[{"content":"In an MSP environment, the fastest way to lose time is by chasing a platform symptom that is actually caused by an identity conflict. To resolve escalations efficiently, I utilize a three-question diagnostic test to isolate the failure domain.\nThe Three-Question Test Is it User-Specific? Does the issue persist if a different user logs into the same machine? Is it Device-Specific? Does the user experience the same issue on a different workstation? Is it Network-Specific? Does the behavior change when moved to a guest network or an off-site connection? The Identity vs. Platform Divide By answering these, we distinguish between an Identity issue (M365 profiles, permissions, corrupted user hives) and a Platform issue (OS corruption, driver conflicts, or hardware failure). This framework ensures that we stop \u0026ldquo;trying things\u0026rdquo; and start moving toward a definitive root cause.\n","permalink":"https://avanster.tech/posts/global-troubleshooting-framework/","summary":"A strategic diagnostic approach to cut through the noise of L2 escalations by distinguishing between User Identity and System Platform domains.","title":"The Global Troubleshooting Framework: Identity vs. Platform"},{"content":"The Scenario A Tier 1 technician spends 45 minutes \u0026ldquo;trying things\u0026rdquo; to fix a recurring application crash or a VPN disconnect without success. In an MSP environment, time is the most expensive resource. To resolve L2 escalations effectively, you have to stop guessing and start looking for the \u0026ldquo;smoking gun\u0026rdquo; in the logs.\nAs an escalation engineer, I use a targeted triage map to cut through the noise and identify root causes in seconds, not hours.\nThe Technical Deep-Dive Below is the master reference I use to determine which log to pull based on the symptom reported. 
Using a standardized lookup method ensures that data, not intuition, drives the resolution.\nThe Log Lookup Table Issue / Symptom Primary Log Source What to Look For BSOD / System Crash Event Viewer \u0026gt; System Source: BugCheck (Event ID 1001) App Freeze/Crash Event Viewer \u0026gt; Application Event ID 1000 (Check Faulting Module) Entra ID Login Failure Entra ID \u0026gt; Sign-in Logs Error 50126 (Creds) or 50074 (MFA) GPO Failures Event Viewer \u0026gt; System Source: Microsoft-Windows-GroupPolicy Disk Performance Event Viewer \u0026gt; System Source: Disk (Look for \u0026ldquo;Bad Blocks\u0026rdquo;) Update Failures PowerShell: Get-WindowsUpdateLog Check CBS.log for [SR] repair tags VPN Driver Issues C:\\Windows\\inf\\setupapi.dev.log Driver/WAN Miniport install conflicts Identifying the \u0026ldquo;Faulting Module\u0026rdquo; When reviewing Event ID 1000 in the Application log, the most critical data point is the Faulting Module Path.\nIf the module is a .dll within the application’s own folder, the app itself is likely corrupt. If the module is ntdll.dll or kernel32.dll, you are likely dealing with a deeper OS-level conflict or memory instability. Engineering Solutions MTTR Reduction: By standardizing log review, we reduce the Mean Time to Resolution and prevent \u0026ldquo;ticket bouncing\u0026rdquo; between internal teams. Proactive Monitoring: I advocate for using RMM alerts to trigger automated diagnostic scripts the moment specific Event IDs (like Disk Bad Blocks) are detected, often solving the issue before the client even notices a performance dip. ","permalink":"https://avanster.tech/posts/msp-log-triage-map/","summary":"\u003ch3 id=\"the-scenario\"\u003eThe Scenario\u003c/h3\u003e\n\u003cp\u003eA Tier 1 technician spends 45 minutes \u0026ldquo;trying things\u0026rdquo; to fix a recurring application crash or a VPN disconnect without success. In an MSP environment, time is the most expensive resource. 
