Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 6.2.1
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiDeceptor 6.2.1 Administration Guide
    6.2.1
    6.2.1
    6.2.0
    6.1.1
    6.1.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.2
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.0
    4.1.1
    4.1.0
    4.0.2
    4.0.1
    4.0.0
    3.3.3
    3.3.2
    3.3.1
    3.3.0
    3.2.2
    3.2.1
    3.2.0
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.1

    Custom Decoy Image

    Custom Decoy Image

    For most deployments, the built-in decoys provided with FortiDeceptor are sufficient and easy to deploy. However, you also have the option to create a decoy from your gold image using the custom decoy feature available with the subscription license.

    FortiDeceptor v6.2.1 supports the following OS types:

    OS

    OS version
    Windows

    Language

    Supported versions

    Notes
    English Windows 10 Supports custom MSSQL
    Windows 11 version 23H2
    • Supports custom MSSQL
    • FortiDeceptor v6.1.0 does not support Windows 11 version 24H2.
    French Windows 10 Supports custom MSSQL
    Windows Server

    Language

    Supported versions

    Notes
    English
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022
    • Supports custom MSSQL
    • Supports custom IIS Service
    French French Windows Server 2016
    • Supports custom MSSQL
    • Supports custom IIS Service
    RedHat Enterprise Linux
    • RedHat Enterprise Linux 7.9
    • RedHat Enterprise Linux 8.8
    • RedHat Enterprise Linux 8.10
    • RedHat Enterprise Linux 9.4

    Ubuntu

    • Ubuntu 20.04
    Overview of implementing Decoy Customization:
    1. Order the FortiDeceptor Custom Decoy Subscription for FortiDeceptor hardware appliance only.

      The Decoy Customization subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

    2. Install FortiDeceptor.

      After installing FortiDeceptor with the Decoy Customization subscription, the Help menu in the toolbar will display an option for the Custom Decoy Image Cookbook.

    3. Follow the instructions in the Customization Cookbook. The high-level instructions are:
      1. Upload an ISO image.
      2. Install ARAE engine on image.
      3. Use the Deployment Wizard to install the customized decoy.

    Customize the deception base OS image

    Overview of customizing the deception base OS image:
    1. Import Windows ISO image.
    2. Customize VM image.
    3. Deploy custom image.

    Import Windows ISO image

    Note

    Only legacy models FDC-VM and FDC1KF with a perpetual license require a FortiDeceptor Custom Decoy Subscription. Current models FDC1KG, FDR1HG, and VMS include this feature as part of the VLAN bundle subscription.

    Customers who choose to activate a custom Windows installation must use a valid product key. They can bring their own Windows license or purchase Windows keys from Fortinet. Note that Fortinet sells keys for Windows 10 only.
    To import an ISO image using the Imported Images page:
    1. Go to Deception > Custom Decoy Image and click the Imported Images tab.

    2. Click Import New ISO Image.
    3. Click Choose a file or drag and drop an image file into that pane.
    To import an ISO image using the Customized Images page:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.

    2. Click Import Image and Customize.
    3. Click Choose a file or drag and drop an image file into that pane.
    To delete an ISO image:
    1. Go to Deception > Custom Decoy Image and click the Imported Images tab.
    2. Select one or more images and then click Delete.

    Customize VM image

    To initialize the VM instance:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
    2. Click Import Image and Customize. The custom image wizard opens.
    3. In the Select an imported ISO image dropdown list, select an ISO image. Then click Next.
    4. In the Configuration step, specify the following and then click Next.

      Name

      Upper and lowercase letters and numbers totaling under 48 characters.

      CPU Cores

      1–4 cores.

      Memory

      1024–8192 MB.

      Storage

      25 GB or more

      Deploy Network

      Port1 Default
      PortX

      Select the deployment network.

      Ensure the specified IP is not already in use and that the following settings align with the PortX configuration:

      • IP/Mask
      • Gateway
      • DNS

      Caution

      This configuration is applied to the VM instance for customizing the image, This configuration is not applied to decoys.

