Alfred van Ster

Architecting Resilient TS Plus Environments for Remote Workforces

Sun, 03 May 2026 00:00:00 +0000

Overview

Delivering remote applications seamlessly requires more than just opening an RDP port. In a modern Managed Service Provider (MSP) landscape, exposing internal servers directly to the internet is a critical security failure.

This guide breaks down the architecture required to build a highly available, secure TS Plus environment that guarantees uptime while strictly controlling access via a centralized gateway and external MFA.

The Architecture

A resilient TS Plus deployment separates the access layer from the execution layer. This ensures that a spike in user traffic or a targeted attack on the gateway does not crash the underlying application servers.

Cloud Identity: Entra ID Stale Guest Reaper

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

External guest accounts are frequently provisioned for vendors but rarely decommissioned, creating a lingering attack surface. This script uses the Microsoft Graph API to identify and remove guest accounts that have been inactive for over 90 days.

1. The Workflow

The script performs the following steps:

Authentication: Uses App Registration credentials to silently authenticate to MS Graph.
Filtering: Queries all users where userType equals “Guest”.
Evaluation: Checks the signInActivity property against a 90-day threshold.
Purge: Identifies stale guest accounts to close the security loop.

2. The Implementation

$ThresholdDate = (Get-Date).AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Url = "[https://graph.microsoft.com/beta/users](https://graph.microsoft.com/beta/users)?`$filter=userType eq 'Guest'&`$select=displayName,userPrincipalName,signInActivity"
$Guests = Invoke-RestMethod -Uri $Url -Method Get -Headers $Headers

foreach ($Guest in $Guests.value) {
 if ([string]::IsNullOrEmpty($Guest.signInActivity.lastSignInDateTime) -or ($Guest.signInActivity.lastSignInDateTime -lt $ThresholdDate)) {
 Write-Host "Stale Guest Found: $($Guest.displayName)"
 }
}

Endpoint Security: BitLocker Key Escrow to IT Glue

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

Relying on manual documentation for BitLocker recovery keys often results in locked data when an endpoint fails. This script automates the escrow process, pulling the active numeric password from the local disk and pushing it directly into an IT Glue configuration record via their REST API.

1. The Workflow

The script performs the following steps:

Extraction: Queries the WMI namespace for the active, 48-digit BitLocker Numeric Password on the OS drive.
Authentication: Connects to the IT Glue API using a secure organizational API key.
Payload Delivery: Matches the local Hostname to the IT Glue Configuration ID and PATCHes the “BitLocker Key” custom field with the extracted key.

2. The Implementation

# IT Glue API Configuration
$ITGKey = "YOUR_ITGLUE_API_KEY"
$ITGBaseUrl = "[https://api.itglue.com](https://api.itglue.com)"
$Header = @{
 "x-api-key" = $ITGKey
 "Content-Type" = "application/vnd.api+json"
}

$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryKey = ($BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword

$SearchUri = "$ITGBaseUrl/configurations?filter[name]=$env:COMPUTERNAME"
$ConfigRecord = Invoke-RestMethod -Uri $SearchUri -Method Get -Headers $Header

if ($ConfigRecord.data) {
 $Payload = @{
 data = @{
 type = "configurations"
 attributes = @{
 "custom-fields" = @{
 "bitlocker-recovery-key" = $RecoveryKey
 }
 }
 }
 } | ConvertTo-Json -Depth 10

 Invoke-RestMethod -Uri "$ITGBaseUrl/configurations/$($ConfigRecord.data[0].id)" -Method Patch -Headers $Header -Body $Payload
}

Enforcing Zero-Trust on macOS via Jamf and SentinelOne

Sun, 03 May 2026 00:00:00 +0000

Overview

Managing Apple devices in a predominantly Windows-centric MSP environment is often treated as an afterthought. However, relying on basic MDM profiles is no longer sufficient. To achieve true Zero-Trust, macOS fleets require the same stringent Endpoint Detection and Response (EDR) and identity controls as their Windows counterparts.

This guide details the architectural implementation of enforcing Zero-Trust on macOS using Jamf Pro for orchestration, SentinelOne for threat hunting, and Keeper for MFA-backed identity management.

Infrastructure: Hyper-V Orphaned Snapshot Monitor

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

A common L3 infrastructure issue is technicians taking a VM checkpoint before an update and forgetting to delete it. This script scans for stale snapshots and fires an alert to a Microsoft Teams or Slack webhook.

1. The Workflow

The script performs the following steps:

Discovery: Scans the local Hyper-V host for all active checkpoints.
Evaluation: Compares the creation date of the snapshot against a 7-day threshold.
Alerting: If stale snapshots exist, it constructs a JSON payload and POSTs it to a designated webhook URL.