To resolve L2 escalations effectively, you have to stop guessing and start looking for the \u0026ldquo;smoking gun\u0026rdquo; in the logs.\u003c/p\u003e\n\u003cp\u003eAs an escalation engineer, I use a targeted triage map to cut through the noise and identify root causes in seconds, not hours.\u003c/p\u003e","title":"The MSP Triage Map: Which Logs to Check (And When)"},{"content":"The Scenario A client reports that their new VoIP system has \u0026ldquo;one-way audio,\u0026rdquo; or perhaps a remote worker is unable to establish a stable VPN tunnel. In the MSP world, these tickets often land on the escalation desk when standard troubleshooting fails.\nThe culprit is frequently a misunderstanding of how Network Address Translation (NAT) is handling traffic between the private LAN and the public internet.\nThe Technical Deep-Dive NAT was designed as a temporary solution to IPv4 address exhaustion, but it has become a permanent pillar of networking. It allows thousands of internal devices with private IPs to communicate with the world using a single Public IP address.\nThe Three Primary Types of NAT Static NAT (One-to-One): Maps a single private IP to a single public IP. This is primarily used for hosting internal servers (like a Web or Mail server) that must be consistently reachable from the outside. Dynamic NAT: Maps private IPs to the \u0026ldquo;next available\u0026rdquo; IP address from a pool of public addresses. PAT (Port Address Translation): Also known as \u0026ldquo;NAT Overload.\u0026rdquo; This is the most common configuration where an entire office shares one public IP. The firewall uses unique port numbers to distinguish which internal device requested which external packet. Engineering Solutions Effective infrastructure management requires solving the \u0026ldquo;edge cases\u0026rdquo; where NAT breaks standard communication:\nSolving Double NAT: This occurs when an ISP-provided modem and a secondary corporate firewall are both performing NAT. 
This creates a \u0026ldquo;translation within a translation\u0026rdquo; that breaks protocols like IPsec and SIP. The engineering fix is always placing the ISP modem into Bridge Mode. Implementing NAT Hairpinning: Also called Loopback NAT, this allows internal users to access a local server using its Public DNS URL. Without this, the firewall would drop the packet as it tries to exit and re-enter the same interface. Interested in data-driven infrastructure management? Connect with me on LinkedIn or browse my Script Library.\n","permalink":"https://avanster.tech/posts/understanding-nat/","summary":"\u003ch3 id=\"the-scenario\"\u003eThe Scenario\u003c/h3\u003e\n\u003cp\u003eA client reports that their new VoIP system has \u0026ldquo;one-way audio,\u0026rdquo; or perhaps a remote worker is unable to establish a stable VPN tunnel. In the MSP world, these tickets often land on the escalation desk when standard troubleshooting fails.\u003c/p\u003e\n\u003cp\u003eThe culprit is frequently a misunderstanding of how \u003cstrong\u003eNetwork Address Translation (NAT)\u003c/strong\u003e is handling traffic between the private LAN and the public internet.\u003c/p\u003e\n\u003ch3 id=\"the-technical-deep-dive\"\u003eThe Technical Deep-Dive\u003c/h3\u003e\n\u003cp\u003eNAT was designed as a temporary solution to IPv4 address exhaustion, but it has become a permanent pillar of networking. 
It allows thousands of internal devices with private IPs to communicate with the world using a single Public IP address.\u003c/p\u003e","title":"NAT Demystified: The Engine of Modern MSP Networking"},{"content":"The Scenario A remote user connects to the VPN and the client status shows \u0026ldquo;Connected.\u0026rdquo; Curiously, while the user can successfully ping an internal file server at 192.168.1.50, they are unable to map network drives, DNS resolution fails, and internal web applications refuse to load.\nIn an MSP environment, this \u0026ldquo;Ping Paradox\u0026rdquo; often leads Tier 1 technicians to believe the tunnel is healthy. However, as an escalation engineer, I recognize these as the classic symptoms of an IP Subnet Collision.\nThe Technical Deep-Dive A collision occurs when the user’s Local LAN (Home Wi-Fi) uses the exact same IP address range as the Remote Corporate Network. Because the vast majority of consumer routers default to 192.168.1.x/24 or 192.168.0.x/24, routing conflicts are inevitable when corporate networks utilize these same common ranges.\nThe Mechanics of the \u0026ldquo;Ping Paradox\u0026rdquo; The ability to ping despite a collision usually stems from two networking behaviors:\nLongest Prefix Match: If the VPN client injects a specific host route (192.168.1.50/32) into the routing table, that route is \u0026ldquo;more specific\u0026rdquo; than the local LAN\u0026rsquo;s /24 route. The ping succeeds because it follows the narrowest path, even though broader traffic (like DNS) is still being routed to the local home network. Interface Metric Priority: If the VPN’s virtual adapter is assigned a lower \u0026ldquo;Metric\u0026rdquo; (higher priority) than the local Wi-Fi, the OS will attempt to route ICMP traffic through the tunnel first. Higher-level protocols, however, often fail to initialize when a conflicting gateway exists on two active interfaces. 