    5. In the Customize step, install the OS from the ISO image.

      Follow the prompts until the installation is complete.

    To customize the VM:
    1. Ensure the OS is installed and then log in with an admin account.
    2. In Windows Explorer, locate the FDC_Toolkit folder and read the instructions in toolkit_README.txt.

    3. Configure the network using one of the following options.
      • Right-click set_network.bat and then click Run as Administrator.
      • Follow the instructions in net.json to configure the IP address, gateway, and DNS in Windows Control Panel > Network and Internet > Network Connections.

        Caution

        10.254.253.0/24 set by the script is the internal NAT IP address that is temporarily used by the customization VM to allow downloading files and accessing other network resources via the FortiDeceptor default route.

    To customize the system for Windows 2016:
    1. Ensure your license is activated.
    2. If you are using Windows 2016, enter the following commands in the PowerShell window to prevent lure configuration failures in the Decoy Deployment wizard.

      secedit /export /cfg c:\secpol.cfg

      (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg

      secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

      rm -force c:\secpol.cfg -confirm:$false

    To customize the system for standalone Windows Server 2016:
    1. Go to Server Manager > Tools > Local Security Policy. The Local Security Policy directory opens.
    2. In the Security Settings folder, go to Account Policies > Password Policy folder, and double-click Password must meet complexity requirements.
    3. Select Disabled and then click OK.
    4. Open a Command Prompt as an Administrator and type the following command to update the group policy:

      gpupdate /force

      You should get the following response:

      C:Users\Administrator>gpupdate /force

      Updating policy...

      Computer policy update has completed successfully.

    To customize the system for Server 2016 Domain Controller :
    1. In the Domain Controller, go to Server Manager > Tools > Group Policy Management.
    2. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor opens.
    3. In the Computer Configuration folder, go to Policies > Windows Settings > Security Settings\Account Policies > Password Policy > Password must meet complexity requirements.
    4. Select Disabled and click OK.
    5. Open a Command Prompt as Administrator and type the following command to update the group policy:

      gpupdate /force

    Optional: Install the Microsoft SQL Server

    The following SQL Server versions are supported.

    If you are downloading with Internet Explorer, it is recommended you disable IE Enhanced Security Configuration.

    Since there is no desktop for Windows Server core OS, you must download the installation file on another computer and then use SMB to install the SQL Server.

    To install SQL server:
    1. Download and install the SQL server on another computer.

    2. When the SQL Server installation is complete, click Install SMSS to download and install the SQL Server Management Studio to manage and customize the SQL Server.

    To further customize the SQL database:
    1. Download a sample database from https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak.

    2. In the FortiDeceptor Customize Decoy console, open SQL Server Management Studio.
    3. Right-click the database object and select Restore Database.

    4. Locate and add the sample DB you downloaded.

    5. When the sample DB is restored, right-click that DB and select Properties to change access permission to make the decoy DB more attractive to attackers.

    6. Give Grant permission to Select and Connect.

    7. Close SQL Server Management Studio.
    8. Verify that your DB is up using the command netstat –an | findstr 1433.
    9. The listening port on the SQL Express Database is disabled by default. To enable the port:

      1. Click Start > Programs > Microsoft SQL Server 20XX and select SQL Server Configuration Manager.

      2. Select SQL Server Network Configuration.

      3. Double-click Protocols for SQLEXPRESS

      4. Right-click TCP/IP and select Properties. If necessary, first enable TCP/IP.

      5. Scroll down to IPAll and verify TCP Dynamic Ports is blank and that TCP Port is set to 1433.

      6. Click OK.

    Optional: Install Internet Information Service (IIS)

    IIS 10 is supported on Windows Server 2016/2019/2022.

    To add the IIS role and service:
    1. Go to Server Manager >Dashboard.
    2. Click Manage > Add Roles and Features.

