82 lines
5.5 KiB
Markdown
82 lines
5.5 KiB
Markdown
# DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)
|
|
|
|
**Date:** 2026-04-17
|
|
**Technician:** Howard Enos
|
|
**Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner)
|
|
**Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0)
|
|
**JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded)
|
|
|
|
## Critical — fix this week
|
|
|
|
1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix:
|
|
```powershell
|
|
Set-LocalUser -Name Owner -PasswordRequired $true
|
|
$p = Read-Host -AsSecureString "New password for Owner"
|
|
Set-LocalUser -Name Owner -Password $p
|
|
```
|
|
Hand the new password to the user directly. Store nothing in the script.
|
|
|
|
2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.
|
|
|
|
3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.
|
|
|
|
4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro:
|
|
- No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
|
|
- No GPO, no Group Policy Editor
|
|
- No remote management of inactivity timeout, USB lockdown, etc.
|
|
- Limits Bitdefender / Defender hardening
|
|
|
|
Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume.
|
|
|
|
## High — fix this month
|
|
|
|
5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.
|
|
|
|
6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).
|
|
|
|
7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault.
|
|
|
|
8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.
|
|
|
|
9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:
|
|
```powershell
|
|
Get-Service Netlogon | Format-List Name, Status, StartType
|
|
nltest /sc_query:WORKGROUP
|
|
```
|
|
If Netlogon is running or set to Auto, change to Manual + Stopped.
|
|
|
|
## Medium — schedule
|
|
|
|
10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy.
|
|
11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy.
|
|
12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk.
|
|
13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
|
|
14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation.
|
|
15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5.
|
|
16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.
|
|
|
|
## Cleanup
|
|
|
|
17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
|
|
18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
|
|
19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
|
|
20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used.
|
|
21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.
|
|
|
|
## Working well — call out the wins
|
|
|
|
- Bitdefender EDR running, all 4 services up
|
|
- Carbonite cloud backup installed (Dec 2025 build)
|
|
- Firewall enabled on all 3 profiles
|
|
- LSA Protection (RunAsPPL) enabled
|
|
- WDigest cleartext disabled
|
|
- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
|
|
- 0 Defender detections in last 30 days
|
|
- Updates current (KB5088467 + KB5083769 from 4/15)
|
|
- Disk healthy with 598 GB / 953 GB free
|
|
|
|
## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)
|
|
|
|
- Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception.
|
|
- Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).
|