Engineering Solutions Network Re-addressing: The most robust long-term fix involves moving corporate production networks to \u0026ldquo;uncommon\u0026rdquo; RFC1918 ranges (e.g., obscure blocks within 172.16.x.x or 10.x.x.x) to stay clear of consumer-grade defaults. Policy NAT (Network Address Translation): When re-addressing isn\u0026rsquo;t an option, we can configure the VPN gateway to \u0026ldquo;mask\u0026rdquo; the internal network as a different range for remote users. This allows connectivity via a non-conflicting IP without requiring internal server changes. ","permalink":"https://avanster.tech/posts/vpn-subnet-collisions/","summary":"\u003ch3 id=\"the-scenario\"\u003eThe Scenario\u003c/h3\u003e\n\u003cp\u003eA remote user connects to the VPN and the client status shows \u0026ldquo;Connected.\u0026rdquo; Curiously, while the user can successfully \u003cstrong\u003eping\u003c/strong\u003e an internal file server at \u003ccode\u003e192.168.1.50\u003c/code\u003e, they are unable to map network drives, DNS resolution fails, and internal web applications refuse to load.\u003c/p\u003e\n\u003cp\u003eIn an MSP environment, this \u0026ldquo;Ping Paradox\u0026rdquo; often leads Tier 1 technicians to believe the tunnel is healthy. However, as an escalation engineer, I recognize these as the classic symptoms of an IP Subnet Collision.\u003c/p\u003e","title":"The VPN 'Ping Paradox': Solving IP Subnet Collisions"},{"content":"When a new 0-day vulnerability or a suspicious file hash is identified, waiting for a scheduled scan is not an option. This PowerShell tool utilizes the SentinelOne Management API to \u0026ldquo;scrape\u0026rdquo; the entire fleet for specific indicators of compromise (IOCs).\n1. The Workflow The script performs the following steps:\nAuthentication: Connects via API Token to the S1 Management Console. Query: Requests a list of all endpoints where a specific file hash or process has been detected in the last 24 hours. 
Reporting: Generates a CSV list of infected Hostnames, IP addresses, and the \u0026ldquo;Detection State\u0026rdquo; (Mitigated vs. Active). 2. The Implementation # S1 API Configuration $ApiToken = \u0026#34;YOUR_API_TOKEN\u0026#34; $BaseUrl = \u0026#34;https://your-console.sentinelone.net/web/api/v2.1\u0026#34; $Header = @{ \u0026#34;Authorization\u0026#34; = \u0026#34;Token $ApiToken\u0026#34; } # Define the Threat Hash to hunt for $TargetHash = \u0026#34;e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\u0026#34; # Search for the hash across the site $Response = Invoke-RestMethod -Uri \u0026#34;$BaseUrl/threats?contentHashes=$TargetHash\u0026#34; -Method Get -Headers $Header if ($Response.data) { Write-Host \u0026#34;ALERT: Threat detected on $($Response.data.count) endpoints!\u0026#34; -ForegroundColor Red $Response.data | Select-Object computerName, lastActiveDate, threatName | Export-Csv -Path \u0026#34;./ThreatReport.csv\u0026#34; } else { Write-Host \u0026#34;Clear: No matches found for the target hash.\u0026#34; -ForegroundColor Green } ","permalink":"https://avanster.tech/library/s1-threat-scraper/","summary":"\u003cp\u003eWhen a new 0-day vulnerability or a suspicious file hash is identified, waiting for a scheduled scan is not an option. This PowerShell tool utilizes the SentinelOne Management API to \u0026ldquo;scrape\u0026rdquo; the entire fleet for specific indicators of compromise (IOCs).\u003c/p\u003e\n\u003ch3 id=\"1-the-workflow\"\u003e1. 