    3. On the Before you begin page, click Next.

    4. On the Select installation type page, click Next.

    5. On the Select destination server page, click Next.

    6. On the Select server roles page, click Web Server (IIS).

    7. In the pop-up dialog box, click Add Features.
    8. On the Select features page, click Next.

    9. On the Web Server Role (IIS) page, click Next.

    10. On the Select role services page, enable URL Authorization and Windows Authentication, then click Next.

    11. On the Confirm installation selections page, click Install.

    12. Wait for the installation to finish, then check the results and click Close.

    Optional: Turn on Active Directory (AD) controller

    Note

    If an image is customized as an Active Directory (AD) controller and deployed as a decoy, any endpoint attempting to join this decoy domain will initiate an LDAP authentication request. This interaction will be detected and logged as an LDAP-related incident.
    1. Setup the new domain controller for the new domain forest.
    1. Install Active Directory Domain Services and DNS Servers
      1. Open the Server Manager go to Dashboard > Roles Summary > Add roles and features.

      2. Select Role-bases or Feature-based installation.

      3. Click Server Role and select Active Directory Domain Services and DNS, then click Next.
        Note

        Do not select DNS if you intend to use a standalone DNS server.

      4. Keep clicking Next until you reach the Confirmation page. Select Restart the destination server automatically if required, and click Install.

    2. Promote the server into a domain controller.
      1. Click the notification flag next to the Manage menu and click Promote this server to a domain controller. The configuration wizard opens.

      2. In Deployment Configuration, select Add a new forest and enter the Root domain name.

      3. In Domain Controller Options, enter a password for the domain.

      4. In Additional Options, enter a NetBIOS name for your domain ( the default name is recommended).

      5. In Paths, select the folder where your database, log files, and SYSVOL will be stored (the default folder is recommended), then click Next.

      6. Wait for a check-mark to appear and then click Install.

      7. The PC will restart.

    2. Set up the DNS server

    Configure the server according to your requirements. A standalone DNS server can be used.

    • To add more endpoints to this domain, you may want to configure the DNS forward rule to allow these endpoints to resolve public domains.
    • To use a standalone DNS server, DNS server should not be installed in Step 1.
    • The endpoint may use two DNS servers, one for the local domain, and another for public domains.
    3. Add Remote Desktop Users to the Allow log on through Remote Desktop Services Properties policy
    1. Open a command window as an administrator, then enter gpedit.msc to open the local group policy.

    2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Policy Name: Allow log on through Remote Desktop Services.

    3. Select Add User or Group of Allow log on through Remote Desktop Services policy.

    4. Click Advanced.

    5. Click Find Now.

    6. Add Remote Desk User group.

    7. Remote Desktop Users is added.

    4. (Optional) Add AD Users to the Remote Desk User group
    1. Add Active Directory Users
      1. In the Server Manager, click Tools > Active Directory Users and Computers.

      2. Right-click the domain name and open the Users folder.

      3. Right-click the Users folder and select New > User.

      4. Enter the AD user name and click Next.

      5. Enter the AD user password and click Next.

        • Disable User must change password at next logon.
        • Enable User cannot change password and Password never expires.

      6. Click Finish.

      7. The AD Users are added.

    2. Add the new AD users to the Remote Desk User group.
      1. In the Server Manager, go to Tools > Active Directory Users and Computers >{domain name} > Builtin > Remote Desk User group.

      2. Double-click Remote Desk User group, click the Members tab and click Add.

      3. Click Advanced.

      4. Click Find Now and choose the AD users you would like to add to the Remote Desk User group.

      5. Click OK.

      6. The AD users are added to the Remote Desk User group. Click Apply.

    Custom OS Windows 11

    • Windows 11 23H2 is supported.
    • Windows 11 24H2 is not supported.

    The Windows 11 (64-bit) operating system is similar to the Windows 10 service. However, its graphical user interface (GUI) restricts CPU cores, memory, and storage. Since Windows 11 (64-bit) requires more resources, you may encounter the following messages:

    You may also be blocked on the following OOBE page.

    To run Set Bypass TPM and SecureBoot check:
    1. Boot off of your Windows 11 install disk.
    2. Press SHIFT + F10 to launch the command prompt (If this does not work, you can try SHIFT + F10 +FN).
    3. Enter regedit and press Enter.