2. The Implementation

$ThresholdDate = (Get-Date).AddDays(-7)
$StaleSnapshots = Get-VM | Get-VMSnapshot | Where-Object { $_.CreationTime -lt $ThresholdDate }

if ($StaleSnapshots) {
 $Payload = @{ text = "⚠️ Orphaned Snapshots Detected on $env:COMPUTERNAME" } | ConvertTo-Json
 Invoke-RestMethod -Uri "[https://your-webhook.url](https://your-webhook.url)" -Method Post -Body $Payload -ContentType "application/json"
}

Infrastructure: Windows Server DNS Stale Record Scavenger

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

In dynamic DHCP environments, DNS zones become polluted with stale A-records. This script provides a surgical, auditable way to identify and purge stale DNS records older than a defined threshold.

1. The Workflow

The script performs the following steps:

Targeting: Selects a specific internal DNS zone.
Evaluation: Pulls all A records and compares the Timestamp against a 14-day threshold.
Execution: Exports a CSV log of the stale records before actively removing them from the server.

2. The Implementation

$ZoneName = "internal.avanster.tech"
$ThresholdDate = (Get-Date).AddDays(-14)

$Records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType "A"
foreach ($Record in $Records) {
 if ($Record.Timestamp -ne $null -and $Record.Timestamp -lt $ThresholdDate) {
 Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $Record -Force
 Write-Host "[-] Removed: $($Record.HostName)"
 }
}

M365 Security: Unauthorized Mailbox Forwarding Auditor

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

A classic BEC tactic involves configuring an inbox rule to forward emails to an external address. This script audits an entire Exchange Online tenant for any mailboxes with active forwarding rules to external domains.

1. The Workflow

The script performs the following steps:

Connection: Authenticates to Exchange Online via module parameters.
Auditing: Iterates through all user mailboxes checking forwarding properties.
Evaluation: Compares the forwarding destination against the tenant’s accepted domains.
Alerting: Outputs a high-priority warning if external exfiltration is detected.

2. The Implementation

Connect-ExchangeOnline -ShowBanner:$false
$AcceptedDomains = (Get-AcceptedDomain).Name

foreach ($Mailbox in (Get-Mailbox -ResultSize Unlimited)) {
 if ($Mailbox.ForwardingSmtpAddress) {
 $ForwardDestination = $Mailbox.ForwardingSmtpAddress.Replace("smtp:","")
 if ($ForwardDestination -notmatch ($AcceptedDomains -join "|")) {
 Write-Host "⚠️ EXTERNAL FORWARD: $($Mailbox.UserPrincipalName) -> $ForwardDestination" -ForegroundColor Red
 }
 }
}

Networking: Cisco Meraki Automated Configuration Backup

Sun, 03 May 2026 00:00:00 +0000

The Workflow
The Implementation

Meraki dashboards are convenient, but if an admin accidentally modifies a critical firewall rule, rolling back is a nightmare. This Python script uses the Meraki Dashboard API to serialize your network configurations into a secure JSON format.

1. The Workflow

The script performs the following steps:

Authentication: Initializes the Meraki SDK using a read-only API key.
Iteration: Loops through the Organization to find all active Networks.
Extraction: Pulls VLAN subnets, SSID configurations, and MX L3 Firewall rules.
Serialization: Dumps the state into a structured JSON file.

2. The Implementation

import meraki
import json
from datetime import datetime

API_KEY = 'YOUR_MERAKI_API_KEY'
ORG_ID = 'YOUR_ORG_ID'
dashboard = meraki.DashboardAPI(API_KEY, suppress_logging=True)

def backup_network_config():
 networks = dashboard.organizations.getOrganizationNetworks(ORG_ID)
 backup_data = {}
 for net in networks:
 net_id = net['id']
 net_name = net['name']
 backup_data[net_name] = {'vlans': dashboard.appliance.getNetworkApplianceVlans(net_id)}

 filename = f"meraki_backup_{datetime.now().strftime('%Y%m%d')}.json"
 with open(filename, 'w') as f:
 json.dump(backup_data, f, indent=4)

Zero-Touch M365 Offboarding with n8n, Docker, and PowerShell

Sun, 03 May 2026 00:00:00 +0000

Overview

In a Managed Service Provider (MSP) environment, manual offboarding is a massive liability. Missing a step when revoking access can lead to data breaches, compliance violations, and wasted licensing costs.

This guide outlines an architectural approach to “Zero-Touch” offboarding, leveraging a self-hosted n8n instance running in Docker to trigger a robust PowerShell workflow that interacts directly with the Microsoft Graph API.

The Architecture

Relying on technicians to manually run scripts on their local machines creates bottlenecks. By containerizing the automation engine, we achieve predictable, auditable execution.

The Global Troubleshooting Framework: Identity vs. Platform

Mon, 20 Apr 2026 00:00:00 +0000

A strategic diagnostic approach to cut through the noise of L2 escalations by distinguishing between User Identity and System Platform domains.

The MSP Triage Map: Which Logs to Check (And When)

Thu, 15 Jan 2026 12:00:00 +0200

A master reference guide for identifying the correct logs to resolve common MSP service desk escalations.

NAT Demystified: The Engine of Modern MSP Networking

Thu, 15 Jan 2026 11:00:00 +0200

A comprehensive guide to NAT types, use cases, and common MSP troubleshooting scenarios like Double NAT and Hairpinning.

