# Step 8: Hardening & Cleanup (~3-4 hours, remote)

---

## 8.1 — Deploy endpoint security

Via SyncroRMM, deploy to all endpoints:

- **SentinelOne** — EDR agent
- **Huntress** — threat detection

Then uninstall Datto EDR from all machines.

Verify on each machine:

```powershell
Get-Service SentinelAgent, HuntressAgent -ErrorAction SilentlyContinue | Select-Object Name, Status
```

---

## 8.2 — Delete Synology Sync VM

On CS-SERVER:

1. Open Hyper-V Manager
2. Shut down the Synology Sync VM (if running)
3. Delete the VM and its virtual hard disks
4. Reclaim disk space

```powershell
# Check for VMs
Get-VM | Select-Object Name, State, Path

# Stop and remove (adjust name as needed)
# Stop-VM -Name "SynologySync" -Force
# Remove-VM -Name "SynologySync" -Force
# Then manually delete the VHD files from the VM path
```

---

## 8.3 — Address shared accounts

Replace these shared/generic AD accounts with individual user accounts:

- **Culinary** → JD.Martin, Ramon.Castaneda, Alyssa.Brooks already in SG-Culinary-RW
- **Receptionist** → Cathy.Kingston, Shontiel.Nunn, Ray.Rai, Sebastian.Leon, Michelle.Shestko already in SG-Receptionist-RW
- **saleshare** → Megan.Hiatt, Crystal.Rodriguez, Tamra.Matthews already in SG-Sales-RW
- **directoryshare** → Cathy.Kingston, Shontiel.Nunn, Christina.DuPras already in SG-Directory-RW

Steps:

1. Verify individual users can access their shares via security group membership
2. Have users log in with their own accounts, confirm access works
3. Disable shared accounts (don't delete immediately)
4. Delete shared accounts after 30 days

### Clean up old shares/folders

- **D:\Roaming** — old roaming profiles attempt, never completed. Remove SMB share and delete folder.
- **D:\Shares\SaleShare** — old/duplicate sales folder. Verify no unique data, then remove SMB share.
```powershell
# Remove old Roaming share
Remove-SmbShare -Name "Roaming" -Force

# Remove old SaleShare (verify empty/duplicate first)
# Remove-SmbShare -Name "SaleShare" -Force
```

---

## 8.4 — RDS decision

Check if anyone uses Remote Desktop Services:

```powershell
# Check active RDS sessions
quser /server:CS-SERVER

# Check RDS configuration
Get-RDServer -ErrorAction SilentlyContinue
Get-RDSessionCollection -ErrorAction SilentlyContinue
```

**If RDS is used:** Purchase proper CALs (grace period expired ~17 months ago).

**If RDS is not used:** Remove the RDS role:

```powershell
Remove-WindowsFeature -Name RDS-RD-Server -Restart
```

---

## 8.5 — Update documentation

Update Cascades knowledge base at `C:\Users\howar\Clients\Cascades\`:

- [ ] `network/firewall.md` — new rules, Guest VLAN, aliases
- [ ] `network/vlans.md` — add VLAN 50 (Guest)
- [ ] `network/dns.md` — cleaned records, scavenging, reverse zones
- [ ] `network/wifi.md` — Guest SSID on VLAN 50
- [ ] `network/dhcp.md` — reservations
- [ ] `servers/active-directory.md` — new OUs, security groups, GPOs, all PCs joined
- [ ] `servers/cs-server.md` — print server role, GPOs
- [ ] `security/backup.md` — Synology ABB + offsite
- [ ] `security/antivirus.md` — SentinelOne + Huntress deployed
- [ ] `printers.md` — centralized print server, share names
- [ ] `issues/log.md` — close resolved issues

---

## 8.6 — Re-ingest knowledge base

```cmd
cd C:\Users\howar\Clients\MSP-AI
msp-ingest.bat Cascades --clear
```

---

## 8.7 — Close resolved issues

Update `issues/log.md` to mark these as resolved:

- Floating rule #4
- Guest WiFi on server LAN
- No GPOs
- 4 PCs not domain-joined
- No backup
- Shared accounts
- Stale DNS records
- Room 218 DHCP
- Timezone mismatch
- RDS licensing
- Room 130 dead rule
- VLAN 10 mismatch
- Stale disabled AD accounts
- Synology Sync VM
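
---

For step 8.3, a pre-check and disable script covering steps 1, 3 and 4 of that procedure. This is an added example, not part of the original runbook; it assumes the shared accounts' sAMAccountNames match the names listed in 8.3 and that the ActiveDirectory module is available on the machine it runs from.

```powershell
#Requires -Modules ActiveDirectory
# Added example for step 8.3 (not from the original runbook).
# Assumption: shared accounts' sAMAccountNames equal the names listed in 8.3.
param([switch]$Disable)   # without -Disable the script only reports

$shared = [ordered]@{
    'Culinary'       = @{ Group = 'SG-Culinary-RW';     Users = 'JD.Martin','Ramon.Castaneda','Alyssa.Brooks' }
    'Receptionist'   = @{ Group = 'SG-Receptionist-RW'; Users = 'Cathy.Kingston','Shontiel.Nunn','Ray.Rai','Sebastian.Leon','Michelle.Shestko' }
    'saleshare'      = @{ Group = 'SG-Sales-RW';        Users = 'Megan.Hiatt','Crystal.Rodriguez','Tamra.Matthews' }
    'directoryshare' = @{ Group = 'SG-Directory-RW';    Users = 'Cathy.Kingston','Shontiel.Nunn','Christina.DuPras' }
}

foreach ($name in $shared.Keys) {
    $entry = $shared[$name]

    # Step 1: every named user must already be in the replacement security group
    $members = @(Get-ADGroupMember -Identity $entry.Group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    $missing = @($entry.Users | Where-Object { $_ -notin $members })

    # Report the shared account's current state alongside the membership check
    $acct = Get-ADUser -Identity $name -Properties LastLogonDate, Description
    [pscustomobject]@{
        SharedAccount = $name
        Enabled       = $acct.Enabled
        LastLogonDate = $acct.LastLogonDate
        Group         = $entry.Group
        MissingUsers  = $missing -join ', '
    }

    if (-not $Disable) { continue }
    if ($missing.Count -gt 0) {
        Write-Warning "$name left enabled: users missing from $($entry.Group)"
        continue
    }

    # Step 3: disable, do not delete; record the earliest deletion date (step 4)
    $deleteAfter = (Get-Date).AddDays(30).ToString('yyyy-MM-dd')
    Disable-ADAccount -Identity $acct
    Set-ADUser -Identity $acct -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'); delete after $deleteAfter"
}
```

`LastLogonDate` is derived from `lastLogonTimestamp`, which can lag real logons by up to about two weeks, so treat it as a hint that a shared account is still in use rather than proof that it is not.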