    4. Go to HKEY_LOCAL_MACHINE > SYSTEM> Setup. Right-click the folder to add a new key folder called LabConfig.

    5. Add new value named BypassTPMCheck.
    6. In the LabConfig folder, type REG_DWORD", set it to 1.

    7. In the LabConfig folder, add a new value called BypassSecureBootCheck then type REG_DWORD, and set it to 1.

      Tooltip

      You can set the RAM larger or equal to 4G during configuration, but If the RAM is less than 4G, you can add another new value called BypassRAMCheck to the LabConfig folder, and type REG_DWORD, and set to 1.

    To set the bypass network setup during OOBE:
    1. Press SHIFT + F10 or SHIFT +Fn+ F10 to launch the command prompt when asked to setup network
    2. Enter "OOBE\BYPASSNRO" and press Enter.

    Join a domain

    Before joining a custom Windows OS to a domain, change its DNS server to the DNS server of the domain.

    Note

    This task is optional.
    To join a domain:
    1. Go to Control Panel > System and Security > System and click Change settings.

    2. On the System Properties dialog box, click Change.

    3. Enter the Domain and click OK.

    4. Click Close and restart the computer to join the domain.

    Install the FortiDeceptor customization toolkit

    When system customization is complete, right-click FDC_CUS_toolkit.exe and select Run as Administrator and wait for the installation to finish.

    Another option is to run the CLI command FDC_CUS_toolkit.exe as an administrator.

    Save the custom image

    When the customization status in the GUI displays Ready, click Start -> Power > Shut down to shut down Windows and then click Save to save this image.

    If the Windows Server is connected to a domain, there may not be a Power option in the GUI. In this case, run the command shutdown /s /t 1 /f as administrator.

    It might take several minutes to save the entire image. When the image is saved, the page lists the image in Customized Images.

    In Deception > Customization, the Customized Images tab lists the custom images.

    The Actions column has icons for you to view logs, apply the image, or delete the image.

    Deploy custom image

    To apply a custom image:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
    2. Select a custom image and click the Apply button or click the Apply icon beside a custom image.

      It might take a few minutes to apply the custom image. When applied, the custom image is listed in Deception > Deception OS.

    To deploy decoys with custom images–generic image:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom image and deploy it like a standard decoy.
    3. Select whether to domain users to access RDP and SMB.

      For normal users:

      For domain users:

      Note

      We highly recommend enabling RDP and SMB services for decoys joined in the domain and not set in any local lure accounts. Many domains have different policies for account name and password which may cause the decoy to fail to initialize.

    To deploy decoys with custom images–SQL Server:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom SQL server image.

    3. (Optional) Click Sample to download a sample .sql file.
    4. Click Upload SQL Schema to upload your own custom .sql file .

    To generate SQL alerts:
    1. You can generate SQL alerts using the SQLCMD tool or using WideWorldImporters.
      • To use SQLCMD, run the following commands.

        sqlcmd -S "IP Address" -U "username" -P "password"

        use WideWorldImporters;

        SELECT name

        from SYSOBJECTS

        WHERE

        xtype = 'U'

        go

      • To use WideWorldImporters, run the following commands.

        use WideWorldImporters;

        select top 100 * from Sales.Orders;

        go

      The Incident > Analysis page displays the alerts for the SQL server attack.

    To deploy decoys with custom images–IIS (HTTP/HTTPS):
    1. Go to Deception > Deployment Wizard.
    2. Click a custom IIS image.

    To deploy decoys with custom images–NBNSSpoofSpotter:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom NBNSSpoofSpotter image.

    Note

    NBNSSpoofSpotter feature detects attacks using the Responder tool and includes a link to https://github.com/SpiderLabs/Responder with more information about the attack.
    To Deploy decoys with custom images-SWIFT Lite2

    1. Go to Deception > Deployment Wizard.

    2. Click SWIFT Lite2 service.

    3. Upload the MT Files.

    Previous
    Next

    On This Page

    Customize the deception base OS image
    Import Windows ISO image
    Customize VM image
    Install the Microsoft SQL Server
    Install Internet Information Service (IIS)
    Custom OS Windows 11
    Join a domain
    Install the FortiDeceptor customization toolkit
    Deploy custom image

    Custom Decoy Image

    Custom Decoy Image

    For most deployments, the built-in decoys provided with FortiDeceptor are sufficient and easy to deploy. However, you also have the option to create a decoy from your gold image using the custom decoy feature available with the subscription license.

