# Valleywide (VWP) — Project State

> READ THIS before starting work on this client.
> UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes).
> Last updated: 2026-04-20

---

## Active Session Locks

| Session | Working On | Status | Started |
|---------|-----------|--------|---------|
| _(none active)_ | | | |

**How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.

---

## Current State

**Status:** ACTIVE — POST-INCIDENT MONITORING

**Last Activity:** 2026-04-16

Financial services client, domain `vwp.local`. RDWeb was exposed to the internet via UDM port forward; distributed brute-force attack discovered 2026-04-13. Port forward removed same day. 30-day audit confirmed no successful external logons — no compromise. RDS deployment reconfigured 2026-04-16 to bypass gateway (direct VPN connect). RDS licensing pointer also fixed. Outstanding: RDS CAL purchase, UPnP audit, scanner account password rotation.

---

## Infrastructure / Access

| Server | IP | Notes |
|--------|-----|-------|
| VWP_ADSRVR | 192.168.0.25 | Windows Server 2019 DC, domain `vwp.local`. SSH: `ssh vwp\guru@192.168.0.25` (ed25519 key) |
| VWP-QBS | 172.16.9.169 | Windows Server 2022, QuickBooks + RDS host. Reach via VPN + double-hop: `Invoke-Command -ComputerName VWP-QBS` |
| UDM | (gateway) | Static DNS: `vwp-qbs.vwp.us` → `172.16.9.169` |

**Networks:** 172.16.9.0/24 (internal), 192.168.0.0/24 (conflicts with IMC — careful when switching VPN contexts).

**VPN:** OpenVPN, pushes DNS=192.168.4.1 (UDM), routes for 172.16.9.0/24, 192.168.0.0/24, 192.168.3.0/24.

**Credentials:** SOPS vault at `clients/vwp/` (adsrvr, dc1, udm, xenserver, quickbooks-server-idrac).

---

## Pending / Next Up

- [ ] Purchase Windows Server 2022 RDS Per User CALs for VWP-QBS (sized to active user count — check distinct interactive logons last 30d via `licmgr.msc`)
- [ ] Confirm UPnP state on UDM (prevent server from re-punching its own port-forward hole)
- [ ] Rotate `scanner` AD account password (last set 2024-10-17; carried since 2026-04-13)
- [ ] Formally document VPN-only RDWeb access decision

---

## Recent Changes

| Date | By | Change | Status |
|------|-----|--------|--------|
| 2026-04-16 | Mike | RDS deployment set to bypass gateway (direct VPN connect); UDM DNS typo fixed; RDS licensing mode set Per User, pointed at VWP-QBS license server | DEPLOYED |
| 2026-04-13 | Mike | RDWeb brute-force incident: UDM port forward removed, lockout policy restored, IIS reset, 30-day audit confirmed no compromise | RESOLVED |

---

## How to Update

**When starting:** Add your session to Active Session Locks.

**When finishing:** Remove your lock row, add entries to Recent Changes, update Current State if needed.