The Workflow\u003c/h3\u003e\n\u003cp\u003eThe script performs the following steps:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e Connects via API Token to the S1 Management Console.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQuery:\u003c/strong\u003e Requests a list of all endpoints where a specific file hash or process has been detected in the last 24 hours.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReporting:\u003c/strong\u003e Generates a CSV list of infected Hostnames, IP addresses, and the \u0026ldquo;Detection State\u0026rdquo; (Mitigated vs. Active).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"2-the-implementation\"\u003e2. The Implementation\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# S1 API Configuration\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$ApiToken = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;YOUR_API_TOKEN\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$BaseUrl = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;https://your-console.sentinelone.net/web/api/v2.1\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$Header = @{ \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Authorization\u0026#34;\u003c/span\u003e = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Token \u003c/span\u003e$ApiToken\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e 
}\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Define the Threat Hash to hunt for\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$TargetHash = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Search for the hash across the site\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$Response = Invoke-RestMethod -Uri \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e$BaseUrl\u003cspan style=\"color:#e6db74\"\u003e/threats?contentHashes=\u003c/span\u003e$TargetHash\u003cspan style=\"color:#e6db74\"\u003e\u0026#34;\u003c/span\u003e -Method Get -Headers $Header\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#66d9ef\"\u003eif\u003c/span\u003e ($Response.data) {\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    Write-Host \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;ALERT: Threat detected on \u003c/span\u003e$($Response.data.count)\u003cspan style=\"color:#e6db74\"\u003e endpoints!\u0026#34;\u003c/span\u003e -ForegroundColor Red\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    $Response.data | Select-Object computerName, lastActiveDate, threatName | Export-Csv -Path \u003cspan 
style=\"color:#e6db74\"\u003e\u0026#34;./ThreatReport.csv\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e} \u003cspan style=\"color:#66d9ef\"\u003eelse\u003c/span\u003e {\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    Write-Host \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;Clear: No matches found for the target hash.\u0026#34;\u003c/span\u003e -ForegroundColor Green\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e}\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"SecOps: SentinelOne Global Threat Scraper"},{"content":"You can have the most expensive, lightning-fast immutable backup array in the world, but if your lead engineer is panicking and your documentation is trapped inside the server that just went down, your architecture has failed.\nIn my experience as an L2 Escalation specialist, I’ve seen that the \u0026ldquo;Human Element\u0026rdquo; is the most unpredictable variable in any Disaster Recovery (DR) plan.\n1. The Paradox of Digital Documentation Many teams store their \u0026ldquo;How-to-Recover\u0026rdquo; guides on the very infrastructure they are trying to recover. If the SAN is dead, your recovery PDF is dead too. The Fix: I advocate for \u0026ldquo;Out-of-Band\u0026rdquo; documentation—secure, offline, or cloud-native copies (like an encrypted Git repository or a physical \u0026ldquo;Break-Glass\u0026rdquo; binder) that are accessible even when the primary network is dark.\n2. Decision Paralysis During a ransomware event, the sheer volume of alerts creates \u0026ldquo;Analysis Paralysis.\u0026rdquo; Without a pre-defined Command Structure, engineers often duplicate work or, worse, overwrite clean backups with corrupted data. 
The Fix: Every DR plan must have a designated \u0026ldquo;Incident Commander\u0026rdquo; whose only job is to manage the timeline and communication, leaving the engineers to focus on the restoration.\n3. The \u0026ldquo;Hero\u0026rdquo; Culture vs. The Process We love the idea of the engineer who stays up for 48 hours to save the company. In reality, a tired engineer makes 10x more mistakes. The Fix: True resilience is built on Rotational Shifts and Automated Runbooks. If your recovery depends on one specific person being awake, you don\u0026rsquo;t have a plan; you have a prayer.\nConclusion Disaster Recovery is 20% technology and 80% psychology. A Systems Engineer’s job is to build the automation that keeps the humans calm enough to do their jobs.\n","permalink":"https://avanster.tech/posts/human-factor-in-dr/","summary":"\u003cp\u003eYou can have the most expensive, lightning-fast immutable backup array in the world, but if your lead engineer is panicking and your documentation is trapped inside the server that just went down, your architecture has failed.\u003c/p\u003e\n\u003cp\u003eIn my experience as an L2 Escalation specialist, I’ve seen that the \u0026ldquo;Human Element\u0026rdquo; is the most unpredictable variable in any Disaster Recovery (DR) plan.\u003c/p\u003e\n\u003ch3 id=\"1-the-paradox-of-digital-documentation\"\u003e1. The Paradox of Digital Documentation\u003c/h3\u003e\n\u003cp\u003eMany teams store their \u0026ldquo;How-to-Recover\u0026rdquo; guides on the very infrastructure they are trying to recover. 