    FortiDeceptor v6.2.1 supports the following OS types:

    OS

    OS version
    Windows

    Language

    Supported versions

    Notes
    English Windows 10 Supports custom MSSQL
    Windows 11 version 23H2
    • Supports custom MSSQL
    • FortiDeceptor v6.1.0 does not support Windows 11 version 24H2.
    French Windows 10 Supports custom MSSQL
    Windows Server

    Language

    Supported versions

    Notes
    English
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022
    • Supports custom MSSQL
    • Supports custom IIS Service
    French French Windows Server 2016
    • Supports custom MSSQL
    • Supports custom IIS Service
    RedHat Enterprise Linux
    • RedHat Enterprise Linux 7.9
    • RedHat Enterprise Linux 8.8
    • RedHat Enterprise Linux 8.10
    • RedHat Enterprise Linux 9.4

    Ubuntu

    • Ubuntu 20.04
    Overview of implementing Decoy Customization:
    1. Order the FortiDeceptor Custom Decoy Subscription for FortiDeceptor hardware appliance only.

      The Decoy Customization subscription is for FortiDeceptor hardware appliances only. This subscription license is already included in the FortiDeceptor VM bundle.

    2. Install FortiDeceptor.

      After installing FortiDeceptor with the Decoy Customization subscription, the Help menu in the toolbar will display an option for the Custom Decoy Image Cookbook.

    3. Follow the instructions in the Customization Cookbook. The high-level instructions are:
      1. Upload an ISO image.
      2. Install ARAE engine on image.
      3. Use the Deployment Wizard to install the customized decoy.

    Customize the deception base OS image

    Overview of customizing the deception base OS image:
    1. Import Windows ISO image.
    2. Customize VM image.
    3. Deploy custom image.

    Import Windows ISO image

    Note

    Only legacy models FDC-VM and FDC1KF with a perpetual license require a FortiDeceptor Custom Decoy Subscription. Current models FDC1KG, FDR1HG, and VMS include this feature as part of the VLAN bundle subscription.

    Customers who choose to activate a custom Windows installation must use a valid product key. They can bring their own Windows license or purchase Windows keys from Fortinet. Note that Fortinet sells keys for Windows 10 only.
    To import an ISO image using the Imported Images page:
    1. Go to Deception > Custom Decoy Image and click the Imported Images tab.

    2. Click Import New ISO Image.
    3. Click Choose a file or drag and drop an image file into that pane.
    To import an ISO image using the Customized Images page:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.

    2. Click Import Image and Customize.
    3. Click Choose a file or drag and drop an image file into that pane.
    To delete an ISO image:
    1. Go to Deception > Custom Decoy Image and click the Imported Images tab.
    2. Select one or more images and then click Delete.

    Customize VM image

    To initialize the VM instance:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
    2. Click Import Image and Customize. The custom image wizard opens.
    3. In the Select an imported ISO image dropdown list, select an ISO image. Then click Next.
    4. In the Configuration step, specify the following and then click Next.

      Name

      Upper and lowercase letters and numbers totaling under 48 characters.

      CPU Cores

      1–4 cores.

      Memory

      1024–8192 MB.

      Storage

      25 GB or more

      Deploy Network

      Port1 Default
      PortX

      Select the deployment network.

      Ensure the specified IP is not already in use and that the following settings align with the PortX configuration:

      • IP/Mask
      • Gateway
      • DNS

      Caution

      This configuration is applied to the VM instance for customizing the image, This configuration is not applied to decoys.

    5. In the Customize step, install the OS from the ISO image.

      Follow the prompts until the installation is complete.