The VPN 'Ping Paradox': Solving IP Subnet Collisions

Thu, 15 Jan 2026 10:00:00 +0200

Why can you ping a server but not access its data? A deep dive into IP subnet collisions in remote work environments.

SecOps: SentinelOne Global Threat Scraper

Sat, 10 Jan 2026 11:00:00 +0000

When a new 0-day vulnerability or a suspicious file hash is identified, waiting for a scheduled scan is not an option. This PowerShell tool utilizes the SentinelOne Management API to “scrape” the entire fleet for specific indicators of compromise (IOCs).

1. The Workflow

The script performs the following steps:

Authentication: Connects via API Token to the S1 Management Console.
Query: Requests a list of all endpoints where a specific file hash or process has been detected in the last 24 hours.
Reporting: Generates a CSV list of infected Hostnames, IP addresses, and the “Detection State” (Mitigated vs. Active).

2. The Implementation

# S1 API Configuration
$ApiToken = "YOUR_API_TOKEN"
$BaseUrl = "[https://your-console.sentinelone.net/web/api/v2.1](https://your-console.sentinelone.net/web/api/v2.1)"
$Header = @{ "Authorization" = "Token $ApiToken" }

# Define the Threat Hash to hunt for
$TargetHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Search for the hash across the site
$Response = Invoke-RestMethod -Uri "$BaseUrl/threats?contentHashes=$TargetHash" -Method Get -Headers $Header

if ($Response.data) {
 Write-Host "ALERT: Threat detected on $($Response.data.count) endpoints!" -ForegroundColor Red
 $Response.data | Select-Object computerName, lastActiveDate, threatName | Export-Csv -Path "./ThreatReport.csv"
} else {
 Write-Host "Clear: No matches found for the target hash." -ForegroundColor Green
}

The Human Factor: Why Great Backups Fail During Disasters

Sat, 10 Jan 2026 10:00:00 +0000

You can have the most expensive, lightning-fast immutable backup array in the world, but if your lead engineer is panicking and your documentation is trapped inside the server that just went down, your architecture has failed.

In my experience as an L2 Escalation specialist, I’ve seen that the “Human Element” is the most unpredictable variable in any Disaster Recovery (DR) plan.

1. The Paradox of Digital Documentation

Many teams store their “How-to-Recover” guides on the very infrastructure they are trying to recover. If the SAN is dead, your recovery PDF is dead too. The Fix: I advocate for “Out-of-Band” documentation—secure, offline, or cloud-native copies (like an encrypted Git repository or a physical “Break-Glass” binder) that are accessible even when the primary network is dark.

Resilient Data: Architecting a 3-2-1-1 Backup Strategy for MSPs

Mon, 05 Jan 2026 10:00:00 +0000

In modern infrastructure, “Backup” is not a task—it is a foundational pillar of security. For an MSP managing hundreds of endpoints, a simple file-copy isn’t enough. Here is how I architect systems to survive ransomware and site-wide disasters.

1. The 3-2-1-1 Framework

I advocate for an evolved version of the classic 3-2-1 rule, specifically designed for remote-first workforces:

3 Copies of Data: Primary, local secondary, and offsite tertiary.
2 Different Media: Utilizing localized NAS storage for fast LAN recovery and cloud-native repositories.
1 Offsite Location: Ensuring data is physically separated from the primary site.
1 Immutable Copy: Utilizing S3 Object Lock or Air-gapping to ensure backups cannot be deleted by compromised credentials.

2. The Infrastructure Stack

My preferred approach utilizes a unified management plane to reduce “Shadow Data”:

Securing the Perimeter: Why I chose a VPS over Shared Hosting

Wed, 01 Jan 2025 17:00:00 +0000

Most portfolios live on shared hosting—cheap, easy, but restricted. For my infrastructure, I chose a Virtual Private Server (VPS). Here’s why a Systems Engineer treats their “home on the web” like a production environment.

1. The Isolation Advantage

On shared hosting, you are at the mercy of your “neighbors.” If another site on the same IP gets hit with a DDoS or runs a malicious script, your site slows down or goes dark. On my VPS, my vCPU and RAM are mine alone.

Contact

Mon, 01 Jan 0001 00:00:00 +0000

Feel free to reach out using the form below!

Resume

Mon, 01 Jan 0001 00:00:00 +0000

📥 Download Full PDF Resume

ALFRED VAN STER

Systems Engineer | SME | Service Engagement Manager Cape Town, South Africa (Remote | 100% Uptime UPS) alfred@avanster.tech | avanster.tech

PROFESSIONAL SUMMARY

Performance-driven Systems Engineer and Subject Matter Expert (SME) with over 5 years of experience in technical troubleshooting, infrastructure automation, and high-level escalations. Specialized in managing MSP infrastructure and serving as a Service Engagement Manager (SEM) for enterprise clients. Expert in maintaining high-availability environments and securing identity-focused cloud architectures.