If the SAN is dead, your recovery PDF is dead too.\n\u003cstrong\u003eThe Fix:\u003c/strong\u003e I advocate for \u0026ldquo;Out-of-Band\u0026rdquo; documentation—secure, offline, or cloud-native copies (like an encrypted Git repository or a physical \u0026ldquo;Break-Glass\u0026rdquo; binder) that are accessible even when the primary network is dark.\u003c/p\u003e","title":"The Human Factor: Why Great Backups Fail During Disasters"},{"content":"In modern infrastructure, \u0026ldquo;Backup\u0026rdquo; is not a task—it is a foundational pillar of security. For an MSP managing hundreds of endpoints, a simple file-copy isn\u0026rsquo;t enough. Here is how I architect systems to survive ransomware and site-wide disasters.\n1. The 3-2-1-1 Framework I advocate for an evolved version of the classic 3-2-1 rule, specifically designed for remote-first workforces:\n3 Copies of Data: Primary, local secondary, and offsite tertiary. 2 Different Media: Utilizing localized NAS storage for fast LAN recovery and cloud-native repositories. 1 Offsite Location: Ensuring data is physically separated from the primary site. 1 Immutable Copy: Utilizing S3 Object Lock or Air-gapping to ensure backups cannot be deleted by compromised credentials. 2. The Infrastructure Stack My preferred approach utilizes a unified management plane to reduce \u0026ldquo;Shadow Data\u0026rdquo;:\nLocal Recovery: On-premise appliances for rapid virtualization of failed servers (Instant Recovery). Cloud Orchestration: Encrypted transit to Azure Blob or Wasabi using AES-256 encryption. Automated Verification: Daily boot-testing to ensure a backup isn\u0026rsquo;t just \u0026ldquo;successful,\u0026rdquo; but actually \u0026ldquo;bootable.\u0026rdquo; 3. Measuring Success (RTO vs RPO) As a Systems Engineer, my goal is to reduce the \u0026ldquo;Human Element\u0026rdquo; in the recovery chain. A backup plan is only as good as the last successful restore test. 
I treat Backup Infrastructure as \u0026ldquo;Production-Minus-One\u0026rdquo;—it must be as hardened and monitored as the live environment.\nConclusion Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are the only metrics that matter. If the restoration process requires manual intervention, the architecture has failed.\n","permalink":"https://avanster.tech/posts/msp-backup-strategy/","summary":"\u003cp\u003eIn modern infrastructure, \u0026ldquo;Backup\u0026rdquo; is not a task—it is a foundational pillar of security. For an MSP managing hundreds of endpoints, a simple file-copy isn\u0026rsquo;t enough. Here is how I architect systems to survive ransomware and site-wide disasters.\u003c/p\u003e\n\u003ch3 id=\"1-the-3-2-1-1-framework\"\u003e1. The 3-2-1-1 Framework\u003c/h3\u003e\n\u003cp\u003eI advocate for an evolved version of the classic 3-2-1 rule, specifically designed for remote-first workforces:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003e3 Copies of Data:\u003c/strong\u003e Primary, local secondary, and offsite tertiary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e2 Different Media:\u003c/strong\u003e Utilizing localized NAS storage for fast LAN recovery and cloud-native repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e1 Offsite Location:\u003c/strong\u003e Ensuring data is physically separated from the primary site.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e1 Immutable Copy:\u003c/strong\u003e Utilizing \u003cstrong\u003eS3 Object Lock\u003c/strong\u003e or Air-gapping to ensure backups cannot be deleted by compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"2-the-infrastructure-stack\"\u003e2. 
The Infrastructure Stack\u003c/h3\u003e\n\u003cp\u003eMy preferred approach utilizes a unified management plane to reduce \u0026ldquo;Shadow Data\u0026rdquo;:\u003c/p\u003e","title":"Resilient Data: Architecting a 3-2-1-1 Backup Strategy for MSPs"},{"content":"Stale accounts are a primary vector for lateral movement in a compromised network. This script automates the \u0026ldquo;Sanitization\u0026rdquo; phase of identity management by identifying and disabling dormant accounts.\n1. The Logic Flow The script follows a safe-failure logic to ensure no critical service accounts are accidentally disabled:\nTargeting: Narrowly scopes the search to specific User OUs. Evaluation: Filters for LastLogonDate older than 90 days. Action: Disables the account and logs the event for auditing. 2. The Implementation # Configuration $DaysInactive = -90 $TargetDate = (Get-Date).AddDays($DaysInactive) $LogPath = \u0026#34;C:\\Logs\\AD_Cleanup_$(Get-Date -Format \u0026#39;yyyyMMdd\u0026#39;).log\u0026#34; # Fetch and Process Get-ADUser -Filter \u0026#39;LastLogonDate -lt $TargetDate -and Enabled -eq $true\u0026#39; -Properties LastLogonDate | ForEach-Object { $User = $_.SamAccountName try { # Use -WhatIf for safety during testing Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction Stop Add-Content -Path $LogPath -Value \u0026#34;SUCCESS: Disabled $User (Last Login: $($_.LastLogonDate))\u0026#34; } catch { Add-Content -Path $LogPath -Value \u0026#34;ERROR: Failed to disable $User. Check permissions.\u0026#34; } } ","permalink":"https://avanster.tech/library/active-directory-user-cleanup/","summary":"\u003cp\u003eStale accounts are a primary vector for lateral movement in a compromised network. This script automates the \u0026ldquo;Sanitization\u0026rdquo; phase of identity management by identifying and disabling dormant accounts.\u003c/p\u003e\n\u003ch3 id=\"1-the-logic-flow\"\u003e1. 
