Chapter 11: Building the Wall
Arc 3: Security Incident

"Building the Wall" — Network Security, Hardening & AD Deep Dive

A vendor security audit is coming. While preparing, you discover the Guest VLAN can reach the corporate network — and then you make the most critical discovery yet: the ghost account t.manning is not just active, it logged in yesterday.

Network Segmentation: Why VLANs Alone Aren't Enough

Network segmentation divides a flat network into isolated zones so that a compromise in one zone cannot spread to others. The primary tool for segmentation is the VLAN (Virtual Local Area Network) — a logical grouping of switch ports that creates separate broadcast domains.

But here is the critical misconception: VLANs alone do not provide security. VLANs separate broadcast domains, but if the core switch or router performs inter-VLAN routing, traffic can still flow between VLANs unless you explicitly block it with ACLs (Access Control Lists).

Concept | What It Does | What It Does NOT Do
VLAN | Creates separate Layer 2 broadcast domains. Devices in different VLANs cannot communicate at Layer 2. | Does NOT block Layer 3 (routed) traffic between VLANs. If the switch routes, VLANs can still talk.
Inter-VLAN ACL | Filters routed traffic between VLANs based on source/destination IP, port, and protocol. | Does NOT help if ACL rules are missing or misconfigured. A routed interface with no ACL applied permits all traffic, so "no ACL" means "allow everything", not "deny everything".
Defense in Depth | Layers multiple security controls so that the failure of any single control does not compromise the entire network. | Does NOT work if every layer has the same gap; you need diverse, complementary controls.

The Meridian Problem: Meridian Dynamics created seven VLANs but never configured the inter-VLAN ACLs on the core switch. The VLANs gave a false sense of isolation. In reality, any device on any VLAN could reach any other VLAN through the Layer 3 switch, including the GUEST VLAN reaching the corporate network.

Defense in depth means layering controls: VLANs for Layer 2 separation, ACLs for Layer 3 filtering, firewalls for stateful inspection, network monitoring for detection, and endpoint security for the last line of defense. If any one layer fails, the others still protect you.
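As an added example (not part of the course material), here is how the reachability test behind this kind of audit can be scripted from a Windows host on the Guest VLAN with the built-in Test-NetConnection cmdlet, checking actual reachability against an explicit list of what should and should not be reachable. The only addresses taken from the chapter are the DMZ subnet 10.10.20.0/24 and the host names MD-DC01 and MD-WEB01; the SERVER VLAN range 10.10.10.0/24, the individual IP addresses and the GUEST label are assumptions for illustration.

```powershell
# Added example, not from the course. Run from a host on the Guest VLAN and
# compare what is actually reachable against what SHOULD be reachable.
# Addresses other than the 10.10.20.0/24 DMZ are assumptions.

$SourceVlan = 'GUEST'

# Expectation list: TCP ports that a guest must not reach, plus one it may.
$checks = @(
    [pscustomobject]@{ Name = 'MD-DC01 LDAP';    Address = '10.10.10.5';  Port = 389; Expect = 'Blocked' }
    [pscustomobject]@{ Name = 'MD-DC01 SMB';     Address = '10.10.10.5';  Port = 445; Expect = 'Blocked' }
    [pscustomobject]@{ Name = 'File server SMB'; Address = '10.10.10.20'; Port = 445; Expect = 'Blocked' }
    [pscustomobject]@{ Name = 'MD-WEB01 HTTPS';  Address = '10.10.20.10'; Port = 443; Expect = 'Allowed' }  # public site, fine for guests
)

function Test-VlanPath {
    param([string]$Address, [int]$Port)
    # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false for
    # the TCP connect; -WarningAction hides the "TCP connect failed" warning, which is
    # the outcome we want to see on a blocked path.
    [bool](Test-NetConnection -ComputerName $Address -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue)
}

$results = foreach ($c in $checks) {
    $actual = if (Test-VlanPath -Address $c.Address -Port $c.Port) { 'Allowed' } else { 'Blocked' }
    [pscustomobject]@{
        Source = $SourceVlan
        Target = $c.Name
        Port   = $c.Port
        Expect = $c.Expect
        Actual = $actual
        Result = if ($actual -eq $c.Expect) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize

# A FAIL whose Actual is Allowed is a segmentation gap: Layer 2 isolation exists,
# but the core switch routes the traffic and nothing filters it.
$gaps = @($results | Where-Object { $_.Result -eq 'FAIL' -and $_.Actual -eq 'Allowed' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} path(s) from {1} are routed that an inter-VLAN ACL should block" -f $gaps.Count, $SourceVlan)
}
```

A TCP connect test answers only "is this port reachable from here". A Blocked result may come from a host firewall on the target rather than from the switch, so confirm both the gaps and the fix against the switch configuration, and rerun the same list from every VLAN (IoT included) rather than from Guest alone.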

Firewall Rules: Stateful vs. Stateless

A firewall examines network traffic and decides whether to allow or deny each packet based on a set of rules. There are two fundamental approaches:

Type | How It Works | Pros | Cons
Stateless (Packet Filter) | Examines each packet individually based on source/destination IP, port, and protocol. No memory of previous packets. | Fast, low overhead, simple to configure for basic rules. | Cannot track connections, so return traffic needs its own rule (typically "any high port from the outside"), which also admits unsolicited packets that merely look like replies. Because it keeps no state, it cannot tell a forged packet with the ACK flag set from genuine return traffic.
Stateful | Tracks the state of network connections (NEW, ESTABLISHED, RELATED). Return traffic is automatically allowed for established connections. | More secure: only allows return traffic for connections that were initiated from the trusted side. Blocks unsolicited inbound. | Higher resource usage. The connection table can be exhausted by SYN flood attacks.

Rule order matters. Firewalls process rules top to bottom and stop at the first match. A common best practice is:

  1. Explicit Deny rules first — block known-bad traffic immediately
  2. Explicit Allow rules — permit specific traffic you want
  3. Implicit Deny All at the bottom — anything not explicitly allowed is blocked (deny by default)
Always enable logging. Firewall logs are one of the most valuable data sources for incident response. Log both allowed and denied traffic — denied traffic shows what attackers are trying to reach; allowed traffic shows what they actually accessed.
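As an added example (not from the course), the following script performs the triage the note above describes: it parses firewall log lines and separates what a source tried to reach (denied) from what it actually reached (allowed). The sample lines are constructed in the format Windows Defender Firewall writes to pfirewall.log (a #Fields header followed by space-separated columns); the Guest VLAN range 10.10.50.0/24 and every address and timestamp in the sample are assumptions, not data from the chapter.

```powershell
# Added example, not from the course. Parse pfirewall.log-style lines and split
# the traffic from one source into "probed but denied" and "reached".
# All addresses and times below are constructed for the example.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-03-10 02:14:01 DROP TCP 10.10.50.23 10.10.10.20 51234 22 52 S 3318415 0 8192 - - - RECEIVE
2025-03-10 02:14:01 DROP TCP 10.10.50.23 10.10.10.20 51235 3389 52 S 3318416 0 8192 - - - RECEIVE
2025-03-10 02:14:02 DROP TCP 10.10.50.23 10.10.10.20 51236 135 52 S 3318417 0 8192 - - - RECEIVE
2025-03-10 02:14:02 ALLOW TCP 10.10.50.23 10.10.10.20 51237 445 0 - 0 0 0 - - - RECEIVE
2025-03-10 02:14:05 ALLOW TCP 10.10.50.23 10.10.10.5 51240 389 0 - 0 0 0 - - - RECEIVE
2025-03-10 08:01:10 ALLOW TCP 10.10.30.11 10.10.10.20 60001 445 0 - 0 0 0 - - - RECEIVE
'@

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: header names the columns; every later data line follows it.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$entries = ConvertFrom-PfirewallLog -Lines ($sampleLog -split "`r?`n")

$guestSubnet = '10.10.50.'   # assumed Guest VLAN range
$fromGuest = $entries | Where-Object { $_.'src-ip'.StartsWith($guestSubnet) }

# Denied traffic answers "what were they looking for?"
"Probed but denied, per source -> destination:"
$fromGuest | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip', 'dst-ip' |
    ForEach-Object { "  {0} -> ports {1}" -f $_.Name, (($_.Group.'dst-port' | Sort-Object { [int]$_ } -Unique) -join ',') }

# Allowed traffic answers "what did they actually get to?"
"Reached (allowed):"
$fromGuest | Where-Object action -eq 'ALLOW' |
    Select-Object time, 'src-ip', 'dst-ip', 'dst-port' | Format-Table -AutoSize
```

On the sample above the DROP lines show a guest address walking SSH, RDP and RPC on the file server, and the ALLOW lines show the same address reaching SMB on that server and LDAP on the domain controller; in an incident those allowed lines are where the investigation starts. For a real log, replace the here-string with Get-Content on the log file.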

Wireless Security: WPA2-Enterprise vs. WPA2-Personal

Wireless networks are inherently more exposed than wired — radio signals extend beyond building walls. Securing wireless requires both encryption and authentication.

Feature | WPA2-Personal (PSK) | WPA2-Enterprise (802.1X)
Authentication | Pre-Shared Key (password). Everyone uses the same password. | Individual credentials via a RADIUS server. Each user authenticates with their own username/password or certificate.
Key Management | All users derive their session keys from the same shared key. Anyone who knows the PSK and captures another client's 4-way handshake can decrypt that client's traffic, so one leaked password exposes everyone. | Each user gets a unique session key from their own authentication. Compromising one user does not affect others.
Accountability | Cannot identify which user is connected; all share the same PSK, and a MAC address is not an identity. | Full user accountability: every connection is tied to a specific identity in the RADIUS server.
Revocation | To revoke one user, you must change the PSK on every device. | Disable the individual user account; their access is revoked without affecting anyone else.
Use Case | Home networks, small offices, guest Wi-Fi. | Corporate networks, any environment requiring individual accountability.

802.1X is the IEEE standard for port-based Network Access Control. It works for both wired and wireless networks. The components are:

  • Supplicant — The client device requesting access
  • Authenticator — The switch or access point that controls access
  • Authentication Server — The RADIUS server that validates credentials (often integrated with Active Directory)
Meridian's Guest Wi-Fi Problem: The guest wireless network uses WPA2-Personal with a simple password printed on the lobby wall. Anyone in the parking lot can connect. Combined with the missing inter-VLAN ACL, this means an attacker on guest Wi-Fi can reach the corporate network — which is exactly what happened.

VPN: Remote Access and Split Tunneling

A VPN (Virtual Private Network) creates an encrypted tunnel over an untrusted network (like the internet) so that remote users can securely access internal resources as if they were on the corporate LAN.

Type | Purpose | Example
Remote Access VPN | Connects individual users to the corporate network from any location. The user's device creates an encrypted tunnel to a VPN gateway. | An employee working from home uses a VPN client to connect to the Meridian Dynamics network.
Site-to-Site VPN | Connects two entire networks together over the internet. Replaces expensive leased lines with encrypted tunnels between routers or firewalls. | Meridian's main office connects to a branch office via an IPsec tunnel between their firewalls.

Split tunneling is a configuration where only traffic destined for the corporate network goes through the VPN tunnel; all other traffic (web browsing, streaming, personal email) goes directly to the internet. This saves bandwidth but creates risk:

Split Tunneling Risk: With split tunneling enabled, a compromised home device has a direct internet path (which the attacker controls) and a VPN tunnel into the corporate network (through which it can reach internal resources) at the same time. The VPN effectively bridges the attacker into your network. Full tunneling forces all traffic through the corporate network, so corporate firewalls and security tools can inspect everything. It does not, by itself, fix a compromised endpoint: the malware still has its tunnel, it just has to talk to its operator through your monitored egress. Pair the tunnel policy with device posture checks and with rules on the VPN gateway that limit what a remote user can reach.

DMZ: The Demilitarized Zone

A DMZ (Demilitarized Zone) is a network segment that sits between the internal (trusted) network and the external (untrusted) internet. It hosts services that must be accessible from the internet — web servers, email gateways, DNS servers — while keeping them isolated from the internal network.

There are two common DMZ architectures:

Architecture | Design | Security Level
Single-Firewall DMZ | One firewall with three interfaces: external, DMZ, and internal. The firewall controls traffic between all three zones. | Good for small organizations. Single point of failure: if the firewall is compromised or misconfigured, all zones are exposed.
Two-Firewall DMZ | The DMZ sits between an outer firewall (facing the internet) and an inner firewall (facing the internal network). An attacker must breach two firewalls to reach internal resources. | Better for organizations with high security requirements. Ideally the two firewalls are from different vendors so a vulnerability in one does not affect the other.

The key principle: the internal network should NEVER be directly reachable from the internet. External users connect to DMZ services, and DMZ services communicate with the internal network through tightly controlled firewall rules.

Meridian's DMZ (10.10.20.0/24): The web server MD-WEB01 should be in the DMZ, accessible from the internet on ports 80/443 only. However, because the inter-VLAN ACLs were not configured, MD-WEB01 in the DMZ can reach the internal SERVER VLAN freely — which is how the attacker moved laterally from the web server to the file server.

Active Directory Architecture Deep Dive

Active Directory (AD) is the backbone of Windows enterprise identity management. Understanding its hierarchy is essential for any IT administrator.

AD is organized in a strict hierarchy:

Level | What It Is | Meridian Example
Forest | The top-level container. A forest is the ultimate security boundary in AD. Objects in one forest cannot be accessed from another forest unless an explicit trust is created. | meridian.local (the single forest)
Domain | A logical grouping of objects (users, computers, groups) that share a common directory database, security policies, and trust relationships with other domains. A domain is an administrative and replication boundary, not a security boundary: an administrator of any domain in the forest can compromise the whole forest. | meridian.local (single domain within the forest)
Organizational Unit (OU) | A container within a domain used to organize objects and apply Group Policy. OUs can be nested. They are administrative boundaries, not security boundaries. | OU=IT,OU=Meridian,DC=meridian,DC=local, which contains IT department users like p.sharma, m.chen, t.manning

Domain Trusts

Trusts allow users in one domain to access resources in another domain. A trust has a type (how and where it is created), a direction (which way access flows), and a transitivity (whether it extends to the domains a partner already trusts):

  • Parent-Child Trust — Automatically created when a child domain is added to an existing domain. Two-way and transitive.
  • Forest Trust — Manually created between the root domains of two separate forests. Can be one-way or two-way. Transitive between the two forests, but not to a third forest that one of them trusts.
  • One-Way Trust — A direction rather than a separate type: users in the trusted domain can access resources in the trusting domain, but not the reverse.
  • Two-Way Trust — Users in either domain can access resources in the other.

Every trust is also an attack path: if the trusted side is compromised, its principals can be used against the trusting side. Keep SID filtering enabled on forest and external trusts and review what the trusted side has been granted.

AD Sites and Subnets

Sites represent the physical topology of your network. Each site is associated with one or more IP subnets. AD uses sites to optimize replication traffic and direct clients to the nearest domain controller. In a multi-site organization, replication between sites is compressed and scheduled to conserve WAN bandwidth.

AGDLP Nesting Strategy

The recommended approach for assigning permissions in Active Directory is the AGDLP pattern:

AGDLP Nesting Strategy
A Account (user or computer)
G Global Group (organize by role)
DL Domain Local Group (assign permission)
P Permission (on the resource)

Example: User p.sharma (Account) is a member of IT-Admins (Global Group). IT-Admins is a member of ServerAccess-FullControl (Domain Local Group). ServerAccess-FullControl has Full Control permission on the server share (Permission). This separation means you never assign permissions directly to users — always through groups.

Why AGDLP? Global groups organize users by role. Domain Local groups attach to resources. When a user changes roles, you move them between Global groups — you never touch the resource permissions. When a resource's access policy changes, you modify the Domain Local group — you never touch user accounts. Clean separation.
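As an added example (not part of the course), the AGDLP chain from the text built with the ActiveDirectory module, followed by two checks that catch the anti-pattern the text warns against: a permission granted straight to a user. The names p.sharma, IT-Admins, ServerAccess-FullControl and the Meridian OU path come from the chapter; the groups OU, the NetBIOS domain name MERIDIAN, and the share \\MD-FS01\Projects are assumptions.

```powershell
# Added example, not from the course. Builds A -> G -> DL -> P and then verifies
# that the resource ACL names only groups. Share path, groups OU and the
# NetBIOS name MERIDIAN are assumptions.
Import-Module ActiveDirectory

$groupsOU = 'OU=Groups,OU=Meridian,DC=meridian,DC=local'   # assumed
$share    = '\\MD-FS01\Projects'                            # assumed file server share

# G: global group organised by role
New-ADGroup -Name 'IT-Admins' -GroupScope Global -GroupCategory Security -Path $groupsOU -Description 'Role: IT administrators'
# DL: domain local group that carries the permission on the resource
New-ADGroup -Name 'ServerAccess-FullControl' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU -Description 'Full Control on Projects share'

# A -> G, then G -> DL
Add-ADGroupMember -Identity 'IT-Admins' -Members 'p.sharma'
Add-ADGroupMember -Identity 'ServerAccess-FullControl' -Members 'IT-Admins'

# DL -> P: the NTFS ACE goes to the domain local group, never to the user
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'MERIDIAN\ServerAccess-FullControl', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check 1: any explicit ACE whose identity resolves to a user object is a
# direct assignment that bypasses AGDLP.
function Get-DirectUserAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $name = $_.IdentityReference.Value.Split('\')[-1]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
        -not $_.IsInherited -and $obj.ObjectClass -eq 'user'
    }
}
Get-DirectUserAces -Path $share | Select-Object IdentityReference, FileSystemRights

# Check 2: the user should reach the DL group only through the nested chain.
Get-ADGroupMember -Identity 'ServerAccess-FullControl' -Recursive |
    Where-Object SamAccountName -eq 'p.sharma'
```

Run the two checks on existing shares before restructuring: Get-DirectUserAces lists the users who were granted rights directly and therefore need to be moved into a role group, and the recursive membership query is how you confirm the chain actually delivers access once the direct ACEs are removed.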

User Lifecycle Management

Every user account has a lifecycle — from creation to eventual deletion. Failing to manage any stage properly creates security gaps. The four stages are:

Stage | Actions | Key Concern
Provisioning | Create AD account, set initial password (force change at first logon), assign to appropriate OUs and security groups, configure email, provision workstation. | Least privilege: only assign groups needed for the user's role. Do not copy permissions from another user blindly.
Modification | Role changes: add new groups, remove old groups. Department transfers: move OU, update manager, update group memberships. Access reviews: verify current access is still appropriate. | Permission creep: users accumulate permissions over time as they change roles but old permissions are never removed.
Deprovisioning | Disable account (do NOT delete immediately), remove from all security groups, reset password to random value, move to "Disabled Users" OU, revoke VPN/remote access, disable email, forward mailbox to manager, document in ticketing system. | Timeliness: deprovisioning must happen on the employee's last day, ideally within hours of notification from HR.
Deletion | After retention period (typically 30-90 days), permanently delete the disabled account. Archive mailbox data per retention policy. Remove computer object if applicable. | Compliance: some regulations require account data to be retained for specific periods before deletion.
The t.manning Problem — Why Offboarding Matters: Trent Manning, a Junior Systems Administrator, left Meridian Dynamics six months ago. His manager reported the departure to HR, but HR never filed an IT offboarding request. His account was never disabled. His password was never reset. He was never removed from the IT-Admins group. Six months later, his account is still active, still privileged, and — as you are about to discover — someone logged in with it yesterday. Worse, the password was changed two months after he left, meaning someone who is NOT Trent Manning now controls this account.
Offboarding Checklist Failures at Meridian:
  • Account NOT disabled on last day
  • Password NOT reset to random value
  • NOT removed from IT-Admins group (privileged access retained)
  • NOT moved to Disabled Users OU
  • VPN access NOT revoked
  • No automated account lifecycle process in place
  • No periodic access review to catch stale accounts

LDAP: Lightweight Directory Access Protocol

LDAP is the protocol used to query and modify Active Directory. Every object in AD has a Distinguished Name (DN) that uniquely identifies its location in the directory hierarchy.

A DN is read right to left (most general to most specific):

CN=Trent Manning,OU=IT,OU=Meridian,DC=meridian,DC=local

Breaking this down:

  • DC=meridian,DC=local — Domain Component: the domain (meridian.local)
  • OU=Meridian — Organizational Unit: top-level OU for the company
  • OU=IT — Organizational Unit: the IT department
  • CN=Trent Manning — Common Name: the specific user object

LDAP queries use a filter syntax to search for objects. Common examples:

  • (&(objectClass=user)(sAMAccountName=t.manning)) — Find the user with logon name t.manning
  • (&(objectClass=user)(memberOf=CN=IT-Admins,OU=Groups,OU=Meridian,DC=meridian,DC=local)) — Find all direct members of IT-Admins. memberOf= matches direct membership only; to include users who belong through a nested group, use the LDAP_MATCHING_RULE_IN_CHAIN form memberOf:1.2.840.113556.1.4.1941:=CN=IT-Admins,...
  • (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) — Find all enabled user accounts. The OID 1.2.840.113556.1.4.803 is the bitwise-AND matching rule and 2 is the ACCOUNTDISABLE flag, so the filter reads "userAccountControl does not have bit 2 set". Note that objectClass=user also matches computer objects; add (objectCategory=person) to restrict the result to people.
Security Note: LDAP on port 389 sends simple binds (username and password) and query results in cleartext unless the session is protected by SASL signing and sealing or upgraded with StartTLS. In a corporate environment, use LDAPS (port 636), which wraps LDAP in TLS, and require LDAP signing on the domain controllers. Anonymous LDAP access to AD is disabled by default (only the rootDSE is readable without a bind), but any authenticated domain identity, including an ordinary user or a computer account, can read users, groups, and the OU structure. An attacker on the Guest VLAN who can reach the DC and holds any valid domain credential (or no credential at all, if anonymous access has been switched on) can therefore enumerate the entire directory, which is exactly how they found t.manning.
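As an added example (not from the course), the same three filters run through the ActiveDirectory module's -LDAPFilter parameter, with a small decoder for userAccountControl that shows why the bitwise matching rule in the third filter works. The group DN and search base come from the chapter; the flag values are the documented userAccountControl bits.

```powershell
# Added example, not from the course. Runs the chapter's LDAP filters with the AD
# module and decodes userAccountControl bit flags.
Import-Module ActiveDirectory
$base = 'DC=meridian,DC=local'

# Documented userAccountControl flag bits; only the audit-relevant ones are listed.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
}

function ConvertFrom-UserAccountControl {
    param([int]$Value)
    # Same test the 1.2.840.113556.1.4.803 rule performs server-side: (value AND flag) != 0
    $uacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

# 1. One user by logon name, with its flags spelled out
Get-ADObject -LDAPFilter '(&(objectClass=user)(sAMAccountName=t.manning))' -SearchBase $base -Properties userAccountControl |
    ForEach-Object { "{0}: {1}" -f $_.Name, ((ConvertFrom-UserAccountControl $_.userAccountControl) -join ', ') }

# 2. Members of IT-Admins. Plain memberOf= is direct members only; the
#    LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941) follows nested groups.
$grp = 'CN=IT-Admins,OU=Groups,OU=Meridian,DC=meridian,DC=local'
"Direct members:"
Get-ADObject -LDAPFilter "(&(objectClass=user)(memberOf=$grp))" -SearchBase $base | Select-Object -ExpandProperty Name
"Direct and nested members:"
Get-ADObject -LDAPFilter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$grp))" -SearchBase $base | Select-Object -ExpandProperty Name

# 3. Enabled user accounts. objectCategory=person keeps computer objects out.
Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' -SearchBase $base |
    Measure-Object | Select-Object -ExpandProperty Count
```

The same -LDAPFilter strings work with Get-ADUser and Get-ADGroup, and, since they are plain LDAP, with any LDAP client an attacker would use; the point of decoding userAccountControl yourself is that an audit can then ask for exactly the bits it cares about (for example DONT_REQ_PREAUTH or PASSWD_NOTREQD) instead of relying on the pre-built switches alone.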

PowerShell AD Module: Essential Commands

The ActiveDirectory PowerShell module is the primary tool for managing AD from the command line. Here are the commands you will use in the lab:

Command | Purpose | Example
Get-ADUser | Retrieve user account properties from AD. | Get-ADUser t.manning -Properties *
Get-ADGroup | Retrieve group object properties. | Get-ADGroup "IT-Admins" -Properties *
Get-ADGroupMember | List all members of a group (add -Recursive to expand nested groups). | Get-ADGroupMember "IT-Admins"
Search-ADAccount | Search for accounts by state: disabled, locked out, expired, inactive, password expired/never expires. | Search-ADAccount -AccountDisabled
New-ADUser | Create a new user account in AD. | New-ADUser -Name "Jane Doe" -SamAccountName j.doe
Disable-ADAccount | Disable a user account (set Enabled=False). | Disable-ADAccount t.manning
Pro Tip: Search-ADAccount is your best friend for security audits. Use -AccountDisabled to verify terminated employees are disabled, -AccountInactive -TimeSpan 90.00:00:00 to find dormant accounts, and -PasswordNeverExpires to find accounts that violate password policy; add -UsersOnly to keep computer accounts out of the results. Run these regularly. One caveat: the inactivity test relies on LastLogonDate, which is the replicated lastLogonTimestamp attribute and is only refreshed when the stored value is more than about 14 days old, so an account can have logged on within the last two weeks and still show an older date.
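As an added example (not part of the course), the audit the Pro Tip describes, driven by a list of HR-reported leavers so that an account like t.manning, which is enabled and recently used and therefore invisible to the inactivity search, is still flagged. The HR list, its dates, the second name j.ortega and the privileged-group list are constructed for the example; t.manning and IT-Admins come from the chapter.

```powershell
# Added example, not from the course. Cross-check HR leavers against AD and
# flag the offboarding failures the chapter lists, then run the domain-wide
# sweeps from the Pro Tip. The HR data below is constructed.
Import-Module ActiveDirectory

$hrTerminated = @'
SamAccountName,TerminationDate
t.manning,2024-09-15
j.ortega,2024-12-01
'@ | ConvertFrom-Csv

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'IT-Admins'   # assumed list

# Who holds privilege today, nested groups expanded
$privileged = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
    } catch { Write-Warning "Group '$g' not found: $_" }
}

$findings = foreach ($h in $hrTerminated) {
    # -Filter returns nothing (no error) if the account was already deleted, which is fine
    $u = Get-ADUser -Filter "sAMAccountName -eq '$($h.SamAccountName)'" -Properties Enabled, LastLogonDate, PasswordLastSet, MemberOf
    if (-not $u) { continue }
    $left   = [datetime]$h.TerminationDate
    $issues = @()
    if ($u.Enabled)                                              { $issues += 'still enabled' }
    if ($u.MemberOf.Count -gt 0)                                 { $issues += "still in $($u.MemberOf.Count) group(s)" }
    if ($privileged.SamAccountName -contains $u.SamAccountName)  { $issues += 'PRIVILEGED' }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $left)    { $issues += "password set AFTER leaving ($($u.PasswordLastSet.ToShortDateString()))" }
    if ($u.LastLogonDate   -and $u.LastLogonDate   -gt $left)    { $issues += "logon AFTER leaving ($($u.LastLogonDate.ToShortDateString()))" }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Account = $u.SamAccountName; LeftOn = $left.ToShortDateString(); Issues = ($issues -join '; ') }
    }
}
$findings | Format-Table -Wrap -AutoSize

# Domain-wide sweeps as a second pass. LastLogonDate is the replicated
# lastLogonTimestamp and can trail a real logon by up to 14 days, so treat
# "inactive" as a lower bound on activity, not proof of none.
"Enabled accounts inactive for 90+ days:"
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate
"Accounts whose password never expires:"
Search-ADAccount -PasswordNeverExpires -UsersOnly | Select-Object SamAccountName
```

The HR cross-check is what turns "stale account" detection into "ghost account" detection: a password change or a logon dated after the termination date is a finding even when the account looks busy and healthy, and that is exactly the t.manning pattern. Feed the script the real HR export on a schedule rather than running it once before an audit.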

VLAN Segmentation Map — Meridian Dynamics Network

[Interactive diagram; not reproduced in text.] The map lays out each of Meridian's VLANs, and the red paths show the broken isolation: Guest and IoT traffic can reach corporate resources.

User Lifecycle Flowchart

The full lifecycle of a user account in Active Directory, as the chapter's flowchart presents it (interactive stage details not reproduced):

Hire (HR notifies IT) → Create Account (New-ADUser) → Assign Groups (role-based) → Active Use (daily ops) → Terminate (HR notifies IT) → Disable (Disable-ADAccount) → Remove Groups (strip all) → Archive (mail & data) → Delete (after retention)

X-Ray Mode: VLAN Isolation Audit

[Interactive walkthrough; not reproduced in text.] The audit steps through each VLAN in turn, pings the others, and logs the results in a terminal view; it reveals two isolation failures.

Security Lab: Vendor Audit Preparation & AD User Lifecycle Audit

Scenario: A vendor security audit is scheduled in two weeks. Priya Sharma asks you to audit the AD user lifecycle — check for stale accounts, verify offboarding procedures, and review privileged group memberships. While investigating, you make the most critical discovery of the entire storyline: the t.manning account is not just active — it logged in yesterday, and its password was changed after the employee left. Someone is actively using this ghost account.
  1. Run Get-ADUser t.manning -Properties * to pull the full details on the ghost account. Look at Enabled, MemberOf, LastLogonDate, and PasswordLastSet.
     Hint: Focus on whether the account is enabled and when the password was last changed.
  2. Run Get-ADGroupMember "IT-Admins" to see who has privileged access. Is t.manning still in this group?
     Hint: A former employee should NOT be in any groups, let alone a privileged one.
  3. Run Get-ADUser t.manning -Properties LastLogonDate to check when the account was last used. This is the critical finding.
     Hint: If the last logon is recent, someone is actively using this former employee's account. LastLogonDate comes from the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than about 14 days old, so a recent date proves a recent logon but does not show every logon. For exact times, read the non-replicated lastLogon attribute on each domain controller, or the DC Security log (event 4768 for Kerberos TGT requests, 4776 for NTLM).
  4. Run Search-ADAccount -AccountDisabled to see which accounts have been properly disabled. Is t.manning on this list?
     Hint: t.manning should be on this list if offboarding was done correctly.
  5. Run Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 to find accounts that have not been used in 90 days.
     Hint: t.manning will NOT appear here because it was recently used, which makes the finding more alarming, not less: an inactivity sweep on its own would never have caught it.
  6. Run Disable-ADAccount t.manning to begin the emergency offboarding process. This is the immediate containment action.
     Hint: In a real incident you would also reset the password, remove the group memberships, and escalate to the CISO. Disabling stops new logons and new Kerberos tickets, but tickets already issued stay valid until they expire, and existing VPN or RDP sessions stay up until they are terminated at the gateway or host.
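As an added example (not part of the course), step 6 and the hint after it as a single containment script, which is also the Deprovisioning stage of the lifecycle table applied under incident conditions. It is ordered so that evidence is captured before anything changes, because disabling, resetting and moving the account all alter the object the forensics team will want to see. The account and group names follow the chapter; the Disabled Users OU path, the incident reference INC-0000 and the evidence folder C:\IR are assumptions.

```powershell
# Added example, not from the course. Emergency offboarding of a compromised
# former-employee account: preserve, contain, strip privilege, park, verify.
# The OU path, ticket number and evidence folder are assumptions.
Import-Module ActiveDirectory

$account    = 't.manning'
$disabledOU = 'OU=Disabled Users,OU=Meridian,DC=meridian,DC=local'   # assumed
$ticket     = 'INC-0000'                                            # assumed incident reference
$evidence   = "C:\IR\$account-$(Get-Date -Format yyyyMMdd-HHmmss).xml"

# 1. Preserve state first: full property dump, plus the non-replicated lastLogon
#    from every DC, which gives the exact last logon time rather than the
#    14-day-granular LastLogonDate.
$u = Get-ADUser -Identity $account -Properties *
New-Item -ItemType Directory -Path (Split-Path $evidence) -Force | Out-Null
$u | Export-Clixml -Path $evidence
$lastLogons = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $raw = (Get-ADUser -Identity $account -Server $dc.HostName -Properties lastLogon).lastLogon
    [pscustomobject]@{ DC = $dc.HostName; LastLogon = if ($raw) { [datetime]::FromFileTime($raw) } else { $null } }
}
$lastLogons | Format-Table -AutoSize

# 2. Contain: disable, then rotate the password to a random value nobody knows,
#    so that re-enabling the account later does not hand it back to the attacker.
Disable-ADAccount -Identity $account
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $account -Reset -NewPassword $newPw
$bytes = $null; $newPw = $null

# 3. Strip privilege: remove every group except the primary group (Domain Users),
#    which AD will not let you remove. Memberships were already saved in step 1.
$groups = Get-ADPrincipalGroupMembership -Identity $account
foreach ($g in $groups | Where-Object { $_.Name -ne 'Domain Users' }) {
    Remove-ADGroupMember -Identity $g -Members $account -Confirm:$false
}

# 4. Park the object and record why, by whom, and under which ticket.
Set-ADUser -Identity $account -Description ("DISABLED {0} by {1}: compromised former-employee account, see {2}" -f (Get-Date -Format u), $env:USERNAME, $ticket)
Move-ADObject -Identity $u.DistinguishedName -TargetPath $disabledOU

# 5. Verify the end state.
Get-ADUser -Identity $account -Properties Enabled, MemberOf, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
```

Two things the script cannot do from the domain controller: Kerberos tickets already issued to the attacker remain valid until they expire, so existing sessions must be found and terminated at the VPN gateway, file server and any other host that shows t.manning in its logon events; and nothing here is a substitute for escalation, because an active attacker with a formerly privileged account means the scope is the whole domain, not one user object.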

Terminal — MD-DC01 (Domain Controller). The lab commands above are run in a session on this host.