From 0a7f3368a6f746e93f0be741bbb56195c5b0f9b9 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Fri, 17 Apr 2026 19:47:17 -0700 Subject: [PATCH] sync: auto-sync from ACG-TECH03L at 2026-04-17 19:47:15 Author: Howard Enos Machine: ACG-TECH03L Timestamp: 2026-04-17 19:47:15 --- clients/at-trebesch/cloud/azure.md | 28 +++++++ clients/at-trebesch/cloud/m365.md | 52 ++++++++++++ clients/at-trebesch/issues/log.md | 19 +++++ clients/at-trebesch/network/dhcp.md | 31 +++++++ clients/at-trebesch/network/dns.md | 33 ++++++++ clients/at-trebesch/network/firewall.md | 47 +++++++++++ clients/at-trebesch/network/topology.md | 43 ++++++++++ clients/at-trebesch/network/vlans.md | 21 +++++ clients/at-trebesch/overview.md | 47 +++++++++++ ...026-04-17-initial-audit-DESKTOP-QNP3ON5.md | 81 +++++++++++++++++++ clients/at-trebesch/rmm/rmm.md | 34 ++++++++ clients/at-trebesch/security/antivirus.md | 26 ++++++ clients/at-trebesch/security/backup.md | 34 ++++++++ .../at-trebesch/servers/server_template.md | 49 +++++++++++ clients/at-trebesch/workstations.md | 81 +++++++++++++++++++ 15 files changed, 626 insertions(+) create mode 100644 clients/at-trebesch/cloud/azure.md create mode 100644 clients/at-trebesch/cloud/m365.md create mode 100644 clients/at-trebesch/issues/log.md create mode 100644 clients/at-trebesch/network/dhcp.md create mode 100644 clients/at-trebesch/network/dns.md create mode 100644 clients/at-trebesch/network/firewall.md create mode 100644 clients/at-trebesch/network/topology.md create mode 100644 clients/at-trebesch/network/vlans.md create mode 100644 clients/at-trebesch/overview.md create mode 100644 clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md create mode 100644 clients/at-trebesch/rmm/rmm.md create mode 100644 clients/at-trebesch/security/antivirus.md create mode 100644 clients/at-trebesch/security/backup.md create mode 100644 clients/at-trebesch/servers/server_template.md create mode 100644 clients/at-trebesch/workstations.md 
diff --git a/clients/at-trebesch/cloud/azure.md b/clients/at-trebesch/cloud/azure.md new file mode 100644 index 0000000..4c7e869 --- /dev/null +++ b/clients/at-trebesch/cloud/azure.md @@ -0,0 +1,28 @@ +# Azure / Cloud Services + +## Azure Subscription +- Subscription Name: +- Subscription ID: +- Resource Group(s): +- Region: +- Monthly Spend (approx): + +## Virtual Machines +| VM Name | Size | OS | IP | Purpose | +|---------------|------------|------------|------------|-----------------| +| | | | | | + +## Networking +- Virtual Network: +- Address Space: +- Subnets: +- VPN Gateway to On-Prem: Yes/No +- ExpressRoute: Yes/No + +## Other Cloud Services + +| Service | Purpose | Admin URL | Notes | +|-----------------|------------------|------------------|-----------------| +| | | | | + +## Notes diff --git a/clients/at-trebesch/cloud/m365.md b/clients/at-trebesch/cloud/m365.md new file mode 100644 index 0000000..dc32af2 --- /dev/null +++ b/clients/at-trebesch/cloud/m365.md 
@@ -0,0 +1,52 @@ +# Microsoft 365 + +## Tenant Info +- Tenant Name: +- Tenant ID: +- Primary Domain: +- Admin Portal URL: https://admin.microsoft.com + +## Licensing +| License Type | Quantity | Assigned | Available | +|--------------------------|----------|----------|-----------| +| Microsoft 365 Business Basic | | | | +| Microsoft 365 Business Standard | | | | +| Microsoft 365 Business Premium | | | | +| Exchange Online Plan 1/2 | | | | +| Other | | | | + +## Exchange Online +- Mail Domain(s): +- MX Record Points To: +- SPF Record: +- DKIM Enabled: Yes/No +- DMARC Policy: +- Shared Mailboxes: +- Distribution Groups: +- Mail Flow Rules: Yes/No (describe below) + +## SharePoint / OneDrive +- SharePoint Sites: +- External Sharing: Enabled/Disabled +- OneDrive Storage Limit: + +## Teams +- Teams Phone System: Yes/No +- Calling Plan / Direct Routing: +- Auto Attendant: + +## Entra ID (Azure AD) +- Hybrid Joined: Yes/No +- Azure AD Connect Server: +- Sync Schedule: +- Password Hash Sync: Yes/No +- MFA Enforced: Yes/No +- Conditional Access Policies: + +## Security +- Defender for Office 365: Yes/No +- Safe Links: Yes/No +- Safe Attachments: Yes/No +- Audit Log Retention: + +## Notes diff --git a/clients/at-trebesch/issues/log.md b/clients/at-trebesch/issues/log.md new file mode 100644 index 0000000..dd4b53e --- /dev/null +++ b/clients/at-trebesch/issues/log.md @@ -0,0 +1,19 @@ +# Issue Log + +Record past issues and their resolutions here. This helps the AI learn from historical +troubleshooting and avoid repeating failed approaches. + +## Template + +### [DATE] - [Brief Description] +- **Reported By:** +- **Severity:** Low / Medium / High / Critical +- **Symptoms:** +- **Root Cause:** +- **Resolution:** +- **Time to Resolve:** +- **Lessons Learned:** + +--- + + diff --git a/clients/at-trebesch/network/dhcp.md b/clients/at-trebesch/network/dhcp.md new file mode 100644 index 0000000..dc7ad3f --- /dev/null +++ b/clients/at-trebesch/network/dhcp.md 
@@ -0,0 +1,31 @@ +# DHCP Configuration + +## DHCP Server +- Server Name: +- Server IP: +- Failover Partner: + +## Scopes + +### Scope - [VLAN Name] +- Subnet: +- Range Start: +- Range End: +- Subnet Mask: +- Default Gateway: +- DNS Servers: +- Lease Duration: +- Exclusions: + + + +## Reservations +| Device Name | MAC Address | IP Address | Scope | Notes | +|-----------------|-------------------|-----------------|---------------|---------------| +| | | | | | + +## DHCP Relay +- Relay agents configured on: +- Helper address: + +## Notes diff --git a/clients/at-trebesch/network/dns.md b/clients/at-trebesch/network/dns.md new file mode 100644 index 0000000..7bf8186 --- /dev/null +++ b/clients/at-trebesch/network/dns.md @@ -0,0 +1,33 @@ +# DNS Configuration + +## Internal DNS Servers +| Server Name | IP Address | Role | +|-------------|-----------|-------------------| +| | | Primary | +| | | Secondary | + +## DNS Forwarders +- Forwarder 1: +- Forwarder 2: + +## Conditional Forwarders +| Domain | Forward To | Purpose | +|----------------------|-----------------|-------------------| +| | | | + +## Key DNS Records +| Record Type | Name | Value | Notes | +|-------------|------------------|------------------|------------------| +| A | | | | +| CNAME | | | | +| MX | | | | +| TXT | | | | + +## External DNS +- Registrar: +- Hosted At: +- Primary Domain: +- Management URL: + +## Notes + diff --git a/clients/at-trebesch/network/firewall.md b/clients/at-trebesch/network/firewall.md new file mode 100644 index 0000000..21d8c8e --- /dev/null +++ b/clients/at-trebesch/network/firewall.md 
@@ -0,0 +1,47 @@ +# Firewall Configuration + +## Device Info +- Vendor/Model: +- Firmware Version: +- Management IP: +- Management URL: +- HA Pair: Yes/No +- License Expiry: + +## Interfaces +| Interface | Zone | IP Address | VLAN | Description | +|-----------|-----------|-----------------|------|-------------------| +| WAN1 | WAN | | | Primary Internet | +| WAN2 | WAN | | | Backup Internet | +| LAN | LAN | | | | +| DMZ | DMZ | | | | + +## NAT Rules +| Name | Source | Destination | Port(s) | NAT To | +|-------------------|---------------|----------------|-------------|-----------------| +| | | | | | + +## Key Firewall Policies +| Name | Source Zone | Dest Zone | Service | Action | Notes | +|-------------------|--------------|---------------|-------------|--------|--------| +| | | | | | | + +## VPN +### Site-to-Site VPNs +| Peer Name | Peer IP | Local Subnet | Remote Subnet | Status | +|-------------------|--------------|----------------|---------------|--------| +| | | | | | + +### SSL/Client VPN +- Enabled: Yes/No +- Portal URL: +- Auth Method: +- IP Pool: +- Split Tunnel: Yes/No + +## Content Filtering +- Web Filter Profile: +- App Control Profile: +- DNS Filter: + +## Notes diff --git a/clients/at-trebesch/network/topology.md b/clients/at-trebesch/network/topology.md new file mode 100644 index 0000000..740cf09 --- /dev/null +++ b/clients/at-trebesch/network/topology.md 
@@ -0,0 +1,43 @@ +# Network Topology + +## Internet Connection +- ISP: +- Circuit Type: +- Speed (Down/Up): +- Public IP: +- Gateway: +- Modem Model: + +## Core Switch +- Model: +- IP Address: +- Management URL: +- Firmware Version: +- Location: + +## Additional Switches + +### Switch - [Name/Location] +- Model: +- IP Address: +- Port Count: +- PoE: Yes/No +- Uplink To: + +## Wireless +- Controller Model: +- Controller IP: +- Number of APs: +- AP Model(s): + +### Access Points + +- AP Name: +- Location: +- IP Address: +- Connected Switch/Port: + +## WAN / SD-WAN +- SD-WAN Vendor: +- Number of Sites: +- Hub Site: diff --git a/clients/at-trebesch/network/vlans.md b/clients/at-trebesch/network/vlans.md new file mode 100644 index 0000000..475f778 --- /dev/null +++ b/clients/at-trebesch/network/vlans.md @@ -0,0 +1,21 @@ +# VLANs + +## VLAN Table + +| VLAN ID | Name | Subnet | Gateway | DHCP Scope | Purpose | +|---------|---------------|-----------------|-----------------|------------------|------------------------| +| 1 | Default | | | | | +| 10 | Management | | | | Network devices | +| 20 | Servers | | | | Server infrastructure | +| 30 | Workstations | | | | End user devices | +| 40 | VoIP | | | | Phone system | +| 50 | WiFi-Corp | | | | Corporate wireless | +| 60 | WiFi-Guest | | | | Guest wireless | +| 100 | Security | | | | Cameras / access ctrl | + +## Inter-VLAN Routing +- Performed by: +- Routing device IP: + +## VLAN Notes + diff --git a/clients/at-trebesch/overview.md b/clients/at-trebesch/overview.md new file mode 100644 index 0000000..101f90e --- /dev/null +++ b/clients/at-trebesch/overview.md 
@@ -0,0 +1,47 @@ +# Client Overview + +## Company Name +AT Trebesch + +## Primary Contact +- Name: +- Phone: +- Email: + +## IT Contact +- Name: Howard Enos (MSP) +- Phone: +- Email: howard@azcomputerguru.com + +## Contract Details +- Service Level: +- Hours Covered: +- Contract Renewal Date: + +## Environment Summary +- Total Users: 1+ (`Owner` confirmed; verify others on next visit) +- Total Locations: 1 +- Domain Name: WORKGROUP (no AD) +- Primary Site Address: Tucson area (timezone US Mountain Standard Time, no DST) +- RMM Agent Count: 1 confirmed (Syncro + ScreenConnect + Splashtop all installed) +- Workstation Count: 1 confirmed (DESKTOP-QNP3ON5) — full inventory pending +- Server Count: 0 confirmed + +## Stack Summary (from 2026-04-17 audit of DESKTOP-QNP3ON5) + +| Category | Tooling | Notes | +|---|---|---| +| EDR / AV | Bitdefender Endpoint Security Tools 8.26.4.628 | Primary, all 4 services running | +| Secondary AV | Malwarebytes 5.5.4.252 | **CONFLICT** — running real-time alongside Bitdefender. Recommend uninstall or set to scheduled-only. | +| Backup | Carbonite 6.6.0 build 670 (Dec 2025) | Cloud backup, online | +| Remote Access | ScreenConnect 26.1.24 + Splashtop 3.8.0.4 | Both running. Splashtop likely from Syncro bundle. | +| RMM | Syncro 1.0.200.18380 | Agent installed | +| Office | Microsoft 365 Apps for business / Office 2024 Pro Plus | C2R 16.0.19822.20182 | +| OS | Windows 11 **Home** 25H2 | **Should be Pro** for any business workstation (BitLocker, GPO, etc.) | + +## Notes + +- All workstations currently on Windows 11 Home — flag for Pro upgrade as part of any new-machine refresh cycle. +- Workgroup environment, no AD. Local accounts only. +- "guru" local Administrator account exists on DESKTOP-QNP3ON5 (last logon 2025-10-18) — MSP backdoor, confirm current password is in vault. +- "localadmin" also exists alongside guru — pick one MSP-standard account, retire the other. 
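Review bot: the Notes section of overview.md drops the one Critical finding from the audit report added in this same commit: the `Owner` account has `PasswordRequired = False` and sits in the local Administrators group, yet the overview only records the lower-priority `guru`/`localadmin` cleanup. Add a line under Notes such as "Owner account: password not required, in Administrators; see 2026-04-17 audit, item 1" so anyone reading the client summary alone sees the item that needs fixing this week. Two smaller points in the same hunk: "All workstations currently on Windows 11 Home" overstates a sample of one (the Environment Summary itself says "Workstation Count: 1 confirmed ... full inventory pending"), so word it as the known machine until the inventory is done; and the RMM line shows three remote-control agents on the box (Syncro, ScreenConnect, Splashtop) while the stack table only guesses "Splashtop likely from Syncro bundle". Each remote-access agent is a separate credential set and attack path, so treat the duplicate the same way the Malwarebytes/Bitdefender overlap is treated: confirm which one is the standard and remove the other.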
diff --git a/clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md b/clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md new file mode 100644 index 0000000..bfe2977 --- /dev/null +++ b/clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md 
@@ -0,0 +1,81 @@ +# DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch) + +**Date:** 2026-04-17 +**Technician:** Howard Enos +**Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner) +**Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0) +**JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded) + +## Critical — fix this week + +1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix: + ```powershell + Set-LocalUser -Name Owner -PasswordRequired $true + $p = Read-Host -AsSecureString "New password for Owner" + Set-LocalUser -Name Owner -Password $p + ``` + Hand the new password to the user directly. Store nothing in the script. + +2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only. + +3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro. + +4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro: + - No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account) + - No GPO, no Group Policy Editor + - No remote management of inactivity timeout, USB lockdown, etc. + - Limits Bitdefender / Defender hardening + + Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume. + +## High — fix this month + +5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. 
Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings. + +6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary). + +7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault. + +8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor. + +9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify: + ```powershell + Get-Service Netlogon | Format-List Name, Status, StartType + nltest /sc_query:WORKGROUP + ``` + If Netlogon is running or set to Auto, change to Manual + Stopped. + +## Medium — schedule + +10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy. +11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy. +12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk. +13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further. +14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation. +15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5. +16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority. 
+ +## Cleanup + +17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user. +18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look. +19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall. +20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used. +21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy. + +## Working well — call out the wins + +- Bitdefender EDR running, all 4 services up +- Carbonite cloud backup installed (Dec 2025 build) +- Firewall enabled on all 3 profiles +- LSA Protection (RunAsPPL) enabled +- WDigest cleartext disabled +- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files +- 0 Defender detections in last 30 days +- Updates current (KB5088467 + KB5083769 from 4/15) +- Disk healthy with 598 GB / 953 GB free + +## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine) + +- Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception. +- Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null). diff --git a/clients/at-trebesch/rmm/rmm.md b/clients/at-trebesch/rmm/rmm.md new file mode 100644 index 0000000..819596b --- /dev/null +++ b/clients/at-trebesch/rmm/rmm.md 
@@ -0,0 +1,34 @@ +# RMM / Monitoring + +## RMM Solution +- Product: +- Console URL: +- Agent Version: + +## Agent Deployment +- Total Devices: +- Servers Monitored: +- Workstations Monitored: +- Network Devices Monitored: + +## Monitoring Policies +| Policy Name | Applies To | Alert Condition | Action | +|-------------------|----------------|-------------------------|---------------| +| Disk Space | All Servers | < 10% free | Alert + Ticket| +| CPU | All Servers | > 90% for 15 min | Alert | +| Service Monitor | All Servers | | | +| Backup Monitor | | | | +| Offline Alert | All Agents | Offline > 30 min | Alert | + +## Patch Management +- Patch Policy: +- Patch Window: +- Auto-approve: Yes/No +- Exclusions: + +## Scripting / Automation +| Script Name | Schedule | Purpose | +|---------------------|-------------|--------------------------| +| | | | + +## Notes diff --git a/clients/at-trebesch/security/antivirus.md b/clients/at-trebesch/security/antivirus.md new file mode 100644 index 0000000..d495dfc --- /dev/null +++ b/clients/at-trebesch/security/antivirus.md @@ -0,0 +1,26 @@ +# Endpoint Security / Antivirus + +## Solution +- Product: +- Console URL: +- License Count: +- License Expiry: +- Managed By: + +## Policy +- Real-time Protection: Yes/No +- Scheduled Scans: (frequency) +- Exclusions: + +## Deployment Status +- Total Endpoints: +- Protected: +- Missing Agent: +- Out of Date: + +## EDR / XDR +- EDR Enabled: Yes/No +- Product: +- Console URL: + +## Notes diff --git a/clients/at-trebesch/security/backup.md b/clients/at-trebesch/security/backup.md new file mode 100644 index 0000000..4ed13a4 --- /dev/null +++ b/clients/at-trebesch/security/backup.md 
@@ -0,0 +1,34 @@ +# Backup and Disaster Recovery + +## Backup Solution +- Product: +- Console URL: +- License/Subscription: + +## Backup Targets +| Target Name | Type | Location | Capacity | Encrypted | +|----------------|----------------|-----------------|--------------|-----------| +| | Local NAS | | | Yes/No | +| | Cloud | | | Yes/No | +| | Offsite | | | Yes/No | + +## Backup Jobs +| Job Name | Source | Target | Schedule | Retention | Status | +|-----------------|-------------------|------------|---------------|-------------|--------| +| | | | | | | + +## M365 Backup +- M365 Backup Product: +- Exchange Backed Up: Yes/No +- SharePoint Backed Up: Yes/No +- OneDrive Backed Up: Yes/No +- Teams Backed Up: Yes/No + +## Disaster Recovery Plan +- RTO Target: +- RPO Target: +- DR Site: +- Last DR Test Date: +- DR Test Result: + +## Notes diff --git a/clients/at-trebesch/servers/server_template.md b/clients/at-trebesch/servers/server_template.md new file mode 100644 index 0000000..d35ab32 --- /dev/null +++ b/clients/at-trebesch/servers/server_template.md 
@@ -0,0 +1,49 @@ +# Server: [SERVER NAME] + +## General Info +- Hostname: +- IP Address: +- OS: +- OS Version: +- Physical / Virtual: +- Host (if virtual): +- Location: +- Last Patched: + +## Hardware (if physical) +- Make/Model: +- CPU: +- RAM: +- Storage: +- Warranty Expiry: + +## Roles and Services + +- [ ] Domain Controller +- [ ] DNS Server +- [ ] DHCP Server +- [ ] File Server +- [ ] Print Server +- [ ] Application Server +- [ ] Database Server +- [ ] Backup Target +- [ ] RDS / Terminal Server +- [ ] Hyper-V Host + +## Shares (if file server) +| Share Name | Path | Permissions Group | Notes | +|---------------|-------------------|---------------------|----------------| +| | | | | + +## Applications Installed +| Application | Version | Purpose | License | +|-------------------|------------|----------------------|---------------| +| | | | | + +## Backup +- Backup Method: +- Backup Schedule: +- Backup Target: +- Last Verified Restore: + +## Notes diff --git a/clients/at-trebesch/workstations.md b/clients/at-trebesch/workstations.md new file mode 100644 index 0000000..6d9e74a --- /dev/null +++ b/clients/at-trebesch/workstations.md 
@@ -0,0 +1,81 @@ +# Workstations — AT Trebesch + +Inventory built from on-machine audit runs. Last updated 2026-04-17. + +## Summary + +| PC Name | User/Role | OS | Edition | Domain | BitLocker | Last Audit | +|---|---|---|---|---|---|---| +| DESKTOP-QNP3ON5 | Owner | Win 11 25H2 | **Home** | WORKGROUP | None (decrypted) | 2026-04-17 | + +## DESKTOP-QNP3ON5 + +**Hardware** +- Lenovo (model 91D00000US) +- Serial: MZ025MVK +- BIOS: M68KT23A +- CPU: AMD Ryzen 7 250 w/ Radeon 780M Graphics (8 cores / 16 threads) +- RAM: 15.3 GB +- Storage: 953 GB KIOXIA KBG6AZNV1T02 LA SSD (NVMe), 598 GB free, healthy +- Chassis: Desktop, no battery + +**OS / Activation** +- Windows 11 Home 25H2 (build 26200), 64-bit +- Installed 2025-10-12 +- License: Licensed (StatusCode 1), partial key 6F4JW + +**Network** +- Ethernet: Realtek PCIe GbE — UP, 1 Gbps, 10.0.0.15 +- Wi-Fi: Realtek RTL8852BE WiFi 6 — disconnected +- Bluetooth NIC enabled (unused — recommend disable) +- Saved Wi-Fi profiles: ComputerGuru, Scurda2 + +**Local accounts (enabled)** +| Name | Last Logon | PasswordRequired | Notes | +|---|---|---|---| +| Owner | 2026-04-15 | **False** | **PASSWORD NOT REQUIRED — fix immediately** | +| guru | 2025-10-18 | True | MSP backdoor, in Administrators | +| localadmin | (never logged) | True | Second MSP backdoor, in Administrators | + +**Local Administrators:** Administrator (disabled), guru, localadmin, Owner + +**Security posture (highlights)** +- BitLocker: Off, drive fully decrypted (Win Home limits BitLocker to "Device Encryption" only) +- Secure Boot: **DISABLED** (UEFI capable, TPM 2.0 ready — turn on) +- TPM: present + ready +- WinRE: enabled +- Firewall: enabled on all 3 profiles +- LSA Protection (RunAsPPL): enabled (good) +- WDigest cleartext: disabled (good) +- Cached logons: 10 (recommend lower to 4) +- NTLM LmCompatibilityLevel: blank (defaults to 3, recommend explicit 5) +- UAC: enabled (default settings) +- RDP: disabled +- USB storage: unrestricted +- AutoPlay: not 
disabled + +**Antivirus posture** +- Bitdefender Endpoint Security Tools 8.26.4.628 — primary EDR, 4 services running +- Malwarebytes 5.5.4.252 — **CONFLICT, also real-time. Pick one.** +- Defender: Passive Mode (correct, deferring to Bitdefender), but Tamper Protection disabled +- Defender ASR rules: 1 configured, 0 in Block mode + +**Apps of note** +- Office 365 Apps Pro Plus (Office 2024) +- Carbonite 6.6.0 (Dec 2025 build) +- Classic Shell 4.3.1 — abandoned project, replace with Open-Shell-Menu or remove +- ExplorerPatcher 26100.4946.69.6 — Win10-style shell mod +- Lenovo System Update 5.08.03.59 +- AMD Software 26.3.1 +- Canon MX490 series MP Drivers 1.02 (printer) +- Windows 11 Installation Assistant — leftover, can uninstall + +**Performance** +- Memory at 85.1% used (2.3 GB free of 15.3 GB) — investigate top procs in audit JSON +- Uptime: 2.6 days (boot 2026-04-14) +- 263 processes running + +**Updates** +- KB5083769, KB5082417, KB5088467 (4/14-4/15 cycle) installed +- 1 pending update +- 0 WU failures in last 30d
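Review bot: in the m365.md template (the `+++ b/clients/at-trebesch/cloud/m365.md` hunk), "MFA Enforced: Yes/No" under Entra ID is too coarse to act on. Record how it is enforced (Security Defaults versus the Conditional Access policies listed on the next line), whether legacy/basic authentication is blocked, and whether it covers admin roles, since a "Yes" backed only by per-user MFA prompts is a different posture from a Conditional Access policy. Likewise "DMARC Policy:" should capture the `p=` value (none, quarantine or reject) and "DKIM Enabled: Yes/No" should be per sending domain, because a single Yes/No hides the case where DKIM is signed for the tenant's onmicrosoft.com name but not for the primary mail domain.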
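Review bot: items 10 and 11 of the audit report (`reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md`) prescribe "via local policy", but item 4 of the same report states the machine is Windows 11 Home with "No GPO, no Group Policy Editor". On Home these have to be direct registry changes or wait for the Pro upgrade; the inactivity limit in particular is the `InactivityTimeoutSecs` DWORD (seconds) under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and there is no `MachineInactivityLimit` value, so "set `MachineInactivityLimit = 900` via local policy" will not reproduce as written. Three related points in the same hunk. Item 14 ("Cached logons count = 10, lower to 4"): `CachedLogonsCount` only governs cached domain credentials, so on a WORKGROUP machine with local accounts it changes nothing; drop it or tie it to a future domain join. Item 6 (ASR Standard preset): ASR rules are enforced only while Defender is the active antivirus with real-time protection on, so with Defender in passive mode behind Bitdefender they configure but do not protect; the text already hedges this as a fallback baseline, so it belongs under Cleanup rather than High. Item 3: Secure Boot is not a prerequisite for BitLocker on Pro (a TPM is), so "unblocks BitLocker enrollment" is the wrong justification; the reason to do it first is ordering, since changing firmware boot settings after BitLocker is enabled invalidates the TPM measurements and forces recovery-key entry. Finally, the item 1 snippet reads the new password into a SecureString and stores nothing, which is right; note that it should be run from the `guru` or `localadmin` session, not from `Owner`, so the account being fixed is not the one holding the shell.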
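Review bot: the local accounts table in workstations.md shows `Owner` with `PasswordRequired` False and the next line lists `Owner` in Local Administrators, so the daily-use account is both passwordless and a full admin; the remediation in the audit sets a password but leaves the admin membership in place. Recommend also moving `Owner` to a standard user and elevating through the retained MSP account (whichever of `guru`/`localadmin` survives item 7), which is the least-privilege change that limits what a phished or malware-run session under `Owner` can do to Bitdefender, Carbonite and the local accounts. Two consistency points in the same hunk: the summary table's "BitLocker: None (decrypted)" and the posture line "Win Home limits BitLocker to Device Encryption only" should also state that Device Encryption is available once Secure Boot is on, so the reader sees the Home-edition option alongside the Pro upgrade; and the line "NTLM LmCompatibilityLevel: blank (defaults to 3, recommend explicit 5)" is correct but worth a caveat that level 5 refuses LM/NTLMv1 to any NAS or printer this box authenticates to, so check the Canon MX490 and any network shares before setting it.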