    To customize the VM:
    1. Ensure the OS is installed and then log in with an admin account.
    2. In Windows Explorer, locate the FDC_Toolkit folder and read the instructions in toolkit_README.txt.

    3. Configure the network using one of the following options.
      • Right-click set_network.bat and then click Run as Administrator.
      • Follow the instructions in net.json to configure the IP address, gateway, and DNS in Windows Control Panel > Network and Internet > Network Connections.

        Caution

        10.254.253.0/24 set by the script is the internal NAT IP address that is temporarily used by the customization VM to allow downloading files and accessing other network resources via the FortiDeceptor default route.

    To customize the system for Windows 2016:
    1. Ensure your license is activated.
    2. If you are using Windows 2016, enter the following commands in the PowerShell window to prevent lure configuration failures in the Decoy Deployment wizard.

      secedit /export /cfg c:\secpol.cfg

      (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg

      secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY

      rm -force c:\secpol.cfg -confirm:$false

    To customize the system for standalone Windows Server 2016:
    1. Go to Server Manager > Tools > Local Security Policy. The Local Security Policy directory opens.
    2. In the Security Settings folder, go to Account Policies > Password Policy folder, and double-click Password must meet complexity requirements.
    3. Select Disabled and then click OK.
    4. Open a Command Prompt as an Administrator and type the following command to update the group policy:

      gpupdate /force

      You should get the following response:

      C:Users\Administrator>gpupdate /force

      Updating policy...

      Computer policy update has completed successfully.

    To customize the system for Server 2016 Domain Controller :
    1. In the Domain Controller, go to Server Manager > Tools > Group Policy Management.
    2. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor opens.
    3. In the Computer Configuration folder, go to Policies > Windows Settings > Security Settings\Account Policies > Password Policy > Password must meet complexity requirements.
    4. Select Disabled and click OK.
    5. Open a Command Prompt as Administrator and type the following command to update the group policy:

      gpupdate /force

    Optional: Install the Microsoft SQL Server

    The following SQL Server versions are supported.

    If you are downloading with Internet Explorer, it is recommended you disable IE Enhanced Security Configuration.

    Since there is no desktop for Windows Server core OS, you must download the installation file on another computer and then use SMB to install the SQL Server.

    To install SQL server:
    1. Download and install the SQL server on another computer.

    2. When the SQL Server installation is complete, click Install SMSS to download and install the SQL Server Management Studio to manage and customize the SQL Server.

    To further customize the SQL database:
    1. Download a sample database from https://github.com/Microsoft/sql-server-samples/releases/download/wide-world-importers-v1.0/WideWorldImporters-Full.bak.

    2. In the FortiDeceptor Customize Decoy console, open SQL Server Management Studio.
    3. Right-click the database object and select Restore Database.

    4. Locate and add the sample DB you downloaded.

    5. When the sample DB is restored, right-click that DB and select Properties to change access permission to make the decoy DB more attractive to attackers.

    6. Give Grant permission to Select and Connect.

    7. Close SQL Server Management Studio.
    8. Verify that your DB is up using the command netstat –an | findstr 1433.
    9. The listening port on the SQL Express Database is disabled by default. To enable the port:

      1. Click Start > Programs > Microsoft SQL Server 20XX and select SQL Server Configuration Manager.

      2. Select SQL Server Network Configuration.

      3. Double-click Protocols for SQLEXPRESS

      4. Right-click TCP/IP and select Properties. If necessary, first enable TCP/IP.

      5. Scroll down to IPAll and verify TCP Dynamic Ports is blank and that TCP Port is set to 1433.

      6. Click OK.

    Optional: Install Internet Information Service (IIS)

    IIS 10 is supported on Windows Server 2016/2019/2022.

    To add the IIS role and service:
    1. Go to Server Manager >Dashboard.
    2. Click Manage > Add Roles and Features.

