
Appendix A: Change Log

Every modification to the estate was recorded in an append-only change registry before or immediately after it was applied. Each entry is one atomic change and carries a unique ID, a timestamp, the host, a rollback command, a re-apply command, and a verification result. The discipline behind the registry, and the seven-minute domain-controller recovery it made possible, is described in Methodology.

This appendix is the registry summarized by phase. Change IDs are referenced throughout the report. (Sub-changes such as H011-1/2/3 are consolidated here under their parent ID.)
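As an added illustration, not code from the report, here is a minimal tamper-evident registry with the entry fields described above (ID, timestamp, host, rollback command, re-apply command, verification result) and the two plans a recovery needs: rollback newest-first, re-apply in original order. Host names, timestamps and command names are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


@dataclass
class Change:
    """One atomic change, with the fields the appendix says every registry entry carries."""
    change_id: str   # e.g. "H011-1"; sub-changes keep their own ID in the registry itself
    timestamp: str   # ISO 8601, when the change was applied
    host: str
    rollback: str    # command that undoes the change
    reapply: str     # command that applies it again, e.g. after a host is rebuilt
    verified: bool   # verification result recorded at apply time


class ChangeRegistry:
    """Append-only JSON-lines log; each line carries the SHA-256 of the previous line (tamper-evident)."""

    def __init__(self) -> None:
        self.lines: List[str] = []

    def append(self, change: Change) -> str:
        prev = hashlib.sha256(self.lines[-1].encode()).hexdigest() if self.lines else "0" * 64
        line = json.dumps({**asdict(change), "prev": prev}, sort_keys=True)
        self.lines.append(line)
        return line

    def verify_chain(self) -> bool:
        """False if any earlier entry was edited, reordered or deleted after a later one was written."""
        prev = "0" * 64
        for line in self.lines:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True

    def plan(self, host: str, action: str) -> List[str]:
        """'rollback': undo commands newest-first; 'reapply': commands in apply order, skipping unverified."""
        entries = [e for e in map(json.loads, self.lines) if e["host"] == host]
        if action == "rollback":
            return [e["rollback"] for e in reversed(entries)]
        return [e["reapply"] for e in entries if e["verified"]]


def build_sample_registry() -> ChangeRegistry:
    """Constructed sample entries: host names and commands are placeholders, not values from the report."""
    reg = ChangeRegistry()
    reg.append(Change("H011-1", "2025-01-01T10:00:00Z", "dc01", "undo_H011-1.ps1", "apply_H011-1.ps1", True))
    reg.append(Change("H012", "2025-01-01T10:05:00Z", "xampp01", "undo_H012.sh", "apply_H012.sh", True))
    reg.append(Change("H011-2", "2025-01-01T10:10:00Z", "dc01", "undo_H011-2.ps1", "apply_H011-2.ps1", False))
    reg.append(Change("H020", "2025-01-01T10:20:00Z", "dc01", "undo_H020.ps1", "apply_H020.ps1", True))
    return reg
```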

Firewall

| ID | Change |
|---|---|
| H001 | Rotated the pfSense admin password off the vendor default |
| H002 | Deleted the wide-open WAN catch-all `pass any any` rule |
| H003 | Removed three leftover debug rules on the LAN interface |
| H005 | Created two block aliases (184 IPs, 79 networks) with WAN block rules |
| H006 | Removed five unused WAN port forwards (echo, ARPA, TFTP, SNMP, SSDP) |
| H007 | Blocked DMZ-to-LAN and DMZ-to-Nagios traffic |
| H008 | Restricted the inbound SMTP NAT to the exercise mail server only |
| H017a-d | Remapped NAT for two required services and added placeholder pages so all six published URLs returned HTTP 200 |

Credentials, hosts, and Active Directory

| ID | Change |
|---|---|
| H011 | Domain controller - account rotation and the common Windows baseline |
| H012 | XAMPP host - account rotation, database root password set, Apache and phpMyAdmin hardening |
| H013 / H013b | File server - Samba, SSH, UFW, and fail2ban hardening; file-integrity and kernel-hardening automation |
| H014 | Mail server - five CIS settings, account rotation, legacy services disabled (reached over SMB ADMIN$) |
| H015 | stormtrooper - account rotation, common baseline, IIS hardening, six dormant accounts disabled |
| H016 | Hackazone - account rotation, SSH, UFW, and fail2ban hardening |
| H019 series | Active Directory - privilege-sprawl cleanup, AS-REP fix, password policy rebuilt, AD Recycle Bin enabled, krbtgt rotated twice, ~100 demonstration accounts reset |
| H019-CIS5 / H021 / H022 | The five high-value CIS settings applied on the domain controller, stormtrooper, and the XAMPP host |
| H020 | Removed an end-of-life browser and Flash plugin from the domain controller (~2,400 vulnerability instances) |

Detection and deception

| ID | Change |
|---|---|
| H018 | Windows honey listeners on two hosts |
| H023 | Enabled the ten custom Sigma rules in Security Onion |
| H026 | Three AD canary accounts plus the eleventh Sigma rule that watches them |
| H027 | PowerShell script-block, module, and transcription logging on all Windows hosts |
| H028 | Honeyfile trap on the file server's Samba share, watched by auditd |
| H029 | Scheduled-task baseline and diff on the Windows hosts |
| H030 | Full auditd rule sets on the Linux hosts |
| H031 | SYN rate-limit tarpit on the Linux hosts |
| H032 / H033 | DNS sinkhole and Wazuh active response - partial / deferred, with documented reasons |

Response automation

| ID | Change |
|---|---|
| H024 | Created the live red-team block alias, separate from the pre-cached baseline |
| H034 | Registered the response daemons as auto-start tasks to survive a reboot |
| H035 | Fixed a root-cause bug in the alert-bridge filter query |
| H036 | Blocked the SO-5 multi-port-scan source |
| H037 | Cleared the orphaned processes that had silently locked the alert-bridge log |

← Previous: Recommendations | Contents | Next: Appendix B - Tools →