sync: auto-sync from ACG-TECH03L at 2026-04-17 19:47:15

Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-17 19:47:15
This commit is contained in:
2026-04-17 19:47:17 -07:00
parent 3eb621a8b7
commit 0a7f3368a6
15 changed files with 626 additions and 0 deletions

@@ -0,0 +1,28 @@
# Azure / Cloud Services
## Azure Subscription
- Subscription Name:
- Subscription ID:
- Resource Group(s):
- Region:
- Monthly Spend (approx):
## Virtual Machines
| VM Name | Size | OS | IP | Purpose |
|---------------|------------|------------|------------|-----------------|
| | | | | |
## Networking
- Virtual Network:
- Address Space:
- Subnets:
- VPN Gateway to On-Prem: Yes/No
- ExpressRoute: Yes/No
## Other Cloud Services
<!-- AWS, Google Workspace, third-party SaaS -->
| Service | Purpose | Admin URL | Notes |
|-----------------|------------------|------------------|-----------------|
| | | | |
## Notes
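
Review bot: the Virtual Machines table has a single `IP` column, which does not distinguish a public IP from a private VNet address, and that distinction is what determines internet exposure; suggest splitting it into `Private IP` and `Public IP` (or adding an `Internet-facing` Yes/No column), and adding an NSG / cloud firewall line under Networking next to the VPN Gateway and ExpressRoute entries so the template captures what is reachable from outside.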

@@ -0,0 +1,52 @@
# Microsoft 365
## Tenant Info
- Tenant Name:
- Tenant ID:
- Primary Domain:
- Admin Portal URL: https://admin.microsoft.com
## Licensing
| License Type | Quantity | Assigned | Available |
|--------------------------|----------|----------|-----------|
| Microsoft 365 Business Basic | | | |
| Microsoft 365 Business Standard | | | |
| Microsoft 365 Business Premium | | | |
| Exchange Online Plan 1/2 | | | |
| Other | | | |
## Exchange Online
- Mail Domain(s):
- MX Record Points To:
- SPF Record:
- DKIM Enabled: Yes/No
- DMARC Policy:
- Shared Mailboxes:
- Distribution Groups:
- Mail Flow Rules: Yes/No (describe below)
## SharePoint / OneDrive
- SharePoint Sites:
- External Sharing: Enabled/Disabled
- OneDrive Storage Limit:
## Teams
- Teams Phone System: Yes/No
- Calling Plan / Direct Routing:
- Auto Attendant:
## Entra ID (Azure AD)
- Hybrid Joined: Yes/No
- Azure AD Connect Server:
- Sync Schedule:
- Password Hash Sync: Yes/No
- MFA Enforced: Yes/No
- Conditional Access Policies:
## Security
- Defender for Office 365: Yes/No
- Safe Links: Yes/No
- Safe Attachments: Yes/No
- Audit Log Retention:
## Notes
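
Review bot: the Entra ID section tracks MFA enforcement and Conditional Access but has no place for the number of Global Administrators or the break-glass / emergency access accounts, which is the first thing asked about any tenant; suggest adding `- Global Admin Count:` and `- Emergency Access Accounts:` there, plus `- Legacy Authentication Blocked: Yes/No`, since Password Hash Sync and MFA are already recorded and legacy auth is what bypasses MFA.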

@@ -0,0 +1,19 @@
# Issue Log
Record past issues and their resolutions here. This helps the AI learn from historical
troubleshooting and avoid repeating failed approaches.
## Template
### [DATE] - [Brief Description]
- **Reported By:**
- **Severity:** Low / Medium / High / Critical
- **Symptoms:**
- **Root Cause:**
- **Resolution:**
- **Time to Resolve:**
- **Lessons Learned:**
---
<!-- Add new issues above this line, newest first -->
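
Review bot: the comment `<!-- Add new issues above this line, newest first -->` sits directly under the `### [DATE]` template block, so new entries will be inserted between the template and the separator and become hard to tell apart from the template itself; suggest moving the `---` separator and the comment above `## Template` (or adding a `## Issues` heading for real entries) so the template stays at the bottom and logged issues are clearly separated.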

@@ -0,0 +1,31 @@
# DHCP Configuration
## DHCP Server
- Server Name:
- Server IP:
- Failover Partner:
## Scopes
### Scope - [VLAN Name]
- Subnet:
- Range Start:
- Range End:
- Subnet Mask:
- Default Gateway:
- DNS Servers:
- Lease Duration:
- Exclusions:
<!-- Copy the block above for each DHCP scope -->
## Reservations
| Device Name | MAC Address | IP Address | Scope | Notes |
|-----------------|-------------------|-----------------|---------------|---------------|
| | | | | |
## DHCP Relay
- Relay agents configured on:
- Helper address:
## Notes

@@ -0,0 +1,33 @@
# DNS Configuration
## Internal DNS Servers
| Server Name | IP Address | Role |
|-------------|-----------|-------------------|
| | | Primary |
| | | Secondary |
## DNS Forwarders
- Forwarder 1:
- Forwarder 2:
## Conditional Forwarders
| Domain | Forward To | Purpose |
|----------------------|-----------------|-------------------|
| | | |
## Key DNS Records
| Record Type | Name | Value | Notes |
|-------------|------------------|------------------|------------------|
| A | | | |
| CNAME | | | |
| MX | | | |
| TXT | | | |
## External DNS
- Registrar:
- Hosted At:
- Primary Domain:
- Management URL:
## Notes
<!-- Split-brain DNS, special zones, etc. -->
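
Review bot: the External DNS section records the registrar and management URL but not who holds the registrar login, whether MFA and the registrar/transfer lock are enabled, or whether the zone is DNSSEC-signed, and registrar account takeover is the failure mode that bypasses everything else on this page; suggest adding `- Registrar Account Owner:`, `- Registrar MFA: Yes/No`, `- Domain Lock: Yes/No` and `- DNSSEC: Yes/No` under External DNS.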

@@ -0,0 +1,47 @@
# Firewall Configuration
## Device Info
- Vendor/Model:
- Firmware Version:
- Management IP:
- Management URL:
- HA Pair: Yes/No
- License Expiry:
## Interfaces
| Interface | Zone | IP Address | VLAN | Description |
|-----------|-----------|-----------------|------|-------------------|
| WAN1 | WAN | | | Primary Internet |
| WAN2 | WAN | | | Backup Internet |
| LAN | LAN | | | |
| DMZ | DMZ | | | |
## NAT Rules
| Name | Source | Destination | Port(s) | NAT To |
|-------------------|---------------|----------------|-------------|-----------------|
| | | | | |
## Key Firewall Policies
| Name | Source Zone | Dest Zone | Service | Action | Notes |
|-------------------|--------------|---------------|-------------|--------|--------|
| | | | | | |
## VPN
### Site-to-Site VPNs
| Peer Name | Peer IP | Local Subnet | Remote Subnet | Status |
|-------------------|--------------|----------------|---------------|--------|
| | | | | |
### SSL/Client VPN
- Enabled: Yes/No
- Portal URL:
- Auth Method:
- IP Pool:
- Split Tunnel: Yes/No
## Content Filtering
- Web Filter Profile:
- App Control Profile:
- DNS Filter:
## Notes
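
Review bot: the SSL/Client VPN block records `Auth Method` but not whether MFA is required, and Device Info has no field for whether the management interface is reachable from the WAN; both are the most common findings on a perimeter device. Suggest adding `- MFA: Yes/No` under SSL/Client VPN, `- Management from WAN: Yes/No` under Device Info, and a `Direction` (Inbound/Outbound) column on the NAT Rules table so inbound port-forwards are visible at a glance.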

@@ -0,0 +1,43 @@
# Network Topology
## Internet Connection
- ISP:
- Circuit Type:
- Speed (Down/Up):
- Public IP:
- Gateway:
- Modem Model:
## Core Switch
- Model:
- IP Address:
- Management URL:
- Firmware Version:
- Location:
## Additional Switches
<!-- Copy this block for each switch -->
### Switch - [Name/Location]
- Model:
- IP Address:
- Port Count:
- PoE: Yes/No
- Uplink To:
## Wireless
- Controller Model:
- Controller IP:
- Number of APs:
- AP Model(s):
### Access Points
<!-- Copy for each AP -->
- AP Name:
- Location:
- IP Address:
- Connected Switch/Port:
## WAN / SD-WAN
- SD-WAN Vendor:
- Number of Sites:
- Hub Site:
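
Review bot: the Access Points block under Wireless has no per-AP heading, unlike the switch block which uses `### Switch - [Name/Location]`, so copying the AP bullets for each AP as the comment asks will produce one run-on list with repeated `- AP Name:` lines; suggest a `### AP - [Name/Location]` heading to match. The Wireless section also has no field for SSIDs and their auth method (PSK vs 802.1X), even though the VLAN table in this commit dedicates VLANs 50 and 60 to corporate and guest Wi-Fi.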

@@ -0,0 +1,21 @@
# VLANs
## VLAN Table
| VLAN ID | Name | Subnet | Gateway | DHCP Scope | Purpose |
|---------|---------------|-----------------|-----------------|------------------|------------------------|
| 1 | Default | | | | |
| 10 | Management | | | | Network devices |
| 20 | Servers | | | | Server infrastructure |
| 30 | Workstations | | | | End user devices |
| 40 | VoIP | | | | Phone system |
| 50 | WiFi-Corp | | | | Corporate wireless |
| 60 | WiFi-Guest | | | | Guest wireless |
| 100 | Security | | | | Cameras / access ctrl |
## Inter-VLAN Routing
- Performed by:
- Routing device IP:
## VLAN Notes
<!-- Any special considerations, trunk ports, tagged/untagged config -->
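
Review bot: VLAN 1 (Default) has an empty Purpose cell while every other row is described; since the VLAN Notes comment already asks for trunk and tagged/untagged detail, suggest recording explicitly whether VLAN 1 is unused and pruned from trunks and which VLAN is native, so a blank row is not read as "still in use". A note on which VLANs are permitted to route to each other would also make the Inter-VLAN Routing section actionable, especially for the guest (60) and security (100) VLANs.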

@@ -0,0 +1,47 @@
# Client Overview
## Company Name
AT Trebesch
## Primary Contact
- Name:
- Phone:
- Email:
## IT Contact
- Name: Howard Enos (MSP)
- Phone:
- Email: howard@azcomputerguru.com
## Contract Details
- Service Level:
- Hours Covered:
- Contract Renewal Date:
## Environment Summary
- Total Users: 1+ (`Owner` confirmed; verify others on next visit)
- Total Locations: 1
- Domain Name: WORKGROUP (no AD)
- Primary Site Address: Tucson area (timezone US Mountain Standard Time, no DST)
- RMM Agent Count: 1 confirmed (Syncro + ScreenConnect + Splashtop all installed)
- Workstation Count: 1 confirmed (DESKTOP-QNP3ON5) — full inventory pending
- Server Count: 0 confirmed
## Stack Summary (from 2026-04-17 audit of DESKTOP-QNP3ON5)
| Category | Tooling | Notes |
|---|---|---|
| EDR / AV | Bitdefender Endpoint Security Tools 8.26.4.628 | Primary, all 4 services running |
| Secondary AV | Malwarebytes 5.5.4.252 | **CONFLICT** — running real-time alongside Bitdefender. Recommend uninstall or set to scheduled-only. |
| Backup | Carbonite 6.6.0 build 670 (Dec 2025) | Cloud backup, online |
| Remote Access | ScreenConnect 26.1.24 + Splashtop 3.8.0.4 | Both running. Splashtop likely from Syncro bundle. |
| RMM | Syncro 1.0.200.18380 | Agent installed |
| Office | Microsoft 365 Apps for business / Office 2024 Pro Plus | C2R 16.0.19822.20182 |
| OS | Windows 11 **Home** 25H2 | **Should be Pro** for any business workstation (BitLocker, GPO, etc.) |
## Notes
- All workstations currently on Windows 11 Home — flag for Pro upgrade as part of any new-machine refresh cycle.
- Workgroup environment, no AD. Local accounts only.
- "guru" local Administrator account exists on DESKTOP-QNP3ON5 (last logon 2025-10-18) — MSP backdoor, confirm current password is in vault.
- "localadmin" also exists alongside guru — pick one MSP-standard account, retire the other.
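
Review bot: the first bullet under Notes says "All workstations currently on Windows 11 Home", but the Environment Summary above it confirms only one workstation (DESKTOP-QNP3ON5) with the full inventory pending, so this should be scoped to the audited machine until the rest are inventoried. The Office row in Stack Summary also lists "Microsoft 365 Apps for business / Office 2024 Pro Plus" as if both were installed; record which SKU the C2R build actually is, since that determines licensing and update channel.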

@@ -0,0 +1,81 @@
# DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)
**Date:** 2026-04-17
**Technician:** Howard Enos
**Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner)
**Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0)
**JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded)
## Critical — fix this week
1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix:
```powershell
Set-LocalUser -Name Owner -PasswordRequired $true
$p = Read-Host -AsSecureString "New password for Owner"
Set-LocalUser -Name Owner -Password $p
```
Hand the new password to the user directly. Store nothing in the script.
2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.
3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.
4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro:
- No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
- No GPO, no Group Policy Editor
- No remote management of inactivity timeout, USB lockdown, etc.
- Limits Bitdefender / Defender hardening
Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume.
## High — fix this month
5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.
6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).
7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault.
8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.
9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:
```powershell
Get-Service Netlogon | Format-List Name, Status, StartType
nltest /sc_query:WORKGROUP
```
If Netlogon is running or set to Auto, change to Manual + Stopped.
## Medium — schedule
10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy.
11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy.
12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk.
13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation.
15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5.
16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.
## Cleanup
17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used.
21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.
## Working well — call out the wins
- Bitdefender EDR running, all 4 services up
- Carbonite cloud backup installed (Dec 2025 build)
- Firewall enabled on all 3 profiles
- LSA Protection (RunAsPPL) enabled
- WDigest cleartext disabled
- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
- 0 Defender detections in last 30 days
- Updates current (KB5088467 + KB5083769 from 4/15)
- Disk healthy with 598 GB / 953 GB free
## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)
- Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception.
- Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).
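
Review bot: items 10 and 11 prescribe the inactivity timeout and USB lockdown "via local policy", but item 4 in the same list states that Windows 11 Home has no Group Policy Editor, so as written they cannot be applied until the Pro upgrade; either mark them as dependent on item 4 or give the registry equivalent (for the inactivity limit that is the `InactivityTimeoutSecs` value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, set to 900). For item 9, `nltest /sc_query:WORKGROUP` has no domain secure channel to test on a non-domain machine, so paste the actual text of the 3095 events into the finding; that message decides whether this is a failure or Netlogon simply noting it has nothing to do. Item 14 (cached logons) only affects cached domain credentials and so has no effect on a WORKGROUP-only machine; consider dropping it to Low.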

@@ -0,0 +1,34 @@
# RMM / Monitoring
## RMM Solution
- Product:
- Console URL:
- Agent Version:
## Agent Deployment
- Total Devices:
- Servers Monitored:
- Workstations Monitored:
- Network Devices Monitored:
## Monitoring Policies
| Policy Name | Applies To | Alert Condition | Action |
|-------------------|----------------|-------------------------|---------------|
| Disk Space | All Servers | < 10% free | Alert + Ticket|
| CPU | All Servers | > 90% for 15 min | Alert |
| Service Monitor | All Servers | | |
| Backup Monitor | | | |
| Offline Alert | All Agents | Offline > 30 min | Alert |
## Patch Management
- Patch Policy:
- Patch Window:
- Auto-approve: Yes/No
- Exclusions:
## Scripting / Automation
| Script Name | Schedule | Purpose |
|---------------------|-------------|--------------------------|
| | | |
## Notes

@@ -0,0 +1,26 @@
# Endpoint Security / Antivirus
## Solution
- Product:
- Console URL:
- License Count:
- License Expiry:
- Managed By:
## Policy
- Real-time Protection: Yes/No
- Scheduled Scans: (frequency)
- Exclusions:
## Deployment Status
- Total Endpoints:
- Protected:
- Missing Agent:
- Out of Date:
## EDR / XDR
- EDR Enabled: Yes/No
- Product:
- Console URL:
## Notes
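
Review bot: the Policy section has a bare `- Exclusions:` line, and exclusions are the usual way AV coverage gets silently weakened; suggest making it a small table with Path/Process, Reason and Approved By columns so every exclusion has an owner. Given that the audit findings in this same commit flagged Defender Tamper Protection off and two real-time engines running side by side, a `- Tamper Protection: Yes/No` line and a `- Other AV present (conflict check):` line would let the template catch both on the next client.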

@@ -0,0 +1,34 @@
# Backup and Disaster Recovery
## Backup Solution
- Product:
- Console URL:
- License/Subscription:
## Backup Targets
| Target Name | Type | Location | Capacity | Encrypted |
|----------------|----------------|-----------------|--------------|-----------|
| | Local NAS | | | Yes/No |
| | Cloud | | | Yes/No |
| | Offsite | | | Yes/No |
## Backup Jobs
| Job Name | Source | Target | Schedule | Retention | Status |
|-----------------|-------------------|------------|---------------|-------------|--------|
| | | | | | |
## M365 Backup
- M365 Backup Product:
- Exchange Backed Up: Yes/No
- SharePoint Backed Up: Yes/No
- OneDrive Backed Up: Yes/No
- Teams Backed Up: Yes/No
## Disaster Recovery Plan
- RTO Target:
- RPO Target:
- DR Site:
- Last DR Test Date:
- DR Test Result:
## Notes
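
Review bot: the Backup Jobs table has a Status column but nothing records when a restore was last tested, while the Server template in this commit does carry `Last Verified Restore`; suggest adding a `Last Restore Test` column (or a line under Disaster Recovery Plan) so a job that reports success but has never been restored stands out. The Backup Targets table also has `Encrypted` but no field for where the encryption key or passphrase is held, which is the detail that matters the day the backup is actually needed.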

@@ -0,0 +1,49 @@
# Server: [SERVER NAME]
## General Info
- Hostname:
- IP Address:
- OS:
- OS Version:
- Physical / Virtual:
- Host (if virtual):
- Location:
- Last Patched:
## Hardware (if physical)
- Make/Model:
- CPU:
- RAM:
- Storage:
- Warranty Expiry:
## Roles and Services
<!-- List all roles this server performs -->
- [ ] Domain Controller
- [ ] DNS Server
- [ ] DHCP Server
- [ ] File Server
- [ ] Print Server
- [ ] Application Server
- [ ] Database Server
- [ ] Backup Target
- [ ] RDS / Terminal Server
- [ ] Hyper-V Host
## Shares (if file server)
| Share Name | Path | Permissions Group | Notes |
|---------------|-------------------|---------------------|----------------|
| | | | |
## Applications Installed
| Application | Version | Purpose | License |
|-------------------|------------|----------------------|---------------|
| | | | |
## Backup
- Backup Method:
- Backup Schedule:
- Backup Target:
- Last Verified Restore:
## Notes

@@ -0,0 +1,81 @@
# Workstations — AT Trebesch
Inventory built from on-machine audit runs. Last updated 2026-04-17.
## Summary
| PC Name | User/Role | OS | Edition | Domain | BitLocker | Last Audit |
|---|---|---|---|---|---|---|
| DESKTOP-QNP3ON5 | Owner | Win 11 25H2 | **Home** | WORKGROUP | None (decrypted) | 2026-04-17 |
## DESKTOP-QNP3ON5
**Hardware**
- Lenovo (model 91D00000US)
- Serial: MZ025MVK
- BIOS: M68KT23A
- CPU: AMD Ryzen 7 250 w/ Radeon 780M Graphics (8 cores / 16 threads)
- RAM: 15.3 GB
- Storage: 953 GB KIOXIA KBG6AZNV1T02 LA SSD (NVMe), 598 GB free, healthy
- Chassis: Desktop, no battery
**OS / Activation**
- Windows 11 Home 25H2 (build 26200), 64-bit
- Installed 2025-10-12
- License: Licensed (StatusCode 1), partial key 6F4JW
**Network**
- Ethernet: Realtek PCIe GbE — UP, 1 Gbps, 10.0.0.15
- Wi-Fi: Realtek RTL8852BE WiFi 6 — disconnected
- Bluetooth NIC enabled (unused — recommend disable)
- Saved Wi-Fi profiles: ComputerGuru, Scurda2
**Local accounts (enabled)**
| Name | Last Logon | PasswordRequired | Notes |
|---|---|---|---|
| Owner | 2026-04-15 | **False** | **PASSWORD NOT REQUIRED — fix immediately** |
| guru | 2025-10-18 | True | MSP backdoor, in Administrators |
| localadmin | (never logged) | True | Second MSP backdoor, in Administrators |
**Local Administrators:** Administrator (disabled), guru, localadmin, Owner
**Security posture (highlights)**
- BitLocker: Off, drive fully decrypted (Win Home limits BitLocker to "Device Encryption" only)
- Secure Boot: **DISABLED** (UEFI capable, TPM 2.0 ready — turn on)
- TPM: present + ready
- WinRE: enabled
- Firewall: enabled on all 3 profiles
- LSA Protection (RunAsPPL): enabled (good)
- WDigest cleartext: disabled (good)
- Cached logons: 10 (recommend lower to 4)
- NTLM LmCompatibilityLevel: blank (defaults to 3, recommend explicit 5)
- UAC: enabled (default settings)
- RDP: disabled
- USB storage: unrestricted
- AutoPlay: not disabled
**Antivirus posture**
- Bitdefender Endpoint Security Tools 8.26.4.628 — primary EDR, 4 services running
- Malwarebytes 5.5.4.252 — **CONFLICT, also real-time. Pick one.**
- Defender: Passive Mode (correct, deferring to Bitdefender), but Tamper Protection disabled
- Defender ASR rules: 1 configured, 0 in Block mode
**Apps of note**
- Office 365 Apps Pro Plus (Office 2024)
- Carbonite 6.6.0 (Dec 2025 build)
- Classic Shell 4.3.1 — abandoned project, replace with Open-Shell-Menu or remove
- ExplorerPatcher 26100.4946.69.6 — Win10-style shell mod
- Lenovo System Update 5.08.03.59
- AMD Software 26.3.1
- Canon MX490 series MP Drivers 1.02 (printer)
- Windows 11 Installation Assistant — leftover, can uninstall
**Performance**
- Memory at 85.1% used (2.3 GB free of 15.3 GB) — investigate top procs in audit JSON
- Uptime: 2.6 days (boot 2026-04-14)
- 263 processes running
**Updates**
- KB5083769, KB5082417, KB5088467 (4/14-4/15 cycle) installed
- 1 pending update
- 0 WU failures in last 30d
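
Review bot: the per-machine section restates findings already tracked in the audit findings file (password-not-required account, AV conflict, Tamper Protection, ASR, Classic Shell), so the two documents will drift after the first remediation; suggest keeping the inventory to current state and pointing each flagged line at its numbered item in the findings file. Naming is already inconsistent between them: this file says "Office 365 Apps Pro Plus (Office 2024)" while the Client Overview says "Microsoft 365 Apps for business / Office 2024 Pro Plus". The `Saved Wi-Fi profiles` line also lists `ComputerGuru`, which reads like the MSP's own network; note whether that profile is meant to remain on a client machine.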