    3. On the Before you begin page, click Next.

    4. On the Select installation type page, click Next.

    5. On the Select destination server page, click Next.

    6. On the Select server roles page, click Web Server (IIS).

    7. In the pop-up dialog box, click Add Features.
    8. On the Select features page, click Next.

    9. On the Web Server Role (IIS) page, click Next.

    10. On the Select role services page, enable URL Authorization and Windows Authentication, then click Next.

    11. On the Confirm installation selections page, click Install.

    12. Wait for the installation to finish, then check the results and click Close.

    Optional: Turn on Active Directory (AD) controller

    Note

    If an image is customized as an Active Directory (AD) controller and deployed as a decoy, any endpoint attempting to join this decoy domain will initiate an LDAP authentication request. This interaction will be detected and logged as an LDAP-related incident.
    1. Setup the new domain controller for the new domain forest.
    1. Install Active Directory Domain Services and DNS Servers
      1. Open the Server Manager go to Dashboard > Roles Summary > Add roles and features.

      2. Select Role-bases or Feature-based installation.

      3. Click Server Role and select Active Directory Domain Services and DNS, then click Next.
        Note

        Do not select DNS if you intend to use a standalone DNS server.

      4. Keep clicking Next until you reach the Confirmation page. Select Restart the destination server automatically if required, and click Install.

    2. Promote the server into a domain controller.
      1. Click the notification flag next to the Manage menu and click Promote this server to a domain controller. The configuration wizard opens.

      2. In Deployment Configuration, select Add a new forest and enter the Root domain name.

      3. In Domain Controller Options, enter a password for the domain.

      4. In Additional Options, enter a NetBIOS name for your domain ( the default name is recommended).

      5. In Paths, select the folder where your database, log files, and SYSVOL will be stored (the default folder is recommended), then click Next.

      6. Wait for a check-mark to appear and then click Install.

      7. The PC will restart.

    2. Set up the DNS server

    Configure the server according to your requirements. A standalone DNS server can be used.

    • To add more endpoints to this domain, you may want to configure the DNS forward rule to allow these endpoints to resolve public domains.
    • To use a standalone DNS server, DNS server should not be installed in Step 1.
    • The endpoint may use two DNS servers, one for the local domain, and another for public domains.
    3. Add Remote Desktop Users to the Allow log on through Remote Desktop Services Properties policy
    1. Open a command window as an administrator, then enter gpedit.msc to open the local group policy.

    2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Policy Name: Allow log on through Remote Desktop Services.

    3. Select Add User or Group of Allow log on through Remote Desktop Services policy.

    4. Click Advanced.

    5. Click Find Now.

    6. Add Remote Desk User group.

    7. Remote Desktop Users is added.

    4. (Optional) Add AD Users to the Remote Desk User group
    1. Add Active Directory Users
      1. In the Server Manager, click Tools > Active Directory Users and Computers.

      2. Right-click the domain name and open the Users folder.

      3. Right-click the Users folder and select New > User.

      4. Enter the AD user name and click Next.

      5. Enter the AD user password and click Next.

        • Disable User must change password at next logon.
        • Enable User cannot change password and Password never expires.

      6. Click Finish.

      7. The AD Users are added.

    2. Add the new AD users to the Remote Desk User group.
      1. In the Server Manager, go to Tools > Active Directory Users and Computers >{domain name} > Builtin > Remote Desk User group.

      2. Double-click Remote Desk User group, click the Members tab and click Add.

      3. Click Advanced.

      4. Click Find Now and choose the AD users you would like to add to the Remote Desk User group.

      5. Click OK.

      6. The AD users are added to the Remote Desk User group. Click Apply.

    Custom OS Windows 11

    • Windows 11 23H2 is supported.
    • Windows 11 24H2 is not supported.

    The Windows 11 (64-bit) operating system is similar to the Windows 10 service. However, its graphical user interface (GUI) restricts CPU cores, memory, and storage. Since Windows 11 (64-bit) requires more resources, you may encounter the following messages:

    You may also be blocked on the following OOBE page.

    To run Set Bypass TPM and SecureBoot check:
    1. Boot off of your Windows 11 install disk.
    2. Press SHIFT + F10 to launch the command prompt (If this does not work, you can try SHIFT + F10 +FN).
    3. Enter regedit and press Enter.