The Logic Flow\u003c/h3\u003e\n\u003cp\u003eThe script follows a safe-failure logic to ensure no critical service accounts are accidentally disabled:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTargeting:\u003c/strong\u003e Narrowly scopes the search to specific User OUs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvaluation:\u003c/strong\u003e Filters for \u003ccode\u003eLastLogonDate\u003c/code\u003e older than 90 days.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAction:\u003c/strong\u003e Disables the account and logs the event for auditing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 id=\"2-the-implementation\"\u003e2. The Implementation\u003c/h3\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Configuration\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$DaysInactive = \u003cspan style=\"color:#ae81ff\"\u003e-90\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$TargetDate = (Get-Date).AddDays($DaysInactive)\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$LogPath = \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;C:\\Logs\\AD_Cleanup_\u003c/span\u003e$(Get-Date -Format \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;yyyyMMdd\u0026#39;\u003c/span\u003e)\u003cspan style=\"color:#e6db74\"\u003e.log\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Fetch and 
Process\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-ADUser -Filter \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;LastLogonDate -lt $TargetDate -and Enabled -eq $true\u0026#39;\u003c/span\u003e -Properties LastLogonDate | \n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    ForEach-Object {\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        $User = $_.SamAccountName\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        \u003cspan style=\"color:#66d9ef\"\u003etry\u003c/span\u003e {\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            \u003cspan style=\"color:#75715e\"\u003e# Use -WhatIf for safety during testing\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction Stop\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            Add-Content -Path $LogPath -Value \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;SUCCESS: Disabled \u003c/span\u003e$User\u003cspan style=\"color:#e6db74\"\u003e (Last Login: \u003c/span\u003e$($_.LastLogonDate)\u003cspan style=\"color:#e6db74\"\u003e)\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        } \u003cspan style=\"color:#66d9ef\"\u003ecatch\u003c/span\u003e {\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e            Add-Content -Path $LogPath -Value \u003cspan style=\"color:#e6db74\"\u003e\u0026#34;ERROR: Failed to disable \u003c/span\u003e$User\u003cspan style=\"color:#e6db74\"\u003e. 
Check permissions.\u0026#34;\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e        }\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e    }\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e","title":"AD Automation: Inactive Account Reaper"},{"content":"Script Overview This script scans the \u0026lsquo;Users\u0026rsquo; OU and disables accounts that haven\u0026rsquo;t logged in for 90 days.\n# Get inactive users $date = (Get-Date).AddDays(-90) Get-ADUser -Filter \u0026#39;LastLogonDate -lt $date\u0026#39; | Disable-ADAccount Note: Always run this in -WhatIf mode first!\n","permalink":"https://avanster.tech/library/sample-script/","summary":"\u003ch3 id=\"script-overview\"\u003eScript Overview\u003c/h3\u003e\n\u003cp\u003eThis script scans the \u0026lsquo;Users\u0026rsquo; OU and disables accounts that haven\u0026rsquo;t logged in for 90 days.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;\"\u003e\u003ccode class=\"language-powershell\" data-lang=\"powershell\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e\u003cspan style=\"color:#75715e\"\u003e# Get inactive users\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003e$date = (Get-Date).AddDays(\u003cspan style=\"color:#ae81ff\"\u003e-90\u003c/span\u003e)\n\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003eGet-ADUser -Filter \u003cspan style=\"color:#e6db74\"\u003e\u0026#39;LastLogonDate -lt $date\u0026#39;\u003c/span\u003e | Disable-ADAccount\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003chr\u003e\n\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Always 
