Files
claudetools/clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md
Howard Enos 0a7f3368a6 sync: auto-sync from ACG-TECH03L at 2026-04-17 19:47:15
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-17 19:47:15
2026-04-17 19:47:20 -07:00

82 lines
5.5 KiB
Markdown

# DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)
**Date:** 2026-04-17
**Technician:** Howard Enos
**Machine:** DESKTOP-QNP3ON5 (Lenovo desktop, Owner)
**Audit script:** workstation_audit.ps1 v2.0.2 (schema 2.0)
**JSON artifact:** `clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json` (when uploaded)
## Critical — fix this week
1. **`Owner` local account requires no password** — anyone with physical access gets a full admin shell. Fix:
```powershell
Set-LocalUser -Name Owner -PasswordRequired $true
$p = Read-Host -AsSecureString "New password for Owner"
Set-LocalUser -Name Owner -Password $p
```
Hand the new password to the user directly. Store nothing in the script.
2. **Two real-time AV engines installed and active** — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) **and** Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.
3. **Secure Boot DISABLED** — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.
4. **Windows 11 Home (not Pro)** — for a business workstation, Pro is the right SKU. Without Pro:
- No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
- No GPO, no Group Policy Editor
- No remote management of inactivity timeout, USB lockdown, etc.
- Limits Bitdefender / Defender hardening
Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (`changepk.exe`). Cost: ~$99/license retail, less via volume.
## High — fix this month
5. **Defender Tamper Protection OFF** — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.
6. **Defender ASR rules: only 1 rule configured, all disabled** — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).
7. **`localadmin` + `guru` — two MSP backdoor accounts** on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault.
8. **Memory at 85% used** (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.
9. **NETLOGON 3095 errors on a WORKGROUP machine** — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:
```powershell
Get-Service Netlogon | Format-List Name, Status, StartType
nltest /sc_query:WORKGROUP
```
If Netlogon is running or set to Auto, change to Manual + Stopped.
## Medium — schedule
10. **No screen lock / inactivity timeout configured** — set `MachineInactivityLimit = 900` (15 min) via local policy.
11. **USB storage unrestricted** — depending on what AT Trebesch handles, lock down via local policy.
12. **AutoPlay not disabled** — disable to reduce USB-borne malware risk.
13. **HOSTS file has 17 active entries** — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
14. **Cached logons count = 10** — lower to 4 for security on a single-user workstation.
15. **NTLM LmCompatibilityLevel blank** — set explicitly to 5.
16. **TLS protocols all "OS Default"** — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.
## Cleanup
17. **Classic Shell 4.3.1** — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
18. **ExplorerPatcher** — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
19. **Windows 11 Installation Assistant** — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
20. **Bluetooth Network Connection adapter** — usually unused. Disable adapter if not actively used.
21. **`Time source / Last sync` blank** — verify with `w32tm /query /status` from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.
## Working well — call out the wins
- Bitdefender EDR running, all 4 services up
- Carbonite cloud backup installed (Dec 2025 build)
- Firewall enabled on all 3 profiles
- LSA Protection (RunAsPPL) enabled
- WDigest cleartext disabled
- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
- 0 Defender detections in last 30 days
- Updates current (KB5088467 + KB5083769 from 4/15)
- Disk healthy with 598 GB / 953 GB free
## Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)
- Section 38 flagged `SyncroOvermind` (legitimate Syncro RMM agent at `C:\ProgramData\Syncro\bin\`). Need to add Syncro to the path allowlist alongside the Defender Platform exception.
- Section 35 displayed `Full scan age: d` (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).