    4. Go to HKEY_LOCAL_MACHINE > SYSTEM> Setup. Right-click the folder to add a new key folder called LabConfig.

    5. Add new value named BypassTPMCheck.
    6. In the LabConfig folder, type REG_DWORD", set it to 1.

    7. In the LabConfig folder, add a new value called BypassSecureBootCheck then type REG_DWORD, and set it to 1.

      Tooltip

      You can set the RAM larger or equal to 4G during configuration, but If the RAM is less than 4G, you can add another new value called BypassRAMCheck to the LabConfig folder, and type REG_DWORD, and set to 1.

    To set the bypass network setup during OOBE:
    1. Press SHIFT + F10 or SHIFT +Fn+ F10 to launch the command prompt when asked to setup network
    2. Enter "OOBE\BYPASSNRO" and press Enter.

    Join a domain

    Before joining a custom Windows OS to a domain, change its DNS server to the DNS server of the domain.

    Note

    This task is optional.
    To join a domain:
    1. Go to Control Panel > System and Security > System and click Change settings.

    2. On the System Properties dialog box, click Change.

    3. Enter the Domain and click OK.

    4. Click Close and restart the computer to join the domain.

    Install the FortiDeceptor customization toolkit

    When system customization is complete, right-click FDC_CUS_toolkit.exe and select Run as Administrator and wait for the installation to finish.

    Another option is to run the CLI command FDC_CUS_toolkit.exe as an administrator.

    Save the custom image

    When the customization status in the GUI displays Ready, click Start -> Power > Shut down to shut down Windows and then click Save to save this image.

    If the Windows Server is connected to a domain, there may not be a Power option in the GUI. In this case, run the command shutdown /s /t 1 /f as administrator.

    It might take several minutes to save the entire image. When the image is saved, the page lists the image in Customized Images.

    In Deception > Customization, the Customized Images tab lists the custom images.

    The Actions column has icons for you to view logs, apply the image, or delete the image.

    Deploy custom image

    To apply a custom image:
    1. Go to Deception > Custom Decoy Image and click the Customized Images tab.
    2. Select a custom image and click the Apply button or click the Apply icon beside a custom image.

      It might take a few minutes to apply the custom image. When applied, the custom image is listed in Deception > Deception OS.

    To deploy decoys with custom images–generic image:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom image and deploy it like a standard decoy.
    3. Select whether to domain users to access RDP and SMB.

      For normal users:

      For domain users:

      Note

      We highly recommend enabling RDP and SMB services for decoys joined in the domain and not set in any local lure accounts. Many domains have different policies for account name and password which may cause the decoy to fail to initialize.

    To deploy decoys with custom images–SQL Server:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom SQL server image.

    3. (Optional) Click Sample to download a sample .sql file.
    4. Click Upload SQL Schema to upload your own custom .sql file .

    To generate SQL alerts:
    1. You can generate SQL alerts using the SQLCMD tool or using WideWorldImporters.
      • To use SQLCMD, run the following commands.

        sqlcmd -S "IP Address" -U "username" -P "password"

        use WideWorldImporters;

        SELECT name

        from SYSOBJECTS

        WHERE

        xtype = 'U'

        go

      • To use WideWorldImporters, run the following commands.

        use WideWorldImporters;

        select top 100 * from Sales.Orders;

        go

      The Incident > Analysis page displays the alerts for the SQL server attack.

    To deploy decoys with custom images–IIS (HTTP/HTTPS):
    1. Go to Deception > Deployment Wizard.
    2. Click a custom IIS image.

    To deploy decoys with custom images–NBNSSpoofSpotter:
    1. Go to Deception > Deployment Wizard.
    2. Click a custom NBNSSpoofSpotter image.

    Note

    NBNSSpoofSpotter feature detects attacks using the Responder tool and includes a link to https://github.com/SpiderLabs/Responder with more information about the attack.
    To Deploy decoys with custom images-SWIFT Lite2

    1. Go to Deception > Deployment Wizard.

    2. Click SWIFT Lite2 service.

    3. Upload the MT Files.

    Previous
    Next