows Server, I updated the logical diagram I created on Day 1. In this updated version, I removed the Windows Server from the VPC to ensure that if this server gets compromised, the VPC and its resources remain isolated and protected from potential attacks.

Steps for Setting Up the Windows Server VM

1. Server Deployment

  • I accessed the Deploy New Server option on Vultr.
  • Selected Cloud Compute (shared CPU), which was sufficient for my use case.
  • For the operating system, I chose Windows Server 2022, and I opted for the cheapest available server at $24/month.
  • Unlike earlier configurations, I did not assign this machine to the Virtual Private Cloud (VPC) to isolate it from the critical infrastructure of the other servers.

2. Firewall Configuration

I left the firewall group empty, intentionally allowing all traffic access to the server. This will help generate logs related to unauthorized access attempts from various IP addresses across the internet.

3. Naming the Server

Following the naming convention required for the MyDFIR challenge, I named the server mydfir-win-[handle], where I replaced [handle] with my actual username.

4. Server Launch and Access

  • After deploying the server, I waited for its status to change to “Running.”
  • Using the console within the Vultr interface, I logged into the server by selecting View Console and using the system-generated password.

5. Remote Desktop Access

To expose RDP, I copied the public IP address of the server and used Remote Desktop Connection to access it. This ensures the server is accessible from anywhere on the internet, a crucial step for generating logs and monitoring potential brute-force attacks.

Security Considerations

Although exposing RDP to the internet is typically a security risk, it’s done intentionally in this setup to gather data on unauthorized login attempts. This is essential for learning how to monitor, detect, and mitigate such attacks in real-world environments.
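Until the Fleet server is in place, the failed-logon events this exposed server generates can be reviewed directly on the box. The following PowerShell script is an added example written for this page, not something from the original post or the MyDFIR challenge materials: it reads Security log Event ID 4625 ("An account failed to log on"), extracts the source IP, target username and logon type from each event's XML, and summarises attempts per source IP. The 24-hour lookback window and the 10-attempt threshold are assumed values chosen for illustration; run it in an elevated PowerShell session on the server.

```powershell
# Added example (not part of the original post): summarise failed logons (Event ID 4625)
# on the exposed Windows Server so RDP brute-force activity is visible before
# centralised log collection exists. Run from an elevated PowerShell session on the server.
param(
    [int]$Hours = 24,       # lookback window (assumed value)
    [int]$Threshold = 10    # failures from one IP above which it is flagged (assumed value)
)

$since = (Get-Date).AddHours(-$Hours)

# Pull failed logon events. 4625 = "An account failed to log on".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4625 events since $since"
    return
}

# Each 4625 event carries its details in EventData; read them from the event XML so that
# field names are explicit instead of relying on positions in the message text.
$records = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Domain    = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        IpAddress = ($data | Where-Object Name -eq 'IpAddress').'#text'
        LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        Status    = ($data | Where-Object Name -eq 'Status').'#text'
    }
}

# Logon type 10 = RemoteInteractive (classic RDP). Type 3 = Network, which is how failed
# RDP attempts appear when Network Level Authentication is enabled, so keep both.
$rdp = $records | Where-Object {
    $_.LogonType -in '3', '10' -and $_.IpAddress -and $_.IpAddress -ne '-'
}

"Failed RDP-style logons by source IP (last $Hours h):"
$rdp | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count,
                  @{ n = 'Usernames'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Flag sources above the threshold; these are the candidates for a firewall block
# once the lab has collected enough data.
$rdp | Group-Object IpAddress | Where-Object Count -ge $Threshold | ForEach-Object {
    Write-Warning ("{0} failed attempts from {1}" -f $_.Count, $_.Name)
}
```

The per-IP grouping with the list of usernames tried is what makes a brute-force or password-spray pattern stand out: a single source cycling through many account names is a different signal from one account failing repeatedly. The same 4625 fields (IpAddress, TargetUserName, LogonType) are what a later Fleet or SIEM query will key on, so the script doubles as a sanity check that the events are being written before agents are deployed.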

Next Steps

In future tasks, I will configure a Fleet server to centralize log collection and management from this newly deployed Windows Server, alongside other endpoints. This will allow for streamlined monitoring of security events across multiple machines.

Conclusion

By the end of Day 5, I successfully set up another Windows Server 2022 VM with RDP exposed to the internet. This machine is now live and ready to serve as a target for incoming traffic, which will later be analyzed to detect security threats. With this setup, I have a more robust lab environment for learning practical SOC analyst skills, focusing on log monitoring and incident detection.