run this in -WhatIf mode first!\u003c/p\u003e\n\u003c/blockquote\u003e","title":"AD User Cleanup Script"},{"content":"Most portfolios live on shared hosting—cheap, easy, but restricted. For my infrastructure, I chose a Virtual Private Server (VPS). Here’s why a Systems Engineer treats their \u0026ldquo;home on the web\u0026rdquo; like a production environment.\n1. The Isolation Advantage On shared hosting, you are at the mercy of your \u0026ldquo;neighbors.\u0026rdquo; If another site on the same IP gets hit with a DDoS or runs a malicious script, your site slows down or goes dark. On my VPS, my vCPU and RAM are mine alone.\n2. Full Root Authority Shared hosting gives you a file manager; a VPS gives you the Terminal. This allowed me to:\nImplement a UFW Firewall to drop unauthorized traffic. Disable Root SSH Login to prevent brute-force attacks. Deploy Nginx specifically tuned for my latency requirements. 3. End-to-End Encryption Instead of relying on a generic shared certificate, I managed my own SSL handshake using Certbot and Let\u0026rsquo;s Encrypt, then integrated it with Cloudflare\u0026rsquo;s Full (Strict) mode.\nConclusion A portfolio is more than a resume; it’s a proof of concept. By managing the underlying Linux kernel and network stack myself, I’m not just showing my work—I\u0026rsquo;m demonstrating the skills I use to protect enterprise data.\n","permalink":"https://avanster.tech/posts/securing-the-perimeter/","summary":"\u003cp\u003eMost portfolios live on shared hosting—cheap, easy, but restricted. For my infrastructure, I chose a \u003cstrong\u003eVirtual Private Server (VPS)\u003c/strong\u003e. Here’s why a Systems Engineer treats their \u0026ldquo;home on the web\u0026rdquo; like a production environment.\u003c/p\u003e\n\u003ch3 id=\"1-the-isolation-advantage\"\u003e1. 
The Isolation Advantage\u003c/h3\u003e\n\u003cp\u003eOn shared hosting, you are at the mercy of your \u0026ldquo;neighbors.\u0026rdquo; If another site on the same IP gets hit with a DDoS or runs a malicious script, your site slows down or goes dark. On my VPS, my \u003cstrong\u003evCPU and RAM\u003c/strong\u003e are mine alone.\u003c/p\u003e","title":"Securing the Perimeter: Why I chose a VPS over Shared Hosting"},{"content":" Feel free to reach out using the form below! Send Message ","permalink":"https://avanster.tech/contact/","summary":"\u003cdiv id=\"contact-intro\"\u003e\nFeel free to reach out using the form below!\n\u003c/div\u003e\n\u003cdiv id=\"contact-wrapper\"\u003e\n  \u003cform id=\"ajax-form\" action=\"https://formspree.io/f/mreezkkz\" method=\"POST\" style=\"display: flex; flex-direction: column; gap: 15px; max-width: 500px;\"\u003e\n    \u003cinput type=\"text\" name=\"name\" placeholder=\"Your Name\" required style=\"padding: 12px; border-radius: 5px; border: 1px solid #ccc; background: white; color: black; font-family: inherit; font-size: 1rem;\"\u003e\n    \u003cinput type=\"email\" name=\"email\" placeholder=\"Your Email\" required style=\"padding: 12px; border-radius: 5px; border: 1px solid #ccc; background: white; color: black; font-family: inherit; font-size: 1rem;\"\u003e\n    \u003ctextarea name=\"message\" placeholder=\"How can I help?\" rows=\"5\" required style=\"padding: 12px; border-radius: 5px; border: 1px solid #ccc; background: white; color: black; font-family: inherit; font-size: 1rem;\"\u003e\u003c/textarea\u003e\n    \n    \u003cbutton type=\"submit\" id=\"submit-btn\" style=\"padding: 12px; background: #222; color: #fff; border: none; border-radius: 5px; cursor: pointer; font-weight: bold; font-family: inherit; font-size: 1rem;\"\u003e\n      Send Message\n    \u003c/button\u003e\n    \u003cp id=\"form-status\" style=\"margin-top: 10px; font-family: inherit;\"\u003e\u003c/p\u003e","title":"Contact"},{"content":"👤 ALFRED VAN 
