sync: auto-sync from GURU-5070 at 2026-06-11 08:41:42

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 08:41:42
2026-06-11 08:41:56 -07:00
parent 25d2cf5148
commit 24bf954aaf
21 changed files with 633 additions and 626 deletions


@@ -0,0 +1,3 @@
# Moved -> clients/attrebesch/
Consolidated 2026-06-11. "AT Trebesch" canonical slug = `attrebesch` (matches wiki + vault).
All docs now in `clients/attrebesch/`. Wiki: `wiki/clients/attrebesch.md`. Vault: `clients/attrebesch/`.
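Review bot: the stub names the new canonical slug but never the old one it replaces, so anyone following a stale link or grepping for the previous path will not land here; the audit findings file in this same commit still points its JSON artifact at `clients/at-trebesch/diagnostics/...`, which is exactly the string people will search for. Suggest adding one line such as `Previously: clients/at-trebesch/` to the stub.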


@@ -1,28 +1,28 @@
# Azure / Cloud Services # Azure / Cloud Services
## Azure Subscription ## Azure Subscription
- Subscription Name: - Subscription Name:
- Subscription ID: - Subscription ID:
- Resource Group(s): - Resource Group(s):
- Region: - Region:
- Monthly Spend (approx): - Monthly Spend (approx):
## Virtual Machines ## Virtual Machines
| VM Name | Size | OS | IP | Purpose | | VM Name | Size | OS | IP | Purpose |
|---------------|------------|------------|------------|-----------------| |---------------|------------|------------|------------|-----------------|
| | | | | | | | | | | |
## Networking ## Networking
- Virtual Network: - Virtual Network:
- Address Space: - Address Space:
- Subnets: - Subnets:
- VPN Gateway to On-Prem: Yes/No - VPN Gateway to On-Prem: Yes/No
- ExpressRoute: Yes/No - ExpressRoute: Yes/No
## Other Cloud Services ## Other Cloud Services
<!-- AWS, Google Workspace, third-party SaaS --> <!-- AWS, Google Workspace, third-party SaaS -->
| Service | Purpose | Admin URL | Notes | | Service | Purpose | Admin URL | Notes |
|-----------------|------------------|------------------|-----------------| |-----------------|------------------|------------------|-----------------|
| | | | | | | | | |
## Notes ## Notes


@@ -1,52 +1,52 @@
# Microsoft 365 # Microsoft 365
## Tenant Info ## Tenant Info
- Tenant Name: - Tenant Name:
- Tenant ID: - Tenant ID:
- Primary Domain: - Primary Domain:
- Admin Portal URL: https://admin.microsoft.com - Admin Portal URL: https://admin.microsoft.com
## Licensing ## Licensing
| License Type | Quantity | Assigned | Available | | License Type | Quantity | Assigned | Available |
|--------------------------|----------|----------|-----------| |--------------------------|----------|----------|-----------|
| Microsoft 365 Business Basic | | | | | Microsoft 365 Business Basic | | | |
| Microsoft 365 Business Standard | | | | | Microsoft 365 Business Standard | | | |
| Microsoft 365 Business Premium | | | | | Microsoft 365 Business Premium | | | |
| Exchange Online Plan 1/2 | | | | | Exchange Online Plan 1/2 | | | |
| Other | | | | | Other | | | |
## Exchange Online ## Exchange Online
- Mail Domain(s): - Mail Domain(s):
- MX Record Points To: - MX Record Points To:
- SPF Record: - SPF Record:
- DKIM Enabled: Yes/No - DKIM Enabled: Yes/No
- DMARC Policy: - DMARC Policy:
- Shared Mailboxes: - Shared Mailboxes:
- Distribution Groups: - Distribution Groups:
- Mail Flow Rules: Yes/No (describe below) - Mail Flow Rules: Yes/No (describe below)
## SharePoint / OneDrive ## SharePoint / OneDrive
- SharePoint Sites: - SharePoint Sites:
- External Sharing: Enabled/Disabled - External Sharing: Enabled/Disabled
- OneDrive Storage Limit: - OneDrive Storage Limit:
## Teams ## Teams
- Teams Phone System: Yes/No - Teams Phone System: Yes/No
- Calling Plan / Direct Routing: - Calling Plan / Direct Routing:
- Auto Attendant: - Auto Attendant:
## Entra ID (Azure AD) ## Entra ID (Azure AD)
- Hybrid Joined: Yes/No - Hybrid Joined: Yes/No
- Azure AD Connect Server: - Azure AD Connect Server:
- Sync Schedule: - Sync Schedule:
- Password Hash Sync: Yes/No - Password Hash Sync: Yes/No
- MFA Enforced: Yes/No - MFA Enforced: Yes/No
- Conditional Access Policies: - Conditional Access Policies:
## Security ## Security
- Defender for Office 365: Yes/No - Defender for Office 365: Yes/No
- Safe Links: Yes/No - Safe Links: Yes/No
- Safe Attachments: Yes/No - Safe Attachments: Yes/No
- Audit Log Retention: - Audit Log Retention:
## Notes ## Notes
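Review bot: the Entra ID section asks "MFA Enforced: Yes/No" and "Conditional Access Policies:" but not how MFA is enforced (Security Defaults versus Conditional Access) or whether legacy authentication is blocked, which is the usual bypass when MFA is "enforced" only by policy. Since the template already captures SPF/DKIM/DMARC for mail, suggest adding `- Security Defaults: On/Off`, `- Legacy Auth Blocked: Yes/No` and `- Global Admin Count:` under Entra ID so tenant posture is recorded as consistently as mail posture.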


@@ -1,19 +1,19 @@
# Issue Log # Issue Log
Record past issues and their resolutions here. This helps the AI learn from historical Record past issues and their resolutions here. This helps the AI learn from historical
troubleshooting and avoid repeating failed approaches. troubleshooting and avoid repeating failed approaches.
## Template ## Template
### [DATE] - [Brief Description] ### [DATE] - [Brief Description]
- **Reported By:** - **Reported By:**
- **Severity:** Low / Medium / High / Critical - **Severity:** Low / Medium / High / Critical
- **Symptoms:** - **Symptoms:**
- **Root Cause:** - **Root Cause:**
- **Resolution:** - **Resolution:**
- **Time to Resolve:** - **Time to Resolve:**
- **Lessons Learned:** - **Lessons Learned:**
--- ---
<!-- Add new issues above this line, newest first --> <!-- Add new issues above this line, newest first -->


@@ -1,31 +1,31 @@
# DHCP Configuration # DHCP Configuration
## DHCP Server ## DHCP Server
- Server Name: - Server Name:
- Server IP: - Server IP:
- Failover Partner: - Failover Partner:
## Scopes ## Scopes
### Scope - [VLAN Name] ### Scope - [VLAN Name]
- Subnet: - Subnet:
- Range Start: - Range Start:
- Range End: - Range End:
- Subnet Mask: - Subnet Mask:
- Default Gateway: - Default Gateway:
- DNS Servers: - DNS Servers:
- Lease Duration: - Lease Duration:
- Exclusions: - Exclusions:
<!-- Copy the block above for each DHCP scope --> <!-- Copy the block above for each DHCP scope -->
## Reservations ## Reservations
| Device Name | MAC Address | IP Address | Scope | Notes | | Device Name | MAC Address | IP Address | Scope | Notes |
|-----------------|-------------------|-----------------|---------------|---------------| |-----------------|-------------------|-----------------|---------------|---------------|
| | | | | | | | | | | |
## DHCP Relay ## DHCP Relay
- Relay agents configured on: - Relay agents configured on:
- Helper address: - Helper address:
## Notes ## Notes


@@ -1,33 +1,33 @@
# DNS Configuration # DNS Configuration
## Internal DNS Servers ## Internal DNS Servers
| Server Name | IP Address | Role | | Server Name | IP Address | Role |
|-------------|-----------|-------------------| |-------------|-----------|-------------------|
| | | Primary | | | | Primary |
| | | Secondary | | | | Secondary |
## DNS Forwarders ## DNS Forwarders
- Forwarder 1: - Forwarder 1:
- Forwarder 2: - Forwarder 2:
## Conditional Forwarders ## Conditional Forwarders
| Domain | Forward To | Purpose | | Domain | Forward To | Purpose |
|----------------------|-----------------|-------------------| |----------------------|-----------------|-------------------|
| | | | | | | |
## Key DNS Records ## Key DNS Records
| Record Type | Name | Value | Notes | | Record Type | Name | Value | Notes |
|-------------|------------------|------------------|------------------| |-------------|------------------|------------------|------------------|
| A | | | | | A | | | |
| CNAME | | | | | CNAME | | | |
| MX | | | | | MX | | | |
| TXT | | | | | TXT | | | |
## External DNS ## External DNS
- Registrar: - Registrar:
- Hosted At: - Hosted At:
- Primary Domain: - Primary Domain:
- Management URL: - Management URL:
## Notes ## Notes
<!-- Split-brain DNS, special zones, etc. --> <!-- Split-brain DNS, special zones, etc. -->


@@ -1,47 +1,47 @@
# Firewall Configuration # Firewall Configuration
## Device Info ## Device Info
- Vendor/Model: - Vendor/Model:
- Firmware Version: - Firmware Version:
- Management IP: - Management IP:
- Management URL: - Management URL:
- HA Pair: Yes/No - HA Pair: Yes/No
- License Expiry: - License Expiry:
## Interfaces ## Interfaces
| Interface | Zone | IP Address | VLAN | Description | | Interface | Zone | IP Address | VLAN | Description |
|-----------|-----------|-----------------|------|-------------------| |-----------|-----------|-----------------|------|-------------------|
| WAN1 | WAN | | | Primary Internet | | WAN1 | WAN | | | Primary Internet |
| WAN2 | WAN | | | Backup Internet | | WAN2 | WAN | | | Backup Internet |
| LAN | LAN | | | | | LAN | LAN | | | |
| DMZ | DMZ | | | | | DMZ | DMZ | | | |
## NAT Rules ## NAT Rules
| Name | Source | Destination | Port(s) | NAT To | | Name | Source | Destination | Port(s) | NAT To |
|-------------------|---------------|----------------|-------------|-----------------| |-------------------|---------------|----------------|-------------|-----------------|
| | | | | | | | | | | |
## Key Firewall Policies ## Key Firewall Policies
| Name | Source Zone | Dest Zone | Service | Action | Notes | | Name | Source Zone | Dest Zone | Service | Action | Notes |
|-------------------|--------------|---------------|-------------|--------|--------| |-------------------|--------------|---------------|-------------|--------|--------|
| | | | | | | | | | | | | |
## VPN ## VPN
### Site-to-Site VPNs ### Site-to-Site VPNs
| Peer Name | Peer IP | Local Subnet | Remote Subnet | Status | | Peer Name | Peer IP | Local Subnet | Remote Subnet | Status |
|-------------------|--------------|----------------|---------------|--------| |-------------------|--------------|----------------|---------------|--------|
| | | | | | | | | | | |
### SSL/Client VPN ### SSL/Client VPN
- Enabled: Yes/No - Enabled: Yes/No
- Portal URL: - Portal URL:
- Auth Method: - Auth Method:
- IP Pool: - IP Pool:
- Split Tunnel: Yes/No - Split Tunnel: Yes/No
## Content Filtering ## Content Filtering
- Web Filter Profile: - Web Filter Profile:
- App Control Profile: - App Control Profile:
- DNS Filter: - DNS Filter:
## Notes ## Notes


@@ -1,43 +1,43 @@
# Network Topology # Network Topology
## Internet Connection ## Internet Connection
- ISP: - ISP:
- Circuit Type: - Circuit Type:
- Speed (Down/Up): - Speed (Down/Up):
- Public IP: - Public IP:
- Gateway: - Gateway:
- Modem Model: - Modem Model:
## Core Switch ## Core Switch
- Model: - Model:
- IP Address: - IP Address:
- Management URL: - Management URL:
- Firmware Version: - Firmware Version:
- Location: - Location:
## Additional Switches ## Additional Switches
<!-- Copy this block for each switch --> <!-- Copy this block for each switch -->
### Switch - [Name/Location] ### Switch - [Name/Location]
- Model: - Model:
- IP Address: - IP Address:
- Port Count: - Port Count:
- PoE: Yes/No - PoE: Yes/No
- Uplink To: - Uplink To:
## Wireless ## Wireless
- Controller Model: - Controller Model:
- Controller IP: - Controller IP:
- Number of APs: - Number of APs:
- AP Model(s): - AP Model(s):
### Access Points ### Access Points
<!-- Copy for each AP --> <!-- Copy for each AP -->
- AP Name: - AP Name:
- Location: - Location:
- IP Address: - IP Address:
- Connected Switch/Port: - Connected Switch/Port:
## WAN / SD-WAN ## WAN / SD-WAN
- SD-WAN Vendor: - SD-WAN Vendor:
- Number of Sites: - Number of Sites:
- Hub Site: - Hub Site:


@@ -1,21 +1,21 @@
# VLANs # VLANs
## VLAN Table ## VLAN Table
| VLAN ID | Name | Subnet | Gateway | DHCP Scope | Purpose | | VLAN ID | Name | Subnet | Gateway | DHCP Scope | Purpose |
|---------|---------------|-----------------|-----------------|------------------|------------------------| |---------|---------------|-----------------|-----------------|------------------|------------------------|
| 1 | Default | | | | | | 1 | Default | | | | |
| 10 | Management | | | | Network devices | | 10 | Management | | | | Network devices |
| 20 | Servers | | | | Server infrastructure | | 20 | Servers | | | | Server infrastructure |
| 30 | Workstations | | | | End user devices | | 30 | Workstations | | | | End user devices |
| 40 | VoIP | | | | Phone system | | 40 | VoIP | | | | Phone system |
| 50 | WiFi-Corp | | | | Corporate wireless | | 50 | WiFi-Corp | | | | Corporate wireless |
| 60 | WiFi-Guest | | | | Guest wireless | | 60 | WiFi-Guest | | | | Guest wireless |
| 100 | Security | | | | Cameras / access ctrl | | 100 | Security | | | | Cameras / access ctrl |
## Inter-VLAN Routing ## Inter-VLAN Routing
- Performed by: - Performed by:
- Routing device IP: - Routing device IP:
## VLAN Notes ## VLAN Notes
<!-- Any special considerations, trunk ports, tagged/untagged config --> <!-- Any special considerations, trunk ports, tagged/untagged config -->


@@ -1,47 +1,47 @@
# Client Overview # Client Overview
## Company Name ## Company Name
AT Trebesch AT Trebesch
## Primary Contact ## Primary Contact
- Name: - Name:
- Phone: - Phone:
- Email: - Email:
## IT Contact ## IT Contact
- Name: Howard Enos (MSP) - Name: Howard Enos (MSP)
- Phone: - Phone:
- Email: howard@azcomputerguru.com - Email: howard@azcomputerguru.com
## Contract Details ## Contract Details
- Service Level: - Service Level:
- Hours Covered: - Hours Covered:
- Contract Renewal Date: - Contract Renewal Date:
## Environment Summary ## Environment Summary
- Total Users: 1+ (`Owner` confirmed; verify others on next visit) - Total Users: 1+ (`Owner` confirmed; verify others on next visit)
- Total Locations: 1 - Total Locations: 1
- Domain Name: WORKGROUP (no AD) - Domain Name: WORKGROUP (no AD)
- Primary Site Address: Tucson area (timezone US Mountain Standard Time, no DST) - Primary Site Address: Tucson area (timezone US Mountain Standard Time, no DST)
- RMM Agent Count: 1 confirmed (Syncro + ScreenConnect + Splashtop all installed) - RMM Agent Count: 1 confirmed (Syncro + ScreenConnect + Splashtop all installed)
- Workstation Count: 1 confirmed (DESKTOP-QNP3ON5) — full inventory pending - Workstation Count: 1 confirmed (DESKTOP-QNP3ON5) — full inventory pending
- Server Count: 0 confirmed - Server Count: 0 confirmed
## Stack Summary (from 2026-04-17 audit of DESKTOP-QNP3ON5) ## Stack Summary (from 2026-04-17 audit of DESKTOP-QNP3ON5)
| Category | Tooling | Notes | | Category | Tooling | Notes |
|---|---|---| |---|---|---|
| EDR / AV | Bitdefender Endpoint Security Tools 8.26.4.628 | Primary, all 4 services running | | EDR / AV | Bitdefender Endpoint Security Tools 8.26.4.628 | Primary, all 4 services running |
| Secondary AV | Malwarebytes 5.5.4.252 | **CONFLICT** — running real-time alongside Bitdefender. Recommend uninstall or set to scheduled-only. | | Secondary AV | Malwarebytes 5.5.4.252 | **CONFLICT** — running real-time alongside Bitdefender. Recommend uninstall or set to scheduled-only. |
| Backup | Carbonite 6.6.0 build 670 (Dec 2025) | Cloud backup, online | | Backup | Carbonite 6.6.0 build 670 (Dec 2025) | Cloud backup, online |
| Remote Access | ScreenConnect 26.1.24 + Splashtop 3.8.0.4 | Both running. Splashtop likely from Syncro bundle. | | Remote Access | ScreenConnect 26.1.24 + Splashtop 3.8.0.4 | Both running. Splashtop likely from Syncro bundle. |
| RMM | Syncro 1.0.200.18380 | Agent installed | | RMM | Syncro 1.0.200.18380 | Agent installed |
| Office | Microsoft 365 Apps for business / Office 2024 Pro Plus | C2R 16.0.19822.20182 | | Office | Microsoft 365 Apps for business / Office 2024 Pro Plus | C2R 16.0.19822.20182 |
| OS | Windows 11 **Home** 25H2 | **Should be Pro** for any business workstation (BitLocker, GPO, etc.) | | OS | Windows 11 **Home** 25H2 | **Should be Pro** for any business workstation (BitLocker, GPO, etc.) |
## Notes ## Notes
- All workstations currently on Windows 11 Home — flag for Pro upgrade as part of any new-machine refresh cycle. - All workstations currently on Windows 11 Home — flag for Pro upgrade as part of any new-machine refresh cycle.
- Workgroup environment, no AD. Local accounts only. - Workgroup environment, no AD. Local accounts only.
- "guru" local Administrator account exists on DESKTOP-QNP3ON5 (last logon 2025-10-18) — MSP backdoor, confirm current password is in vault. - "guru" local Administrator account exists on DESKTOP-QNP3ON5 (last logon 2025-10-18) — MSP backdoor, confirm current password is in vault.
- "localadmin" also exists alongside guru — pick one MSP-standard account, retire the other. - "localadmin" also exists alongside guru — pick one MSP-standard account, retire the other.
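Review bot: the Notes bullet "All workstations currently on Windows 11 Home" overstates the evidence in the same file, where the Environment Summary confirms one workstation (DESKTOP-QNP3ON5) with "full inventory pending"; reword to "the one audited workstation is on Windows 11 Home" until the inventory is done. Also, "MSP backdoor" is the wrong term for a client record that the client may read; call it the MSP break-glass admin account, and have the bullet reference the vault entry name rather than just "confirm current password is in vault".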


@@ -1,81 +1,81 @@
# DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch) # DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)
**Date:** 2026-04-17 **Date:** 2026-04-17
**Technician:** Howard Enos **Technician:** Howard Enos
**Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner) **Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner)
**Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0) **Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0)
**JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded) **JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded)
## Critical — fix this week ## Critical — fix this week
1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix: 1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix:
```powershell ```powershell
Set-LocalUser -Name Owner -PasswordRequired $true Set-LocalUser -Name Owner -PasswordRequired $true
$p = Read-Host -AsSecureString "New password for Owner" $p = Read-Host -AsSecureString "New password for Owner"
Set-LocalUser -Name Owner -Password $p Set-LocalUser -Name Owner -Password $p
``` ```
Hand the new password to the user directly. Store nothing in the script. Hand the new password to the user directly. Store nothing in the script.
2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only. 2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.
3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro. 3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.
4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro: 4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro:
- No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account) - No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
- No GPO, no Group Policy Editor - No GPO, no Group Policy Editor
- No remote management of inactivity timeout, USB lockdown, etc. - No remote management of inactivity timeout, USB lockdown, etc.
- Limits Bitdefender / Defender hardening - Limits Bitdefender / Defender hardening
Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume. Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume.
## High — fix this month ## High — fix this month
5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings. 5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.
6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary). 6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).
7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault. 7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault.
8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor. 8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.
9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify: 9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:
```powershell ```powershell
Get-Service Netlogon | Format-List Name, Status, StartType Get-Service Netlogon | Format-List Name, Status, StartType
nltest /sc_query:WORKGROUP nltest /sc_query:WORKGROUP
``` ```
If Netlogon is running or set to Auto, change to Manual + Stopped. If Netlogon is running or set to Auto, change to Manual + Stopped.
## Medium — schedule ## Medium — schedule
10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy. 10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy.
11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy. 11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy.
12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk. 12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk.
13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further. 13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation. 14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation.
15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5. 15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5.
16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority. 16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.
## Cleanup ## Cleanup
17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user. 17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look. 18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall. 19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used. 20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used.
21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy. 21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.
## Working well — call out the wins ## Working well — call out the wins
- Bitdefender EDR running, all 4 services up - Bitdefender EDR running, all 4 services up
- Carbonite cloud backup installed (Dec 2025 build) - Carbonite cloud backup installed (Dec 2025 build)
- Firewall enabled on all 3 profiles - Firewall enabled on all 3 profiles
- LSA Protection (RunAsPPL) enabled - LSA Protection (RunAsPPL) enabled
- WDigest cleartext disabled - WDigest cleartext disabled
- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files - 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
- 0 Defender detections in last 30 days - 0 Defender detections in last 30 days
- Updates current (KB5088467 + KB5083769 from 4/15) - Updates current (KB5088467 + KB5083769 from 4/15)
- Disk healthy with 598 GB / 953 GB free - Disk healthy with 598 GB / 953 GB free
## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine) ## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)
- Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception. - Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception.
- Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null). - Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).
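Review bot: the JSON artifact path `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` still uses the hyphenated slug this commit retires in favour of `clients/attrebesch/`; update it so the artifact is findable after the move. Separately, items 10, 11, 14 and 15 say "via local policy" while item 4 states this is Windows 11 Home with no Group Policy Editor, so the fixes as written cannot be applied; either note that the Pro upgrade is a prerequisite or give the registry-backed values that work on Home (`InactivityTimeoutSecs` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`). Item 14 can be dropped altogether: `CachedLogonsCount` only caches domain credentials, and this is a WORKGROUP machine with local accounts only.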


@@ -1,34 +1,34 @@
# RMM / Monitoring # RMM / Monitoring
## RMM Solution ## RMM Solution
- Product: - Product:
- Console URL: - Console URL:
- Agent Version: - Agent Version:
## Agent Deployment ## Agent Deployment
- Total Devices: - Total Devices:
- Servers Monitored: - Servers Monitored:
- Workstations Monitored: - Workstations Monitored:
- Network Devices Monitored: - Network Devices Monitored:
## Monitoring Policies ## Monitoring Policies
| Policy Name | Applies To | Alert Condition | Action | | Policy Name | Applies To | Alert Condition | Action |
|-------------------|----------------|-------------------------|---------------| |-------------------|----------------|-------------------------|---------------|
| Disk Space | All Servers | < 10% free | Alert + Ticket| | Disk Space | All Servers | < 10% free | Alert + Ticket|
| CPU | All Servers | > 90% for 15 min | Alert | | CPU | All Servers | > 90% for 15 min | Alert |
| Service Monitor | All Servers | | | | Service Monitor | All Servers | | |
| Backup Monitor | | | | | Backup Monitor | | | |
| Offline Alert | All Agents | Offline > 30 min | Alert | | Offline Alert | All Agents | Offline > 30 min | Alert |
## Patch Management ## Patch Management
- Patch Policy: - Patch Policy:
- Patch Window: - Patch Window:
- Auto-approve: Yes/No - Auto-approve: Yes/No
- Exclusions: - Exclusions:
## Scripting / Automation ## Scripting / Automation
| Script Name | Schedule | Purpose | | Script Name | Schedule | Purpose |
|---------------------|-------------|--------------------------| |---------------------|-------------|--------------------------|
| | | | | | | |
## Notes ## Notes


@@ -1,26 +1,26 @@
# Endpoint Security / Antivirus # Endpoint Security / Antivirus
## Solution ## Solution
- Product: - Product:
- Console URL: - Console URL:
- License Count: - License Count:
- License Expiry: - License Expiry:
- Managed By: - Managed By:
## Policy ## Policy
- Real-time Protection: Yes/No - Real-time Protection: Yes/No
- Scheduled Scans: (frequency) - Scheduled Scans: (frequency)
- Exclusions: - Exclusions:
## Deployment Status ## Deployment Status
- Total Endpoints: - Total Endpoints:
- Protected: - Protected:
- Missing Agent: - Missing Agent:
- Out of Date: - Out of Date:
## EDR / XDR ## EDR / XDR
- EDR Enabled: Yes/No - EDR Enabled: Yes/No
- Product: - Product:
- Console URL: - Console URL:
## Notes ## Notes


@@ -1,34 +1,34 @@
# Backup and Disaster Recovery # Backup and Disaster Recovery
## Backup Solution ## Backup Solution
- Product: - Product:
- Console URL: - Console URL:
- License/Subscription: - License/Subscription:
## Backup Targets ## Backup Targets
| Target Name | Type | Location | Capacity | Encrypted | | Target Name | Type | Location | Capacity | Encrypted |
|----------------|----------------|-----------------|--------------|-----------| |----------------|----------------|-----------------|--------------|-----------|
| | Local NAS | | | Yes/No | | | Local NAS | | | Yes/No |
| | Cloud | | | Yes/No | | | Cloud | | | Yes/No |
| | Offsite | | | Yes/No | | | Offsite | | | Yes/No |
## Backup Jobs ## Backup Jobs
| Job Name | Source | Target | Schedule | Retention | Status | | Job Name | Source | Target | Schedule | Retention | Status |
|-----------------|-------------------|------------|---------------|-------------|--------| |-----------------|-------------------|------------|---------------|-------------|--------|
| | | | | | | | | | | | | |
## M365 Backup ## M365 Backup
- M365 Backup Product: - M365 Backup Product:
- Exchange Backed Up: Yes/No - Exchange Backed Up: Yes/No
- SharePoint Backed Up: Yes/No - SharePoint Backed Up: Yes/No
- OneDrive Backed Up: Yes/No - OneDrive Backed Up: Yes/No
- Teams Backed Up: Yes/No - Teams Backed Up: Yes/No
## Disaster Recovery Plan ## Disaster Recovery Plan
- RTO Target: - RTO Target:
- RPO Target: - RPO Target:
- DR Site: - DR Site:
- Last DR Test Date: - Last DR Test Date:
- DR Test Result: - DR Test Result:
## Notes ## Notes


@@ -1,49 +1,49 @@
# Server: [SERVER NAME] # Server: [SERVER NAME]
## General Info ## General Info
- Hostname: - Hostname:
- IP Address: - IP Address:
- OS: - OS:
- OS Version: - OS Version:
- Physical / Virtual: - Physical / Virtual:
- Host (if virtual): - Host (if virtual):
- Location: - Location:
- Last Patched: - Last Patched:
## Hardware (if physical) ## Hardware (if physical)
- Make/Model: - Make/Model:
- CPU: - CPU:
- RAM: - RAM:
- Storage: - Storage:
- Warranty Expiry: - Warranty Expiry:
## Roles and Services ## Roles and Services
<!-- List all roles this server performs --> <!-- List all roles this server performs -->
- [ ] Domain Controller - [ ] Domain Controller
- [ ] DNS Server - [ ] DNS Server
- [ ] DHCP Server - [ ] DHCP Server
- [ ] File Server - [ ] File Server
- [ ] Print Server - [ ] Print Server
- [ ] Application Server - [ ] Application Server
- [ ] Database Server - [ ] Database Server
- [ ] Backup Target - [ ] Backup Target
- [ ] RDS / Terminal Server - [ ] RDS / Terminal Server
- [ ] Hyper-V Host - [ ] Hyper-V Host
## Shares (if file server) ## Shares (if file server)
| Share Name | Path | Permissions Group | Notes | | Share Name | Path | Permissions Group | Notes |
|---------------|-------------------|---------------------|----------------| |---------------|-------------------|---------------------|----------------|
| | | | | | | | | |
## Applications Installed ## Applications Installed
| Application | Version | Purpose | License | | Application | Version | Purpose | License |
|-------------------|------------|----------------------|---------------| |-------------------|------------|----------------------|---------------|
| | | | | | | | | |
## Backup ## Backup
- Backup Method: - Backup Method:
- Backup Schedule: - Backup Schedule:
- Backup Target: - Backup Target:
- Last Verified Restore: - Last Verified Restore:
## Notes ## Notes
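Review bot: the template has no place to record who holds administrative access on the server or how the host is reachable; the General Info block captures hostname, IP and patch date but not local Administrators membership, service accounts used by the roles ticked under Roles and Services, or remote-access exposure (RDP, management interfaces). Suggest adding a short "Access" section (admin group members, service accounts, remote access method) so the same facts the workstation inventory in this commit already records for PCs are also captured for servers. The Shares table could likewise carry a column noting whether the share is reachable by Everyone/Authenticated Users rather than only the named permissions group.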

View File

@@ -1,81 +1,81 @@
# Workstations — AT Trebesch # Workstations — AT Trebesch
Inventory built from on-machine audit runs. Last updated 2026-04-17. Inventory built from on-machine audit runs. Last updated 2026-04-17.
## Summary ## Summary
| PC Name | User/Role | OS | Edition | Domain | BitLocker | Last Audit | | PC Name | User/Role | OS | Edition | Domain | BitLocker | Last Audit |
|---|---|---|---|---|---|---| |---|---|---|---|---|---|---|
| DESKTOP-QNP3ON5 | Owner | Win 11 25H2 | **Home** | WORKGROUP | None (decrypted) | 2026-04-17 | | DESKTOP-QNP3ON5 | Owner | Win 11 25H2 | **Home** | WORKGROUP | None (decrypted) | 2026-04-17 |
## DESKTOP-QNP3ON5 ## DESKTOP-QNP3ON5
**Hardware** **Hardware**
- Lenovo (model 91D00000US) - Lenovo (model 91D00000US)
- Serial: MZ025MVK - Serial: MZ025MVK
- BIOS: M68KT23A - BIOS: M68KT23A
- CPU: AMD Ryzen 7 250 w/ Radeon 780M Graphics (8 cores / 16 threads) - CPU: AMD Ryzen 7 250 w/ Radeon 780M Graphics (8 cores / 16 threads)
- RAM: 15.3 GB - RAM: 15.3 GB
- Storage: 953 GB KIOXIA KBG6AZNV1T02 LA SSD (NVMe), 598 GB free, healthy - Storage: 953 GB KIOXIA KBG6AZNV1T02 LA SSD (NVMe), 598 GB free, healthy
- Chassis: Desktop, no battery - Chassis: Desktop, no battery
**OS / Activation** **OS / Activation**
- Windows 11 Home 25H2 (build 26200), 64-bit - Windows 11 Home 25H2 (build 26200), 64-bit
- Installed 2025-10-12 - Installed 2025-10-12
- License: Licensed (StatusCode 1), partial key 6F4JW - License: Licensed (StatusCode 1), partial key 6F4JW
**Network** **Network**
- Ethernet: Realtek PCIe GbE — UP, 1 Gbps, 10.0.0.15 - Ethernet: Realtek PCIe GbE — UP, 1 Gbps, 10.0.0.15
- Wi-Fi: Realtek RTL8852BE WiFi 6 — disconnected - Wi-Fi: Realtek RTL8852BE WiFi 6 — disconnected
- Bluetooth NIC enabled (unused — recommend disable) - Bluetooth NIC enabled (unused — recommend disable)
- Saved Wi-Fi profiles: ComputerGuru, Scurda2 - Saved Wi-Fi profiles: ComputerGuru, Scurda2
**Local accounts (enabled)** **Local accounts (enabled)**
| Name | Last Logon | PasswordRequired | Notes | | Name | Last Logon | PasswordRequired | Notes |
|---|---|---|---| |---|---|---|---|
| Owner | 2026-04-15 | **False** | **PASSWORD NOT REQUIRED — fix immediately** | | Owner | 2026-04-15 | **False** | **PASSWORD NOT REQUIRED — fix immediately** |
| guru | 2025-10-18 | True | MSP backdoor, in Administrators | | guru | 2025-10-18 | True | MSP backdoor, in Administrators |
| localadmin | (never logged) | True | Second MSP backdoor, in Administrators | | localadmin | (never logged) | True | Second MSP backdoor, in Administrators |
**Local Administrators:** Administrator (disabled), guru, localadmin, Owner **Local Administrators:** Administrator (disabled), guru, localadmin, Owner
**Security posture (highlights)** **Security posture (highlights)**
- BitLocker: Off, drive fully decrypted (Win Home limits BitLocker to "Device Encryption" only) - BitLocker: Off, drive fully decrypted (Win Home limits BitLocker to "Device Encryption" only)
- Secure Boot: **DISABLED** (UEFI capable, TPM 2.0 ready — turn on) - Secure Boot: **DISABLED** (UEFI capable, TPM 2.0 ready — turn on)
- TPM: present + ready - TPM: present + ready
- WinRE: enabled - WinRE: enabled
- Firewall: enabled on all 3 profiles - Firewall: enabled on all 3 profiles
- LSA Protection (RunAsPPL): enabled (good) - LSA Protection (RunAsPPL): enabled (good)
- WDigest cleartext: disabled (good) - WDigest cleartext: disabled (good)
- Cached logons: 10 (recommend lower to 4) - Cached logons: 10 (recommend lower to 4)
- NTLM LmCompatibilityLevel: blank (defaults to 3, recommend explicit 5) - NTLM LmCompatibilityLevel: blank (defaults to 3, recommend explicit 5)
- UAC: enabled (default settings) - UAC: enabled (default settings)
- RDP: disabled - RDP: disabled
- USB storage: unrestricted - USB storage: unrestricted
- AutoPlay: not disabled - AutoPlay: not disabled
**Antivirus posture** **Antivirus posture**
- Bitdefender Endpoint Security Tools 8.26.4.628 — primary EDR, 4 services running - Bitdefender Endpoint Security Tools 8.26.4.628 — primary EDR, 4 services running
- Malwarebytes 5.5.4.252 — **CONFLICT, also real-time. Pick one.** - Malwarebytes 5.5.4.252 — **CONFLICT, also real-time. Pick one.**
- Defender: Passive Mode (correct, deferring to Bitdefender), but Tamper Protection disabled - Defender: Passive Mode (correct, deferring to Bitdefender), but Tamper Protection disabled
- Defender ASR rules: 1 configured, 0 in Block mode - Defender ASR rules: 1 configured, 0 in Block mode
**Apps of note** **Apps of note**
- Office 365 Apps Pro Plus (Office 2024) - Office 365 Apps Pro Plus (Office 2024)
- Carbonite 6.6.0 (Dec 2025 build) - Carbonite 6.6.0 (Dec 2025 build)
- Classic Shell 4.3.1 — abandoned project, replace with Open-Shell-Menu or remove - Classic Shell 4.3.1 — abandoned project, replace with Open-Shell-Menu or remove
- ExplorerPatcher 26100.4946.69.6 — Win10-style shell mod - ExplorerPatcher 26100.4946.69.6 — Win10-style shell mod
- Lenovo System Update 5.08.03.59 - Lenovo System Update 5.08.03.59
- AMD Software 26.3.1 - AMD Software 26.3.1
- Canon MX490 series MP Drivers 1.02 (printer) - Canon MX490 series MP Drivers 1.02 (printer)
- Windows 11 Installation Assistant — leftover, can uninstall - Windows 11 Installation Assistant — leftover, can uninstall
**Performance** **Performance**
- Memory at 85.1% used (2.3 GB free of 15.3 GB) — investigate top procs in audit JSON - Memory at 85.1% used (2.3 GB free of 15.3 GB) — investigate top procs in audit JSON
- Uptime: 2.6 days (boot 2026-04-14) - Uptime: 2.6 days (boot 2026-04-14)
- 263 processes running - 263 processes running
**Updates** **Updates**
- KB5083769, KB5082417, KB5088467 (4/14-4/15 cycle) installed - KB5083769, KB5082417, KB5088467 (4/14-4/15 cycle) installed
- 1 pending update - 1 pending update
- 0 WU failures in last 30d - 0 WU failures in last 30d
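Review bot: the findings marked "fix immediately" (Owner with PasswordRequired False, Secure Boot DISABLED) and the other inline recommendations (cached logons, LmCompatibilityLevel, AutoPlay, USB storage, Malwarebytes/Bitdefender conflict, Defender Tamper Protection) have no remediation status, owner or date anywhere in the page; add an "Open actions" list at the end of the DESKTOP-QNP3ON5 section so the next audit run can close items rather than re-flagging them. Also, "MSP backdoor" in the local accounts table misdescribes a documented MSP administrative account; label them as MSP admin accounts and record how their credentials are managed (shared vs. per-device password, rotation date), which matters more than the label given both are in local Administrators on a WORKGROUP machine.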

View File

@@ -8,6 +8,7 @@ sources:
- clients/attrebesch/session-logs/2026-06-01-session.md - clients/attrebesch/session-logs/2026-06-01-session.md
backlinks: backlinks:
- projects/gururmm - projects/gururmm
aliases: [at-trebesch]
--- ---
# AT Trebesch # AT Trebesch
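Review bot: the alias `at-trebesch` is hyphenated while the sibling hunks in this commit use collapsed slugs (`birthbiologic` for `clients/birth-biologic`, `lonestar`, `scileppi`); pick one alias convention across client pages so lookups by alias do not depend on remembering which pages hyphenate.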

View File

@@ -9,6 +9,7 @@ sources:
- clients/birth-biologic/session-logs/2026-06-02-session.md - clients/birth-biologic/session-logs/2026-06-02-session.md
backlinks: backlinks:
- projects/gururmm - projects/gururmm
aliases: [birthbiologic]
--- ---
# BirthBiologic # BirthBiologic

View File

@@ -20,6 +20,7 @@ sources:
- temp/lonestar-kyla-reset.py - temp/lonestar-kyla-reset.py
- temp/lonestar-kyla-2fa-fix.py - temp/lonestar-kyla-2fa-fix.py
backlinks: [] backlinks: []
aliases: [lonestar]
--- ---
# Lone Star Electrical Systems LLC # Lone Star Electrical Systems LLC
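Review bot: the `sources` list points at `temp/lonestar-kyla-reset.py` and `temp/lonestar-kyla-2fa-fix.py`; a compiled client page should not cite paths under `temp/`, since those will break when the directory is cleaned, and scripts that reset a user's password or 2FA belong with the client's session logs (as the other pages in this commit do) where they are retained. Move the two scripts under `clients/lonestar/...` and update the `sources` entries, and consider populating `backlinks` rather than leaving it `[]` when `projects/gururmm` links the other client pages.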

View File

@@ -6,6 +6,7 @@ last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main compiled_by: DESKTOP-0O8A1RL/claude-main
sources: sources:
- clients/scileppi-law/session-logs/2026-05-07-howard-sylvia-mac-mini-mail-memory.md - clients/scileppi-law/session-logs/2026-05-07-howard-sylvia-mac-mini-mail-memory.md
aliases: [scileppi]
--- ---
# The Law Offices of Chris Scileppi # The Law Offices of Chris Scileppi