Case Study — IT · Security · Compliance

Hospitality Endpoint Hardening
MSP Accountability · PCI DSS v4.0

April 2026
Barr Cyber LLC — Kalispell, MT
Warren Barr
Independent Hospitality Property
PCI DSS v4.0 Endpoint Hardening MSP Accountability Workstation Migration Tailscale VPN LSASS PPL LLMNR Disabled Hospitality Sector
25 attack vectors closed: credential theft · ransomware · network poisoning · RCE · LOTL
6 PCI DSS v4.0 requirements: command-level evidence, QSA-presentable documentation
95 hrs MSP detection gap: managed endpoint offline, zero contact · zero alert
$10.2M US avg. breach cost (IBM 2025, hospitality rising); 60% of breached SMBs close

The Situation

A hospitality client came to Barr Cyber because the computer used by their General Manager to run day-to-day operations — including access to their booking and payment system — had stopped working reliably. The machine was overheating, shutting down unexpectedly, and had developed file system errors that made normal use impossible.

The client had an existing IT service provider (MSP) on contract. That provider was supposed to be actively monitoring their systems and keeping them healthy. The General Manager reached out to Barr Cyber when the situation had deteriorated to the point where the machine was no longer usable.

What Barr Cyber Found

Finding 1 — Root Cause of Machine Failure

The workstation had been placed on carpeted flooring with restricted airflow. Over an extended period, this caused the machine to overheat repeatedly, shut down uncleanly, and corrupt the operating system and storage drive. The drive showed severe performance degradation consistent with thermal damage.

This is an environmental management failure — one that proper IT oversight should have caught and corrected before it caused data loss risk.

Finding 2 — The Monitoring Test
95 hrs: zero contact from incumbent MSP

At the start of this engagement, the General Manager’s workstation (D10U003) was powered off and physically disconnected at 11:30 AM on April 23, 2026. Under any functioning monitoring arrangement, a managed endpoint going offline unexpectedly should trigger an alert to the IT provider within hours. Barr Cyber logged the time in the service record at that moment and documented this as a formal observation.

95 hours elapsed across April 23–27, 2026 — with zero contact from the incumbent MSP. No call. No email. No alert. Nothing.

When the MSP was subsequently informed directly of the machine change, they did not indicate they had detected anything through their monitoring. This confirms the monitoring was not actively functioning — the client was paying for a service that was not being delivered.

Finding 3 — Stale Staff Accounts

Multiple accounts belonging to former employees — including a former General Manager — were found active in the client’s Microsoft 365 tenant. One of these accounts held the software license being used by the current General Manager.

Former staff account access is a common security gap in small business environments. Accounts were reviewed, verified, and brought current as part of this engagement.

Accounts identified, documented, and removed. Exchange Online license reassigned to current GM.

What Was Applied & Why It Matters

Each configuration below closes a specific, documented attack path with a known business cost. These are not abstract security measures — every line maps to a CVE, a MITRE ATT&CK technique, and a published breach cost figure.

Stale Account Removal + MFA
Credential-based attacks are the #1 breach vector globally (16% of all breaches). Active account hygiene is one of the most effective controls available.
Avg. 292 days to detect. Avg. breach cost $4.81M. Businesses that process cardholder data without satisfying PCI DSS account lifecycle requirements may face monthly fines of $5K–$100K and potential loss of card processing ability.
Default-Deny Firewall + RDP Locked to VPN
Unauthorized remote access. RDP exposed to internet is one of the most scanned ports globally — automated exploits run continuously.
Leading ransomware delivery vector. Average ransomware incident cost: $1.85M+ (Sophos 2024).
LLMNR / NetBIOS / WPAD Disabled
Network poisoning (Responder). Guest WiFi networks are an active threat surface — any device on the same network can passively harvest credentials.
Silent credential theft requiring zero user interaction. Harvested hashes enable full domain compromise. No cost to attacker.
SMBv1 Disabled
EternalBlue (CVE-2017-0144). Still actively exploited on unpatched and misconfigured systems. CVSS 8.8 HIGH.
WannaCry caused an estimated $4–8B in global damages. A single SMBv1 machine can pivot to full network compromise.
LSASS PPL + Restricted Admin Mode
Credential dumping (Mimikatz and variants). Pass-the-hash lateral movement via RDP — standard post-exploitation technique.
Turns a single workstation compromise into a full network breach. Blocked commodity toolkits entirely. Advanced BYOVD bypasses require elevated cost and detection surface.
6 PCI DSS v4.0 Requirements Documented
PCI DSS v4.0 compliance documentation. Six requirements satisfied with command-level evidence — suitable for presentation to a QSA, acquiring bank, or legal counsel.
Businesses that process cardholder data without satisfying PCI DSS requirements may face fines of $5K–$100K/month, per-record penalties of $50–$90, and potential loss of the ability to process card payments entirely.

What Was Done

Barr Cyber deployed a replacement workstation and built it from scratch — clean operating system install, no inherited software or configuration from the prior environment. Every security configuration was applied deliberately and documented with command-level evidence.

Key Protections Applied

Remote Access
Tailscale VPN — Encrypted Tunnel
Remote access secured through WireGuard-based overlay network. GM can work from home safely without exposing client systems to the internet. RDP scoped exclusively to Tailscale subnet.
PCI DSS 1.4.1 · 8.3.1
Authentication
MFA Enforced for All Remote Access
Multi-factor authentication enforced via Microsoft account on all remote sessions. Single-factor remote access path to the CDE eliminated entirely.
PCI DSS 8.3.1
Network Poisoning
LLMNR · NetBIOS · WPAD All Disabled
Legacy broadcast protocols that allow attackers on the same network — including guests — to passively harvest credential hashes without any user interaction. All three disabled at registry and service level.
MITRE T1557.001
Credential Protection
LSASS PPL + Restricted Admin Mode RDP
LSASS Protected Process Light blocks commodity credential dumping tools. Restricted Admin mode eliminates pass-the-hash attacks via RDP. Two independent controls on the same attack chain.
MITRE T1003.001 · T1550.002
Legacy Protocols
SMBv1 Disabled · AutoRun Off
SMBv1 eliminated — closes EternalBlue (CVE-2017-0144, CVSS 8.8). AutoRun disabled for all drive types — USB-borne malware cannot execute on insertion.
CVE-2017-0144 · MITRE T1091
Scripting Attacks
PowerShell Constrained Language Mode
CLM restricts PS to a safe subset, eliminating the majority of automated and opportunistic LOTL scripting attacks. Forces attackers toward noisier, more detectable techniques.
MITRE T1059.001
DNS + Logging
Quad9 DNS · Full Audit Logging
Malicious domain blocking at the resolver level — known C2 infrastructure blocked before connection. Audit logging across logon, account management, and policy change categories. Any attempt to disable logging generates a log entry.
PCI DSS 10.2 · 10.3
Exploit Mitigations
DEP · SEHOP · ASLR System-Wide
Exploit protection enforced at OS level. DEP prevents code execution from non-executable memory. SEHOP blocks exception handler overwrites. ASLR randomizes memory layout to defeat address-based exploits.
PCI DSS 5.2 · 6.3
Barr Cyber LLC — Company Policy & Professional Ethics Statement

Security hardening measures documented in this report were applied as standard professional practice and company policy. Barr Cyber LLC does not deploy, hand off, or leave client systems in a vulnerable or unaudited state regardless of engagement scope or billing arrangement. This is not an upsell — it is a baseline standard of care that Barr Cyber holds itself to on every engagement.

Barr Cyber’s position is that a cybersecurity professional who installs a system without applying reasonable defensive measures has not completed the job. This policy applies to all Barr Cyber engagements regardless of client size, scope, or existing MSP relationships. Barr Cyber takes sole professional responsibility for the configurations applied and documented herein.

Why This Hardening Configuration Matters

A standard Windows install is not a secure workstation. Out of the box, Windows ships with legacy protocols enabled, default account names that attackers know to target, no enforced password policy, no audit logging, and remote access either wide open or completely absent. Most workstations deployed by IT providers are never hardened beyond basic setup — they are functional, but they are not defended.

What was built here is a different standard. Every configuration applied was chosen because it closes a specific, documented attack path. This is not checkbox security — it is a deliberate defensive posture built for a machine that handles booking data, payment system access, and remote management by the General Manager.

No system is impenetrable. The goal of endpoint hardening is not to make a machine impossible to breach. The goal is to make it an unattractive target compared to every other machine on the internet. Most attacks are opportunistic. A hardened machine raises the cost of attack high enough that the attacker goes elsewhere. This machine, as configured, is not low-hanging fruit.

The Value of PCI DSS Compliance

PCI DSS is not bureaucratic overhead — it is a practical security framework built from decades of documented breaches. Every requirement in it exists because a specific class of attack caused real financial damage at real businesses. When Barr Cyber applies these configurations, it is not filling out a compliance checklist. It is closing the exact attack vectors that PCI DSS was written to address.

The configurations applied to this workstation satisfy six specific PCI DSS v4.0 requirements with documented evidence for each. This documentation can be presented directly to a QSA, an acquiring bank, or legal counsel. If something goes wrong and there is ever a question about whether this business took reasonable steps to protect cardholder data, this report is the answer.

Engagement Timeline

April 23, 2026 — 11:30 AM
Session open. D10U003 (prior managed endpoint) powered off and physically disconnected. MSP monitoring observation formally begins — time logged. This is the clock-start for all MSP detection benchmarks.
April 23, 2026 — 6:30 PM
D10U001 (replacement machine) Windows 11 clean install complete via Rufus. Local account created. Ethernet active. New unrecognized device now network-visible with hostname, DHCP lease, and active traffic profile. Session paused.
April 24, 2026 — 10:30 PM
Session resumed. MSP benchmark: 35 hours elapsed since D10U003 went offline — zero contact. OneDrive disabled via policy. Microsoft work account added. M365 tenant audit — stale accounts identified, flagged for cleanup.
April 27, 2026 — 10:24 AM
MSP benchmark final: 95 hours elapsed since D10U003 went offline — zero proactive contact. MSP informed directly of machine change — no acknowledgment of detection upon notification. Observation period closed. Full hardening sequence executed.
April 27, 2026 — 4:00 PM
Hardening complete. Post-reboot verification passed. Tailscale enrolled. RDP scoped to Tailscale subnet. Machine handed to General Manager. All open items resolved.

Hardware & Configuration

Component | Detail
Make / Model | Dell OptiPlex 3040 Micro (MFF)
CPU | Intel Pentium G4400T @ 2.90GHz
Storage | Samsung SSD 860 Pro 512GB — hardware passed all diagnostics
OS | Windows 11 — clean debloated install via Rufus. All partitions deleted. Fully hardened.
Network | Ethernet only. No wireless adapter present. WLAN service disabled at service and registry level.
Remote Access | Tailscale VPN — WireGuard encrypted overlay. RDP scoped to Tailscale subnet only. MFA via Microsoft account. Only enrolled, authenticated devices can connect.
DNS | Quad9 (9.9.9.9 / 149.112.112.112) — malicious domain blocking at resolver level.

Hardware Diagnostic Results — Dell SupportAssist

Component | Result | Notes
Intel Pentium G4400T CPU | PASSED |
Processor Fan | PASSED |
Samsung SSD 860 Pro 512GB | PASSED | Hardware healthy
System Memory | PASSED |
PCI Memory Controller | WARNING | Missing chipset driver — resolved
PCI Data Acquisition Controller | WARNING | Missing chipset driver — resolved
PCIe Status | WARNING | Missing chipset driver — resolved
SM Bus Controller | WARNING | Missing chipset driver — resolved

All four warnings were driver-related — expected on a clean OS install. No hardware defects. Drivers installed and verified via Device Manager, Dell Support, and Windows Update.

Full Configuration — Command Level

Applied in order. All commands run in PowerShell as administrator unless noted. Post-reboot verification confirms persistent state. Every command, result, and status is documented exactly as executed.

Account & Access Hygiene

Default account names and stale credentials are among the most common entry points in workstation attacks. PCI DSS Req 2.2, 8.2, 8.3.

Command / Action | Result | Status
net user [GM account] * | Password set — 13 characters, complexity enforced. Not documented. Physical sticky note held by manager. | RUN
Rename-LocalUser -Name "Administrator" -NewName "[RENAMED]" | No output — success. Default admin renamed. Eliminates known-username attack vector. WMIC deprecated on Win 11 — PS cmdlet used. | RUN
Disable-LocalUser -Name "Guest" | No output — success. Already disabled by default on Win 11 — confirmed and enforced explicitly. | RUN
Get-LocalUser | GM account: Enabled True. Admin: Enabled False. Guest: Enabled False. No stale accounts. | RUN
secpol.msc → Password Policy | Min 12 chars, complexity enabled, 90-day expiry. | RUN

Attack Surface Reduction

Legacy protocols left enabled on modern systems are a known attacker toolbox. SMBv1 is the vector behind EternalBlue. PSv2 bypasses modern logging and AMSI. PCI DSS Req 2.2.4.

Command / Action | Result | Status
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | No output — success. SMBv1 disabled. Eliminates EternalBlue and related lateral movement vectors. | RUN
Disable-WindowsOptionalFeature ...PSv2Root | Feature unknown — PSv2 not present on this Win 11 install. Confirmed via Get-WindowsOptionalFeature. | N/A
reg add ...NoDriveTypeAutoRun /d 255 /f | Success. AutoRun and AutoPlay disabled for all drive types. Eliminates USB-borne malware auto-execution. | RUN

Firewall

Default-deny inbound policy means no unsolicited inbound connection can reach this machine from any network — local LAN, internet, or otherwise. RDP disabled on the public interface and re-enabled exclusively on the Tailscale tunnel after enrollment. PCI DSS Req 1.3.1, 1.3.2, 1.4.1.

Command / Action | Result | Status
netsh advfirewall set allprofiles state on | Ok. All three profiles enabled — Domain, Private, Public. | RUN
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Ok. Default inbound block enforced. No unsolicited inbound traffic permitted. | RUN
reg add ...fDenyTSConnections /d 1 | Success. RDP disabled on public interface. Re-enabled scoped to Tailscale subnet after VPN enrollment. | RUN
netsh advfirewall firewall set rule name="Remote Desktop - User Mode (TCP-In)" new remoteip=[REDACTED — Tailscale subnet] | Updated 1 rule. RDP inbound scoped to Tailscale subnet only. | RUN
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes | Updated 3 rules. RDP active on Tailscale interface only. | RUN

Wireless Lockdown

WLAN service disabled at both service and registry level. No wireless adapter present, but both layers locked to prevent future hardware additions from inadvertently enabling wireless. PCI DSS Req 1.3.2, 2.2.4.

Command / Action | Result | Status
sc.exe config WlanSvc start= disabled | [SC] ChangeServiceConfig SUCCESS. Note: sc aliased to Set-Content in PS — sc.exe used instead. | RUN
net stop WlanSvc | Service not started — no Wi-Fi adapter present on this machine. | RUN
reg add ...NC_ShowSharedAccessUI /d 0 /f | Success. Network sharing UI suppressed via policy. | RUN
reg add ...HideSCANetwork /d 1 /f | Success. Network tray icon hidden via policy. | RUN
devmgmt.msc → Disable Wi-Fi adapter | No Wi-Fi adapter present. OptiPlex 3040 Micro has no wireless card. Lockdown complete via service and registry. | N/A

Remote Access — Tailscale VPN

Remote access to a PCI-scope machine must never be exposed to the public internet. Tailscale provides an encrypted overlay using WireGuard — only enrolled, authenticated devices on the tailnet can initiate a connection. No port forwarding. No public-facing attack surface. PCI DSS Req 1.4.1, 7.2.1, 8.3.1.

Command / Action | Result | Status
winget install tailscale.tailscale | Installed successfully. Machine enrolled on client tailnet under GM work account. | RUN
Tailscale sign-in via Microsoft account | Enrolled on tailnet. Tailscale IP assigned in 100.x.x.x range (redacted). Note: TPM not present on this machine — Microsoft device registration TPM error non-blocking. Tailscale enrollment succeeded independently. | RUN
MFA enforcement | MFA confirmed active via GM Microsoft account 2FA. Tailscale inherits Microsoft authentication. | RUN

Audit Logging

Without audit logging, there is no record of who logged in, what accounts were changed, or whether security policies were modified. Logging policy changes means any attempt to disable logging will itself generate a log entry. PCI DSS Req 10.2.1, 10.2.2, 10.3.3.

Command / Action | Result | Status
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable | Success. Logon/Logoff success and failure events logged. | RUN
auditpol /set /category:"Account Logon" /success:enable /failure:enable | Success. Account authentication events logged. | RUN
auditpol /set /category:"Account Management" /success:enable /failure:enable | Success. Account creation, deletion, and modification events logged. | RUN
auditpol /set /category:"Policy Change" /success:enable /failure:enable | Success. Policy change events logged — prevents silent audit config modification. | RUN
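To show what the policy above produces in practice, here is an added example (not part of the report) that pulls the Security log events these categories exist to generate: audit policy changes, log clearing, and local account or group changes. The event IDs are standard Windows Security log IDs; the 24-hour default lookback is an assumption.

```powershell
# Added example, not the report's own script: lists the Security log events that the
# audit policy above exists to produce, so the claim "any attempt to disable logging is
# itself logged" can be checked on the machine. Event IDs are standard Windows Security
# log IDs; the 24-hour default window is an assumption. Run as administrator.

function Get-AuditTamperEvents {
    param([int]$Hours = 24)

    # Events from the enabled categories that a reviewer should see explained
    $Meaning = @{
        4719 = 'System audit policy was changed'                 # Policy Change
        1102 = 'Security audit log was cleared'                  # log protection
        4720 = 'User account was created'                        # Account Management
        4726 = 'User account was deleted'                        # Account Management
        4732 = 'Member added to a security-enabled local group'  # Account Management
    }
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$Meaning.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent errors when nothing matches, so "no events" becomes an empty result
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Most of these carry the acting account in EventData; 1102 carries it under UserData
        $actor = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        if (-not $actor) { $actor = $xml.Event.UserData.LogFileCleared.SubjectUserName }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $Meaning[$_.Id]
            Actor   = $actor
        }
    }
}

# Example run: any 4719 or 1102 in the window deserves a ticket, not a shrug
Get-AuditTamperEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```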

Credential Protection — LSASS

LSASS handles Windows authentication and stores credential material in memory. Tools like Mimikatz target it directly. Running LSASS as a Protected Process Light significantly raises the bar. On a fully patched Windows 11 system, most known userland bypass techniques have been closed by Microsoft. Determined attackers with BYOVD capability can bypass PPL, but this substantially increases attack complexity and detection surface. PCI DSS Req 8.3, 8.6.

Command / Action | Result | Status
reg add ...RunAsPPL /t REG_DWORD /d 1 /f | Success. LSASS PPL enabled. Requires reboot — deferred to end of sequence. Post-reboot: RunAsPPL: 1 confirmed. | RUN
reg add ...DisableRestrictedAdmin /t REG_DWORD /d 0 /f | Success. Restricted Admin mode enforced. Prevents pass-the-hash via RDP. | RUN

Network Poisoning Vectors — LLMNR, NetBIOS, WPAD

LLMNR and NetBIOS can be exploited by tools like Responder to intercept authentication attempts and capture credential hashes — even on a machine that has never visited a malicious site. WPAD allows an attacker on the same network to redirect all web traffic through a proxy they control. All three disabled. PCI DSS Req 1.3, 2.2.4.

Command / Action | Result | Status
reg add ...EnableMulticast /t REG_DWORD /d 0 /f | Success. LLMNR disabled. Eliminates Responder/poisoning attack vector. | RUN
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration; foreach ($a in $adapters) { $a.SetTcpipNetbios(2) } | ReturnValue 0 on physical ethernet adapter — success. ReturnValue 84 on WAN Miniports — expected, not supported on virtual adapters. | RUN
reg add ...WpadOverride /t REG_DWORD /d 1 /f | Success. WPAD disabled at user level. | RUN
reg add ...DisableWpad /t REG_DWORD /d 1 /f | Success. WPAD disabled at system level. Eliminates proxy hijack vector. | RUN

Secure DNS — Quad9

DNS is the first step in nearly every network connection. Quad9 (9.9.9.9) provides malicious domain blocking at the resolver level — known malware C2 domains, phishing sites, and malicious infrastructure are blocked before a connection is ever made. PCI DSS Req 1.3, 6.3.

Command / Action | Result | Status
netsh interface ip set dns "Ethernet" static 9.9.9.9 | No output — success. Primary DNS set to Quad9. | RUN
netsh interface ip add dns "Ethernet" 149.112.112.112 index=2 | No output — success. Secondary DNS set to Quad9. Both confirmed via show dns. | RUN

Windows Defender & Exploit Protection

Real-time protection, cloud-delivered threat intelligence, and system-wide exploit mitigations enforced explicitly rather than left at defaults. PCI DSS Req 5.2, 6.3.

Command / Action | Result | Status
Set-MpPreference -DisableRealtimeMonitoring $false | No output — success. Real-time protection enforced on. | RUN
Set-MpPreference -MAPSReporting Advanced | No output — success. Cloud-delivered protection enabled. | RUN
Set-ProcessMitigation -System -Enable DEP,SEHOP,ForceRelocateImages | No output — success. DEP, SEHOP, ASLR enforced system-wide. | RUN

PrintNightmare Mitigation

CVE-2021-34527 (CVSS 8.8 HIGH) allows RCE via Print Spooler. Printing confirmed required by manager — Spooler not disabled. PointAndPrint restriction applied instead. This machine must remain current on Windows Updates for the registry restriction to remain effective. PCI DSS Req 2.2.4.

Command / Action | Result | Status
sc config Spooler start= disabled | NOT APPLIED. Printing confirmed required by manager. Option 2 applied instead. | N/A
reg add ...RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f | Success. Print Spooler left running. Driver installation restricted to admins only. Residual risk: Spooler attack surface remains — patch currency is the primary control. | RUN

PowerShell Constrained Language Mode

CLM restricts PowerShell to a safe subset, significantly raising the cost of LOTL attacks. Not a hard barrier against compiled binaries or .NET, but eliminates the majority of automated and opportunistic PowerShell-based attack paths. Note to future MSP: CLM is active (value 4). Some admin scripts will fail — lift temporarily to 0, run, restore to 4. PCI DSS Req 2.2.4, 6.3.

Command / Action | Result | Status
reg add ...__PSLockdownPolicy /t REG_SZ /d 4 /f | Success. PS CLM enabled (value 4). Raises cost of PowerShell-based LOTL attacks significantly. Does not block compiled binary or .NET-based techniques. | RUN

Secure Boot — Finding & Remediation

Secure Boot status is verified early in the session as a baseline check. On this machine it was found disabled in firmware — a configuration gap that allows unsigned bootloaders and rootkits to execute before the OS loads. Remediated in-session via BIOS. PCI DSS Req 2.2.4.

Command / Action | Result | Status
Confirm-SecureBootUEFI | Returned: False. Secure Boot disabled in firmware on clean install. Flagged for immediate remediation — unsigned bootloaders and pre-OS rootkits are permitted when Secure Boot is off. | RUN
BIOS (F2) → Security → Secure Boot → Enabled → Save & Exit | Secure Boot enabled in UEFI firmware. Machine rebooted. Finding closed in-session — not deferred. | RUN
Confirm-SecureBootUEFI | True — Secure Boot active post-reboot. Boot chain integrity enforced at firmware level. | RUN

Post-Reboot Verification

Several configurations — notably LSASS PPL — require a reboot to take effect. Post-reboot verification confirms all critical settings survived the restart and are active in their final persistent state. This is the definitive check: not what was configured, but what is actually running.

Command | Result | Status
Confirm-SecureBootUEFI | True | RUN
Install-Module SpeculationControl -Force; Get-SpeculationControlSettings | All Spectre/Meltdown CPU mitigation flags confirmed True. Hardware microcode and OS-level mitigations active. No gaps on this hardware/OS combination. | RUN
auditpol /get /category:* | All required categories: Success and Failure. Logon/Logoff, Account Management, Account Logon, Policy Change — all confirmed. | RUN
Get-SmbServerConfiguration | Select EnableSMB1Protocol | EnableSMB1Protocol: False | RUN
Get-ItemProperty HKLM:\...\Lsa -Name RunAsPPL | RunAsPPL: 1 — LSASS PPL active post-reboot. | RUN

Patch Currency: The configurations above close known attack vectors but are not a substitute for patch management. Windows Updates must remain current. A hardened but unpatched system is still vulnerable to known CVEs. PCI DSS Requirement 6 mandates a patch management process for in-scope systems — this is an ongoing operational obligation, not a one-time configuration.
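A single re-runnable check for the persistent state this section verifies by hand, written here as an added example rather than the report's own script: it re-tests each setting from the hardening sequence and reports PASS or FAIL so drift after a Windows Update or an MSP maintenance script is caught rather than assumed away. The registry paths are the standard Windows locations for these values (the report redacts its own reg add paths) and the "Ethernet" interface alias is taken from the DNS section; both are assumptions about this build.

```powershell
# Added example, not the report's own script: re-checks the persistent state the
# post-reboot verification confirms by hand. Registry paths below are the standard
# Windows locations for these values (the report redacts its own reg add paths), so
# they are an assumption about this build. Run as administrator.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, so a missing setting reads as FAIL
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$Lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DnsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ExplPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SessEnv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$PnP     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Each check is a scriptblock that must return $true for PASS.
$Checks = @(
    @{ Name = 'Secure Boot enabled (Confirm-SecureBootUEFI)'
       Test = { Confirm-SecureBootUEFI } }
    @{ Name = 'SMBv1 disabled'
       Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Name = 'LSASS PPL (RunAsPPL = 1)'
       Test = { (Get-RegValue $Lsa 'RunAsPPL') -eq 1 } }
    # DisableRestrictedAdmin = 0 turns Restricted Admin mode on. It keeps the connecting
    # admin's credentials off the remote host; it is not by itself a block on NTLM-based
    # RDP logons, so the tailnet scoping and MFA remain the primary RDP controls.
    @{ Name = 'Restricted Admin mode (DisableRestrictedAdmin = 0)'
       Test = { (Get-RegValue $Lsa 'DisableRestrictedAdmin') -eq 0 } }
    @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
       Test = { (Get-RegValue $DnsPol 'EnableMulticast') -eq 0 } }
    @{ Name = 'NetBIOS over TCP/IP disabled on IP-enabled adapters'
       Test = { $phys = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
                @($phys | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -eq 0 } }
    @{ Name = 'AutoRun off for all drive types (NoDriveTypeAutoRun = 255)'
       Test = { (Get-RegValue $ExplPol 'NoDriveTypeAutoRun') -eq 255 } }
    @{ Name = 'Print driver installs restricted to admins'
       Test = { (Get-RegValue $PnP 'RestrictDriverInstallationToAdministrators') -eq 1 } }
    @{ Name = 'PowerShell CLM (__PSLockdownPolicy = 4)'
       Test = { (Get-RegValue $SessEnv '__PSLockdownPolicy') -eq '4' } }
    @{ Name = 'Firewall on with inbound Block on all three profiles'
       Test = { @(Get-NetFirewallProfile | Where-Object {
                    -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' }).Count -eq 0 } }
    # "set rule group=Remote Desktop new enable=yes" enabled three rules but only the
    # TCP-In rule was scoped with remoteip, so every enabled rule in the group is checked.
    @{ Name = 'No enabled Remote Desktop rule open to Any remote address'
       Test = { $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True'
                @($rules | Get-NetFirewallAddressFilter | Where-Object RemoteAddress -eq 'Any').Count -eq 0 } }
    @{ Name = 'Ethernet DNS = Quad9 (9.9.9.9 / 149.112.112.112)'
       Test = { $dns = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).ServerAddresses
                ($dns -contains '9.9.9.9') -and ($dns -contains '149.112.112.112') } }
    @{ Name = 'WlanSvc start type Disabled'
       Test = { (Get-Service WlanSvc -ErrorAction Stop).StartType -eq 'Disabled' } }
    @{ Name = 'Defender real-time protection on, MAPS Advanced'
       Test = { $mp = Get-MpPreference
                (-not $mp.DisableRealtimeMonitoring) -and ($mp.MAPSReporting -eq 2) } }
    @{ Name = 'Audit: Logon/Logoff, Account Logon, Account Management, Policy Change = Success and Failure'
       Test = { $bad = foreach ($c in 'Logon/Logoff','Account Logon','Account Management','Policy Change') {
                    # /r gives CSV; every subcategory in the category must be Success and Failure
                    auditpol /get /category:"$c" /r | ConvertFrom-Csv |
                        Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
                }
                @($bad).Count -eq 0 } }
)

function Test-HardeningBaseline {
    foreach ($c in $Checks) {
        # A query that throws (cmdlet missing, key unreadable) is reported as FAIL, not skipped
        $ok = $false
        try { $ok = [bool](& $c.Test) } catch { $ok = $false }
        [pscustomobject]@{ Check = $c.Name; Status = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
    }
}

$results = Test-HardeningBaseline
$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($Checks.Count) checks failed"
```

Scheduled as a daily task with the output written to the service record, this turns the one-time post-reboot verification into the ongoing check the patch currency note asks for.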

MSP Monitoring Not Actively Functioning

Formal Finding — Documented Observation — Ticket A2B
95 hrs: April 23, 11:30 AM → April 27, 10:24 AM — zero proactive contact

D10U003 (the prior managed endpoint) was powered off and physically disconnected at 11:30 AM on April 23, 2026. Barr Cyber logged the time in the service record at that moment and allowed the observation to run its full course without intervention, contact, or prompting — to ensure the finding would reflect actual MSP behavior rather than a response to being tested.

By 6:30 PM on April 23, a replacement machine (D10U001) was connected to the client network and fully network-visible — new hostname, new DHCP lease, active traffic. By 10:30 PM on April 24 — 35 hours in — there had been zero contact. By 10:24 AM on April 27, 95 hours had elapsed with zero proactive contact of any kind.

A managed endpoint going offline unexpectedly, combined with a new unrecognized hardware device appearing on the network under a new hostname with new local accounts — this sequence is precisely what endpoint detection, network monitoring, and asset management tools are designed to catch immediately. To any functioning monitoring stack, this sequence is indistinguishable from a ransomware deployment, hardware theft followed by rogue device introduction, or an unauthorized network intrusion.

No evasion techniques were employed. No alerts were suppressed. The events occurred in plain sight on the client’s own network across five calendar days.

When the incumbent MSP was subsequently informed directly of the machine change, they did not indicate they had detected or been alerted to either event through their monitoring systems. The absence of proactive contact combined with no acknowledgment of detection upon direct notification is consistent with monitoring that was not actively functioning.

The monitoring infrastructure existed. It did not alert.

In the interest of a complete and accurate record, Barr Cyber documents the following in credit to the incumbent MSP: professional-grade monitoring and remote access tooling was present on D10U003 at the time of this engagement. This is not a finding against the incumbent — it is documentation of what was there.

Remote Access
Splashtop Business Streamer v3.7.4.4
A commercial MSP remote access platform deployed via pre-configured installer with an embedded deployment token. A legitimate and professionally appropriate tool confirming the incumbent had an established remote access path to this machine.
Backup & Replication
Arcserve UDP Replication Agent v6.2.2626
A professional backup and disaster recovery platform performing continuous block-level data replication to a destination under the MSP’s control. Consistent with a managed backup service and a meaningful operational commitment.
Core Observation
Splashtop provided remote visibility into the machine. Arcserve UDP was actively replicating data from it. The incumbent had the means to know. Neither platform generated a notification, an alert, or any proactive contact across 95 hours of endpoint downtime, a new unrecognized device on the network, new local accounts, and remote access software enrollment — all on a system processing payment card data.

Note on methodology: This section was written after analysis of artifacts recovered from D10U003 during the migration session. The initial finding on Nmap and Netcat discovered on D10U003 was documented in real time as unknown origin. Upon recovery of the Splashtop and Arcserve installers and assessment of the full incumbent toolset, Barr Cyber revised that assessment — both tools are consistent with a standard MSP diagnostic toolkit. The evolution from initial uncertainty to charitable conclusion is documented in the engagement record. Barr Cyber does not install diagnostic tools on client machines — any tools required are carried on technician media and removed on session close.

A note on the nature of this finding — This was not a commissioned penetration test of MSP monitoring infrastructure. It was a workstation migration. The assessment of monitoring posture was derived from documentation of that migration — not from any adversarial intent. A functioning monitoring stack would have detected these events without a test being necessary. A formal adversarial MSP audit — designed to probe detection with evasion — is available as a contracted engagement from Barr Cyber. What this engagement established is that the threshold for detection was never reached by events that should have been impossible to miss.
MSP Penetration Testing Available from Barr Cyber — Formal penetration testing of MSP monitoring and detection infrastructure as a contracted service. Includes controlled simulation of endpoint failure, rogue device introduction, unauthorized account creation, and lateral movement — all designed to verify whether your current MSP’s monitoring is actually functioning as billed. If you are paying for managed monitoring and have never verified that it works — you may already know the answer. Contact Barr Cyber to find out for certain.

Six Requirements — Command-Level Evidence

Each of the following requirement blocks documents what PCI DSS requires, the specific commands applied as evidence, and how the current configuration satisfies each requirement. This section is suitable for presentation to a QSA, acquiring bank, or legal counsel.

Req 1.3 / 1.4
Restrict Inbound and Outbound Traffic
What PCI DSS requires: Network security controls must restrict inbound and outbound traffic to only that which is necessary. All other traffic must be denied by default. Remote access to the CDE must be secured and controlled.
Current configuration: Default-deny inbound firewall policy enforced across all profiles. No wireless attack surface. Remote access restricted exclusively to an encrypted Tailscale VPN tunnel. No unauthorized inbound network path exists.
Compliance argument: The CDE endpoint now operates with default-deny inbound firewall policy across all profiles, no wireless attack surface, and remote access restricted exclusively to an encrypted Tailscale VPN tunnel. No unauthorized inbound network path exists. Satisfies PCI DSS v4.0 Requirements 1.3.1, 1.3.2, and 1.4.1.
Req 2.2
Develop and Implement Secure Configuration Standards
What PCI DSS requires: System components must be configured and managed using a secure baseline. All unnecessary functionality, features, and services must be removed or disabled. Default accounts and passwords must be changed before deployment.
Current configuration: Secure configuration baseline applied on a clean OS install. Default account names changed, legacy protocols disabled, removable media auto-execution eliminated. PSv2 confirmed absent. No undocumented configuration artifacts present.
Compliance argument: A secure configuration baseline was applied from scratch on a clean OS install. Default account names changed, unnecessary legacy protocols disabled, removable media auto-execution eliminated. No inherited configuration artifacts from the prior environment remain. PSv2 confirmed absent on this Win 11 install. Satisfies PCI DSS v4.0 Requirements 2.2.1 and 2.2.4.
Req 7.2
Access to System Components and Data Appropriately Defined
What PCI DSS requires: Access to system components and cardholder data must be restricted to only those individuals whose job requires it. Deny-by-default.
Current configuration: Remote access restricted exclusively to authenticated VPN tunnel sessions with MFA enforced. All active accounts are current staff with documented access levels. No unauthenticated or single-factor remote access path exists.
Compliance argument: Access to the CDE endpoint via remote management is restricted exclusively to authenticated VPN tunnel sessions with MFA enforced. No unauthenticated or single-factor remote access path exists. Satisfies PCI DSS v4.0 Requirements 7.2.1, 7.2.2, and 7.2.5.
Req 8.2.6 / 8.3
User Identification, Authentication, and Account Lifecycle
What PCI DSS requires: Accounts for terminated or transferred personnel must be removed or disabled immediately upon termination. MFA must be implemented for all remote access to the CDE.
Current configuration: All active accounts verified as current staff with documented roles. MFA enforced for all remote access via Tailscale. Strong password policy applied. All accounts uniquely identifiable. M365 tenant reviewed and current.
Compliance argument: Stale former GM account identified, documented, and removed. MFA enforced for all remote access via Tailscale. Strong password policy applied. All accounts uniquely identifiable. M365 tenant cleanup complete. Satisfies PCI DSS v4.0 Requirements 8.2.6, 8.3.1, and 8.2.1.
Req 10.2 / 10.3
Audit Logs — Implementation and Protection
What PCI DSS requires: Audit logs must capture all individual user access, all actions by privileged users, invalid logical access attempts, and all changes to audit log configuration. Logs must be protected from unauthorized modification.
Current configuration: Audit logging enabled across all required categories. Logon events, account authentication, account management, and policy changes all captured with success and failure events. Any attempt to modify logging configuration is itself logged.
Compliance argument: Audit logging enabled across all categories required by PCI DSS Req 10.2. Logon events, account authentication, account management, and policy changes all captured with success and failure events. The logging of policy changes satisfies the requirement to protect audit log integrity — any attempt to disable logging will itself generate a log entry. Satisfies PCI DSS v4.0 Requirements 10.2.1, 10.2.2, and 10.3.3.
Req 12.3
Hardware and Environmental Risk Management
What PCI DSS requires: Hardware must be protected from environmental threats. Risk to CDE systems from physical and environmental factors must be identified and managed.
Current configuration: Hardware deployed with correct physical configuration and documented environmental management guidance provided to client. Replacement endpoint fully operational with verified hardware diagnostics on file.
Compliance argument: Environmental root cause identified, documented, and remediated. Replacement hardware deployed with correct physical configuration. Client formally advised on ongoing environmental management obligations. Satisfies PCI DSS v4.0 Requirement 12.3.4.
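The requirement blocks above cite command-level evidence. As an added example, not the engagement's own evidence commands, the script below collects the locally checkable items for Req 1.3/1.4, 2.2, 8.2.6/8.3 and 10.2/10.3 from the endpoint and writes them to a timestamped JSON file that can go into a QSA package. MFA on the Tailscale tunnel and the M365 tenant state live outside the machine and are not collected here. The 90-day inactivity window is the PCI DSS v4.0 Req 8.2.6 threshold; the output path is an assumed example.

```powershell
# Added example: local PCI DSS evidence collection for the requirement blocks above.
# Not the engagement's own script. Run in an elevated PowerShell on the hardened endpoint.

function Get-FirewallEvidence {            # Req 1.3 / 1.4: default-deny inbound on every profile
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = "$($_.Enabled)" -eq 'True'
        $inbound = "$($_.DefaultInboundAction)"
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $enabled
            DefaultInbound = $inbound
            Compliant      = ($enabled -and $inbound -eq 'Block')
        }
    }
}

function Get-BaselineEvidence {            # Req 2.2: legacy components absent (SMBv1, PowerShell v2)
    foreach ($feature in 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root') {
        $state = 'NotPresent'               # a feature missing from the image is as good as disabled
        try { $state = "$((Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction Stop).State)" } catch { }
        [pscustomobject]@{ Feature = $feature; State = $state; Compliant = ($state -ne 'Enabled') }
    }
}

function Get-AccountEvidence {             # Req 8.2.6 / 8.3: inactive accounts, minimum password length
    $cutoff = (Get-Date).AddDays(-90)      # 8.2.6: inactive accounts removed or disabled within 90 days
    $users = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
            # flag only accounts that are enabled AND have a logon older than the cutoff
            StaleAndEnabled = ($_.Enabled -and $null -ne $_.LastLogon -and $_.LastLogon -lt $cutoff)
        }
    }
    # `net accounts` prints the effective local policy; pull the minimum length from its output
    $line   = net accounts | Select-String -Pattern 'Minimum password length\s+(\d+)'
    $minLen = if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
    [pscustomobject]@{
        Users             = @($users)
        MinPasswordLength = $minLen
        MeetsTwelveChars  = ($null -ne $minLen -and $minLen -ge 12)   # the 12-character policy cited above
    }
}

function Get-AuditEvidence {               # Req 10.2 / 10.3: success AND failure captured per subcategory
    $required = 'Logon', 'Credential Validation', 'User Account Management', 'Audit Policy Change'
    foreach ($sub in $required) {
        # /r emits CSV; the "Inclusion Setting" column holds e.g. "Success and Failure"
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
        $setting = "$($row.'Inclusion Setting')"
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

$evidence = [pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Collected     = (Get-Date).ToString('o')
    Req1_Firewall = @(Get-FirewallEvidence)
    Req2_Baseline = @(Get-BaselineEvidence)
    Req8_Accounts = Get-AccountEvidence
    Req10_Audit   = @(Get-AuditEvidence)
}

# Assumed example path; keep the file with the engagement record
$out = Join-Path $env:USERPROFILE "pci-evidence-$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
$evidence | ConvertTo-Json -Depth 5 | Set-Content -Path $out -Encoding UTF8

$evidence.Req1_Firewall | Format-Table -AutoSize
$evidence.Req2_Baseline | Format-Table -AutoSize
$evidence.Req10_Audit   | Format-Table -AutoSize
$evidence.Req8_Accounts.Users | Where-Object StaleAndEnabled | Format-Table Name, LastLogon -AutoSize
"Evidence written to $out"
```

Every cmdlet and type used here is on the Constrained Language allow list, so the script runs on the endpoint without lifting CLM. A `Compliant = False` row is the item to fix before the evidence file is handed over, not something to edit out of the JSON.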
Full PCI DSS Compliance Available from Barr Cyber — The configurations in this engagement represent what can be applied at the workstation level. PCI DSS v4.0 is a comprehensive framework — many requirements operate at the organizational, network, and program level. Requirements outside scope for this engagement include: Req 3/4 (cardholder data storage scoping), Req 10.5 (12-month log retention), Req 11 (quarterly vulnerability scanning + annual pen testing), Req 12.10 (incident response plan), and Req 9 (physical security of CDE). All can be addressed under a contracted engagement. Contact Barr Cyber to discuss a full compliance program for your property.

CVE & MITRE ATT&CK Techniques

All CVEs listed are confirmed as Known Exploited Vulnerabilities in the CISA KEV catalog unless noted. MITRE ATT&CK techniques where no CVE exists are protocol design weaknesses or configuration abuses — not patchable, only configurable.

| CVE / Technique | Vulnerability / Attack | CVSS | Description & Source |
|---|---|---|---|
| CVE-2017-0144 | EternalBlue — SMBv1 RCE | 8.8 HIGH | RCE via crafted SMBv1 packets. No authentication required. Weaponized by WannaCry and NotPetya. KEV listed. nvd.nist.gov |
| CVE-2021-34527 | PrintNightmare — Print Spooler RCE | 8.8 HIGH | RCE and privilege escalation via Windows Print Spooler. Authenticated attacker gains SYSTEM. KEV listed. nvd.nist.gov |
| CVE-2021-1675 | PrintNightmare — Print Spooler LPE | 7.8 HIGH | Local privilege escalation via Print Spooler. SYSTEM-level access. KEV listed. nvd.nist.gov |
| CVE-2016-3236 | WPAD Proxy Discovery — Traffic Redirect | 7.5 HIGH | Windows WPAD mishandles proxy discovery, allowing traffic interception. Attacker on same network intercepts all web sessions. nvd.nist.gov |
| MITRE T1557.001 | LLMNR / NBT-NS Poisoning (Responder) | No CVE | Inherent protocol weakness. Attackers use Responder to harvest NTLM hashes silently. No user interaction required. attack.mitre.org |
| MITRE T1003.001 | LSASS Credential Dumping (Mimikatz) | No CVE | Mimikatz exploits legitimate LSASS memory access. LSASS PPL blocks commodity tools. BYOVD bypasses require driver deployment — substantially increased cost. attack.mitre.org |
| MITRE T1550.002 | Pass-the-Hash via RDP | No CVE | Authentication abuse — captured NTLM hashes used without plaintext passwords. Restricted Admin mode blocks this vector via RDP. attack.mitre.org |
| MITRE T1059.001 | PowerShell LOTL Scripting | No CVE | CLM restricts the PowerShell execution environment. Eliminates commodity intrusion toolkits. Forces attackers toward noisier, more detectable methods. attack.mitre.org |
| MITRE T1091 | USB / AutoRun Malware | No CVE | Configuration weakness. AutoRun disabled for all drive types (REG_DWORD 255) prevents USB payload execution on insertion. attack.mitre.org |
| CWE-798 / CWE-521 | Default / Predictable Account Names | Config | Default account names are targeted first in automated scans. Renamed admin account + 12-character complexity closes this vector. cwe.mitre.org |
| CVE-2017-5715 / CVE-2017-5754 | Spectre / Meltdown — CPU Speculation Attacks | 5.6 MED | Hardware-level speculative execution vulnerabilities affecting most modern CPUs. OS and microcode mitigations verified active via SpeculationControl module. All flags confirmed True post-reboot. nvd.nist.gov |
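Each row in the table is closed by a specific local control. As an added example, not the engagement's own verification commands, the script below reads the current state of that control for every row and reports PASS, FAIL or UNKNOWN, so drift from the documented baseline shows up as a failed row next to its CVE or technique ID. Registry locations are the standard Windows policy paths. Two assumptions: the WPAD check assumes the WinHttpAutoProxySvc service was the control used (the table does not say which), and the Spectre/Meltdown check needs Microsoft's SpeculationControl module from the PowerShell Gallery, which the last row names.

```powershell
# Added example: read-only mitigation state check for the CVE / ATT&CK table above.
# Not the engagement's own script. Run elevated; nothing here changes configuration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT'

# One scriptblock per table row; $true = control in place, $false = drift, $null = cannot tell
$checks = [ordered]@{
    'CVE-2017-0144  SMBv1 feature disabled' = {
        "$((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State)" -eq 'Disabled' }
    'CVE-2021-34527 Spooler driver install restricted to admins' = {
        (Get-RegValue "$pol\Printers\PointAndPrint" 'RestrictDriverInstallationToAdministrators') -eq 1 }
    'CVE-2016-3236  WPAD auto-proxy service disabled (assumed control)' = {
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' 'Start') -eq 4 }
    'T1557.001      LLMNR disabled (EnableMulticast = 0)' = {
        (Get-RegValue "$pol\DNSClient" 'EnableMulticast') -eq 0 }
    'T1557.001      NetBIOS over TCP/IP off on every interface' = {
        $ifs = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
        @($ifs | Where-Object { (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }).Count -eq 0 }
    'T1003.001      LSASS runs as PPL (RunAsPPL)' = {
        (Get-RegValue $lsa 'RunAsPPL') -in 1, 2 }
    'T1550.002      Restricted Admin mode for RDP' = {
        (Get-RegValue $lsa 'DisableRestrictedAdmin') -eq 0 }
    'T1059.001      PowerShell Constrained Language (__PSLockdownPolicy = 4)' = {
        "$(Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' '__PSLockdownPolicy')" -eq '4' }
    'T1091          AutoRun disabled for all drive types (255)' = {
        (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun') -eq 255 }
    'CWE-798        Built-in Administrator (RID 500) renamed' = {
        (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name -ne 'Administrator' }
    'CVE-2017-5715/5754 Spectre & Meltdown OS mitigations active' = {
        if (-not (Get-Module -ListAvailable -Name SpeculationControl)) { return $null }   # UNKNOWN without the module
        $s = Get-SpeculationControlSettings -Quiet
        ($s.BTIWindowsSupportEnabled -and $s.KVAShadowWindowsSupportEnabled) }
}

$report = foreach ($name in $checks.Keys) {
    $state = $null
    try { $state = & $checks[$name] } catch { $state = $null }   # a missing key or feature is UNKNOWN, not FAIL
    $status = if ($state -eq $true) { 'PASS' } elseif ($null -eq $state) { 'UNKNOWN' } else { 'FAIL' }
    [pscustomobject]@{ Control = $name; Status = $status }
}

$report | Format-Table -AutoSize
$notPassing = @($report | Where-Object { $_.Status -ne 'PASS' }).Count
"$notPassing control(s) not in PASS state"
```

UNKNOWN is deliberately separate from FAIL: an absent registry key means the policy was never set, which is a different finding from a key that was set and later changed. Running this on a schedule and alerting on any non-PASS row gives the kind of endpoint drift detection the incumbent MSP's monitoring did not provide.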

Complete

Engagement complete. All open items resolved.

Clean OS install, full hardening sequence, and post-reboot verification — complete. Tailscale VPN enrolled on office machine and GM home machine — RDP tunnel tested end-to-end, confirmed working. User data migrated from prior machine to new endpoint. Booking software license rehosted to new machine hardware, application operational. Microsoft 365 tenant cleanup complete — stale departed staff accounts removed, Exchange Online license reassigned to current General Manager.

Machine handed to client. Configurations documented, verified, and on file with Barr Cyber.

Notes for Future MSP

Every configuration in this engagement was intentional and documented. Before changing any setting, understand what it does and why it was applied.

RDP and Tailscale are coupled — RDP is scoped to the Tailscale subnet. Removing Tailscale breaks remote access. Update the firewall rule before making changes.
PowerShell CLM is active (value 4) — admin scripts will fail. To lift temporarily: set __PSLockdownPolicy to 0, run script, restore to 4.
LSASS PPL requires reboot to take effect after reconfiguration. Verify with: Get-ItemProperty HKLM:\...\Lsa -Name RunAsPPL
Print Spooler is running — printing required. Driver install restricted to admins via PointAndPrint registry key.
Ethernet IP is DHCP and may change. Use Tailscale IP (100.x.x.x range) for remote access.
No TPM on this machine — Microsoft device registration errors during account sign-in flows are expected and non-blocking.
WMIC is deprecated on Windows 11 — use PowerShell equivalents throughout.
Quad9 DNS is set on adapter named ‘Ethernet’ — if adapter name changes due to hardware swap, DNS must be reapplied.
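The notes above describe settings that depend on each other. As an added example, not part of the handoff package itself, the script below checks the coupled items before any change (RDP rule scope versus the Tailscale range, the current Tailscale IP, Quad9 on the adapter named 'Ethernet', TPM presence) and wraps the "lift CLM, run script, restore" procedure in a function that restores the value even if the script fails. Assumptions: the Tailscale adapter's alias is 'Tailscale' and the RDP rules are in the default 'Remote Desktop' firewall group; Tailscale addresses come from the 100.64.0.0/10 block, which is the 100.x.x.x range mentioned above.

```powershell
# Added example for the "Notes for Future MSP" list. Not the engagement's own script.
# Run elevated. Everything is read-only except Invoke-WithClmLifted.

$TailscaleRange = '100.64.0.0/10'                 # Tailscale's CGNAT block (the 100.x.x.x range above)
$Quad9          = @('9.9.9.9', '149.112.112.112')

function Test-RdpScopedToTailscale {
    # RDP stays tunnel-only while every enabled inbound RDP rule is limited to the Tailscale range.
    # A rule whose RemoteAddress is 'Any' re-exposes port 3389 on the LAN.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True)
    if ($rules.Count -eq 0) { Write-Warning 'No enabled inbound RDP rule found'; return $false }
    foreach ($r in $rules) {
        $remote = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        $outsideTailscale = @($remote | Where-Object { $_ -eq 'Any' -or $_ -notlike '100.*' })
        if ($outsideTailscale.Count -gt 0) {
            Write-Warning "RDP rule '$($r.DisplayName)' is scoped to: $($remote -join ', ')"
            return $false
        }
    }
    return $true
}

function Get-TailscaleIPv4 {
    # The Ethernet IP is DHCP and may change; this is the address to document for remote access
    (Get-NetIPAddress -InterfaceAlias 'Tailscale' -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
}

function Test-Quad9OnEthernet {
    $servers = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses
    if (-not $servers) {
        Write-Warning "No adapter named 'Ethernet' with IPv4 DNS servers; reapply Quad9 after a hardware swap"
        return $false
    }
    return (@($servers | Where-Object { $_ -notin $Quad9 }).Count -eq 0)
}

function Test-TpmPresent {
    # Expected $false on this machine; explains the device-registration errors noted above
    try { [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { $false }
}

function Invoke-WithClmLifted {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # The procedure from the notes: __PSLockdownPolicy 4 = Constrained Language, 0 = lifted.
    # The lift is machine-wide for as long as the script runs, so keep that window short;
    # finally restores the value even if the script throws or is interrupted.
    try {
        setx /M __PSLockdownPolicy 0 | Out-Null
        $env:__PSLockdownPolicy = '0'             # the new process reads the policy from its environment at startup
        & powershell.exe -NoProfile -File $ScriptPath
    }
    finally {
        setx /M __PSLockdownPolicy 4 | Out-Null
        $env:__PSLockdownPolicy = '4'
        $now = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment').__PSLockdownPolicy
        if ("$now" -ne '4') { Write-Error "CLM NOT restored (value '$now'); fix before leaving the machine" }
        else { 'CLM restored (__PSLockdownPolicy = 4); open a new console to pick it up' }
    }
}

# Pre-change summary: run this before touching firewall, VPN or DNS settings
[pscustomobject]@{
    RdpScopedToTailscale = Test-RdpScopedToTailscale
    TailscaleIPv4        = Get-TailscaleIPv4
    Quad9OnEthernet      = Test-Quad9OnEthernet
    TpmPresent           = Test-TpmPresent
} | Format-List
```

Usage: run the file once to get the summary; to run an administrative script under the documented procedure, dot-source the file and call `Invoke-WithClmLifted -ScriptPath C:\path\to\script.ps1` (path is an example). If `RdpScopedToTailscale` reports `False`, the firewall rule should be corrected before, not after, any Tailscale change, for the reason the first note gives.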

Download Complete Case Study

The full case study document includes both Part 1 (business-owner summary) and Part 2 (complete technical appendix) — the full hardening command sequence with results, PCI DSS v4.0 compliance mapping with QSA-presentable evidence, MSP monitoring finding documentation, CVE & MITRE ATT&CK reference, and engagement timeline. 21 pages. Print-ready.

Download Full Case Study — PDF →

Does Your Business Process Payment Card Data?

If your business has an IT provider and you’ve never verified their monitoring actually works — you may already be in a similar position. Barr Cyber provides endpoint hardening, PCI DSS compliance programs, MSP monitoring verification, and full adversarial security engagements. The starting point is understanding what you’re protecting and what a breach would cost you.