STER Systems Engineer | SME • 📍 Cape Town (Remote | 100% Uptime UPS)\n📧 alfred@avanster.tech • 🌐 avanster.tech • 📞 +27794695530\n📄 PROFESSIONAL SUMMARY Performance-driven Systems Engineer and Subject Matter Expert (SME) with over 5 years of experience in technical troubleshooting and infrastructure automation. Currently serving as a Service Engagement Manager (SEM) for four key clients and a Level 2 escalation point for complex technical failures. Expert in the MSP \u0026ldquo;Power Stack,\u0026rdquo; specializing in TS Plus environments, ConnectWise Asio, N-able, and Jamf. Advanced proficiency in architecting scripting solutions to manage cloud identity and secure remote infrastructure.\n🛠️ TECHNICAL SKILLS PROFILE ☁️ Cloud \u0026amp; Identity: Microsoft Entra ID (Azure AD), M365 Admin Center, Google Workspace, Azure Cloud, Keeper (PAM). 🛡️ Networking \u0026amp; Security: TS Plus (Application Delivery), SentinelOne (S1), Cisco Meraki, IronScales, SonicWall, Cisco AnyConnect. 🖥️ RMM \u0026amp; Orchestration: ConnectWise Asio, N-able (RMM/N-central), Jamf (Apple Device Management), IT Glue, ScreenConnect, BeyondTrust. 📜 Automation \u0026amp; ITSM: Advanced Scripting (Automation), Bash, Zendesk, ConnectWise PSA, Jira Service Management. 💼 PROFESSIONAL EXPERIENCE IT SUPPORT TECHNICIAN (L2 ESCALATIONS \u0026amp; SME) | Fortis \u0026amp; Cerge Nov 2022 – Present\nSME \u0026amp; Escalation Lead: Act as the primary Subject Matter Expert and escalation point for complex identity and access issues within Entra ID and M365 environments. Service Engagement Management: Serve as the designated SEM for four primary clients, overseeing technical strategy, service delivery, and high-level stakeholder communication. Application Delivery: Administer and optimize TS Plus environments to ensure secure, high-availability remote application access and server stability. 
Infrastructure Automation: Developed and deployed custom scripts to automate repetitive administrative tasks, significantly reducing manual ticket processing time. Security \u0026amp; Compliance: Manage threat hunting and incident remediation using SentinelOne and IronScales; enforced zero-trust security via Keeper and MFA. Apple Fleet Management: Implemented and managed device enrollment and security policies using Jamf for macOS and iOS deployments. Network Security: Maintain and troubleshoot SonicWall VPN tunnels and Cisco AnyConnect clients, resolving complex VLAN and DNS issues. SYSTEMS INTEGRATION SPECIALIST | Maitland Group S.A Feb 2010 – Jan 2013\nIdentified and initiated technical repairs for system process failures, mitigating critical risk exposures for the risk management team. Performed real-time reconciliation of financial systems to ensure accurate and timeous data integration. 🎓 CERTIFICATIONS \u0026amp; EDUCATION CompTIA A+ \u0026amp; Network+: Knowledge Domains Completed. Cisco CCNA: Coursework \u0026amp; Network Labs Completed. Certificate in Business Administration: University of South Africa. Certificate in Wealth Management: INSETA. ","permalink":"https://avanster.tech/resume/","summary":"\u003ch1 id=\"-alfred-van-ster\"\u003e👤 ALFRED VAN STER\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eSystems Engineer | SME\u003c/strong\u003e • 📍 Cape Town (Remote | 100% Uptime UPS)\u003cbr\u003e\n📧 \u003ca href=\"mailto:alfred@avanster.tech\"\u003ealfred@avanster.tech\u003c/a\u003e • 🌐 \u003ca href=\"https://avanster.tech\"\u003eavanster.tech\u003c/a\u003e • 📞 +27794695530\u003c/p\u003e\n\u003chr\u003e\n\u003ch3 id=\"-professional-summary\"\u003e📄 PROFESSIONAL SUMMARY\u003c/h3\u003e\n\u003cp\u003ePerformance-driven Systems Engineer and Subject Matter Expert (SME) with over 5 years of experience in technical troubleshooting and infrastructure automation. 
Currently serving as a Service Engagement Manager (SEM) for four key clients and a Level 2 escalation point for complex technical failures. Expert in the MSP \u0026ldquo;Power Stack,\u0026rdquo; specializing in TS Plus environments, ConnectWise Asio, N-able, and Jamf. Advanced proficiency in architecting scripting solutions to manage cloud identity and secure remote infrastructure.\u003c/p\u003e","title":"Resume"}]